Top videoconferencing attacks and security best practices

Videoconferencing has become a routine part of everyday life for remote workers, students, and families. Yet widespread adoption of this technology has also attracted nefarious characters whose motivations can range from simple disruption to full-out espionage. It’s important to understand these threats and how secure configuration of videoconferencing systems can improve the overall security of an organization and individual everyday users.

Common videoconferencing attacks

Making sure your videoconferencing technology is set up securely can help … More

The post Top videoconferencing attacks and security best practices appeared first on Help Net Security.

Cybersecurity sales: Do you have what it takes to succeed?

Technology is at the heart of the world economy, and we’re moving into a new age of business where its technology – not people – is becoming the differentiator, says Terry Greer-King, VP EMEA at SonicWall.

From engineering to sales to cybersecurity sales

Though he started his working life in electronics engineering, the world of sales and marketing “really lit a fire,” and he’s been growing his career for years by purposely seeking sales experience … More

Review: Code42 Incydr – SaaS data risk detection and response

Incydr is Code42’s new SaaS data risk detection and response solution, which enables security teams to mitigate file exposure and exfiltration risk without disrupting legitimate collaboration. Code42 focuses on the problems related to the massive “work from home” shift, i.e., the fact that many different collaboration tools are being used within global enterprises. While those tools allow people to collaborate more efficiently, they also allow them to share sensitive company data. Unfortunately, traditional security tools … More

Three ways formal methods can scale for software security

Security is not like paint: it can’t just be applied after a system has been completed. Instead, security has to be built into the system design. But how can we know that a system design is secure against a particular attack? And how can we know that the system implements that design correctly? The key problem, on one hand, is that system design specifications are often ambiguous and incomplete, with specifications (if they exist at … More

2020 set the stage for cybersecurity priorities in 2021

It’s safe to assume that pretty much everyone is ready to move on from 2020. Between the COVID-19 pandemic, political battles, and social unrest, this has been a stressful year in so many ways. It has also been a very active year for cybercriminals and fraudsters who have preyed on people’s fears and vulnerabilities to push new scams. They’ve spoofed government health sites to trick people into clicking on malware links. They’ve targeted food delivery … More

2021 will overburden already stressed infosec teams

The year 2020 has given us a contentious U.S. election, a global economic crisis, and most notably a global pandemic. Disinformation has wreaked havoc on our ability to discern fact from fiction, ransomware has been delivering ever more serious consequences, and insider leaks continue to validate privacy concerns despite increased adoption of privacy laws across the globe. According to a recent study published by Webroot, there has been a 40% increase in unsecured RDP-enabled machines … More

SaaS security in 2021

The migration toward subscription-based services via the SaaS business model isn’t new this year — it’s part of a larger shift away from on-premises datacenters, applications, etc., that has been underway for years. The pandemic accelerated the shift, boosting SaaS subscriptions as companies looked for virtual collaboration and meeting tools. What is new on a larger scale is the way employees interact with business applications, and that has implications for IT departments worldwide. As a … More

Tech’s bigger role in pharma industry demands stronger security measures

For healthcare and pharmaceutical IT professionals, the launch of Amazon Pharmacy in late November signaled the acceleration of digitized pharma. But Amazon’s move into prescription fulfillment and delivery should be seen as part of a broader trend. As technology companies big and small move to disrupt healthcare, companies along the pharmaceutical supply chain will need to adapt in order to succeed (and keep succeeding). With new data showing half of all baby boomers now ordering … More

Three reasons why context is key to narrowing your attack surface

2020 has been a year of radical change for cybersecurity. Lockdowns forced businesses to find new ways to maintain continuity. As a result, digital transformation initiatives have accelerated from three-year initiatives to three-month sprints. Many organizations ended up “leaping before looking” to the cloud. This accelerated digital transformation served as a forcing function that brought IT and security together to reconcile legacy technology, identify risks in the supply chain, narrow the expanding attack surface and … More

How do I select a data control solution for my business?

Data transparency allows people to know what personal data has been collected, what data an organization wants to collect and how it will be used. Data control provides the end-user with choice and authority over what is collected and even where it is shared. Together the two lead to a competitive edge, as 85% of consumers say they will take their business elsewhere if they do not trust how a company is handling their data. … More

Hackers breached U.S. government agencies via compromised SolarWinds Orion software

A “highly sophisticated” hacking group has breached the U.S. Treasury Department, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA), other government agencies and private sector companies (including, apparently, FireEye) via compromised SolarWinds Orion software.

A supply chain attack

According to reports by FireEye and Microsoft, the hacking group managed to insert a backdoor (signed with SolarWinds’ legitimate certificates) into a DLL file used by the SolarWinds Orion platform, which organizations use for IT monitoring and management.

“Although we do not know how the backdoor code made it into the library, from the recent campaigns, research indicates that the attackers might have compromised internal build or distribution systems of SolarWinds,” Microsoft noted, and added that the backdoor was distributed via automatic update platforms or systems in target networks.

Once inside, the attackers moved laterally and proceeded to steal data.

According to Microsoft, they used administrative permissions acquired through the on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate, and with it they forged SAML tokens that impersonate any of the organization’s existing users and accounts, which allowed them to access both on-premises and cloud resources. They also made changes to the organizations’ Azure Active Directory settings to facilitate long-term access.
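The token-forgery step Microsoft describes is commonly called a “golden SAML” attack. The script below is an added example, not code from the article, from Microsoft or from SolarWinds, of one way a defender can hunt for it: a genuine federated sign-in is always preceded by the on-premises federation server issuing a token (AD FS audits this as event ID 1200), whereas a token forged with the stolen signing key never passes through that server. So a federated cloud sign-in with no matching issuance record in the preceding minutes is worth investigating, as is a token whose claimed lifetime is far longer than policy allows. The record layouts, field names, time window and the log entries themselves are constructed assumptions for the example, not the real AD FS or Azure AD log schema.

```python
"""Added example (not from the article): correlate federated cloud sign-ins
with the federation server's own token-issuance log to spot forged SAML tokens.
Record layouts and sample entries are constructed for this illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TokenIssued:
    """One 'token issued' record written by the on-premises federation server."""
    user: str
    issued_at: datetime


@dataclass(frozen=True)
class CloudSignIn:
    """One sign-in record from the cloud identity provider's audit log."""
    user: str
    signed_in_at: datetime
    federated: bool            # True if the sign-in presented a SAML token
    token_lifetime: timedelta  # validity window claimed inside the token


def find_suspicious_signins(issued, signins, max_skew=timedelta(minutes=5),
                            max_lifetime=timedelta(hours=1)):
    """Return [(signin, [reasons])] for federated sign-ins that the federation
    server cannot vouch for, or whose token lifetime exceeds policy."""
    issued_by_user = {}
    for rec in issued:
        issued_by_user.setdefault(rec.user, []).append(rec.issued_at)

    findings = []
    for s in signins:
        if not s.federated:
            continue  # password or cloud-native sign-ins are out of scope here
        reasons = []
        # A genuine token is issued shortly *before* the cloud accepts it.
        window_start = s.signed_in_at - max_skew
        vouched = any(window_start <= t <= s.signed_in_at
                      for t in issued_by_user.get(s.user, []))
        if not vouched:
            reasons.append("no federation-server issuance record within "
                           f"{max_skew} before the sign-in")
        # Attackers minting their own tokens tend to give them long lifetimes.
        if s.token_lifetime > max_lifetime:
            reasons.append(f"token lifetime {s.token_lifetime} exceeds "
                           f"policy {max_lifetime}")
        if reasons:
            findings.append((s, reasons))
    return findings


# Constructed sample logs (assumed shapes, not real data).
T = datetime(2020, 12, 14, 9, 0, 0)
SAMPLE_ISSUED = [
    TokenIssued("alice@example.test", T),
    TokenIssued("carol@example.test", T + timedelta(hours=3)),
]
SAMPLE_SIGNINS = [
    # legitimate: issued 40 s earlier, normal lifetime
    CloudSignIn("alice@example.test", T + timedelta(seconds=40), True, timedelta(hours=1)),
    # federated sign-in with no issuance record at all: likely forged
    CloudSignIn("bob@example.test", T + timedelta(hours=2), True, timedelta(hours=1)),
    # vouched for, but the token claims a 24 h lifetime
    CloudSignIn("carol@example.test", T + timedelta(hours=3, seconds=15), True, timedelta(hours=24)),
    # not federated, so ignored by this check
    CloudSignIn("dave@example.test", T + timedelta(hours=4), False, timedelta(hours=1)),
]


def demo():
    """Run the check over the sample logs; returns {user: [reasons]}."""
    return {s.user: reasons
            for s, reasons in find_suspicious_signins(SAMPLE_ISSUED, SAMPLE_SIGNINS)}


if __name__ == "__main__":
    for user, reasons in demo().items():
        print(user, "->", "; ".join(reasons))
```

On the sample data only bob (no issuance record) and carol (24-hour token) are reported; alice is vouched for and dave never used a SAML token. Clock skew between the federation server and the cloud provider is why the check uses a window rather than an exact match, and the window should be tuned to the observed skew before the rule is trusted.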

SolarWinds has confirmed that SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020, have been compromised and that a “clean” version (2020.2.1 HF 1) is now available for download.

“An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements,” the company noted.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive instructing “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

Who’s behind these attacks?

SolarWinds’ customers include US telecoms, all five branches of the US Military, various US federal agencies (including the Pentagon, State Department, and the Office of the President of the United States), more than 425 of the US Fortune 500 companies, and many higher education institutions.

FireEye says that this campaign may have begun as early as Spring 2020 and the attackers gained access to government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.

Washington Post sources say that the hacker group behind these attacks is APT29 (aka Cozy Bear), which has ties with the Russian Foreign Intelligence Service. Kremlin spokesman Dmitry Peskov said that Russia had nothing to do with the attacks on the U.S. Treasury and Commerce departments.

UPDATE (December 14, 2020, 8:40 a.m. PT):

SolarWinds has filed a report with the U.S. SEC, in which it stated that “the vulnerability … was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products.”

Also, that it “currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000,” and that the attackers likely breached the company by compromising company emails (the company uses Microsoft Office 365 for its email and office productivity tools).

What’s at stake in the Computer Fraud and Abuse Act (CFAA)

Two weeks ago, the Supreme Court heard oral arguments in Van Buren v. United States, the landmark case over the Computer Fraud and Abuse Act (CFAA). Nathan Van Buren, the petitioner in the case, is a former police officer in Georgia who used his lawful access to a police license plate database to look someone up in exchange for money. Van Buren was indicted and convicted of violating the CFAA for using his legal access to the database in a way it was not intended.

The fundamental question presented to the Supreme Court is whether someone who has authorized access to a computer violates federal law if he or she accesses the same information in an unauthorized way. While the question may seem trivial, this is a welcome and long overdue court case that could have a major impact on security researchers, consumers, and corporations alike.

Intended as the United States’ first anti-hacking law, the CFAA was enacted almost thirty-five years ago, long before lawyers and technologists had any sense of how the Internet would proliferate and evolve. In fact, the Act is outdated enough that it specifically excludes typewriters and portable hand-held calculators as a type of computer.

Since its inception, it has been applied to everything from basic terms-of-service breaches, like the infamous case of Aaron Swartz downloading articles from the digital library JSTOR, to indicting nation-state hackers and seeking the extradition of Julian Assange.

The core of the problem lies in the vague, perhaps even draconian, description of “unauthorized” computer use. While the law has been amended several times, including to clarify the definition of a protected computer, the ambiguity of unauthorized access puts the average consumer at risk of breaking federal law. According to the Ninth Circuit, you could potentially be committing a felony by sharing subscription passwords.

The stakes are particularly high for security researchers who identify vulnerabilities for companies without safe harbor or bug bounty programs. White-hat hackers, who act in good faith to report vulnerabilities to a company before it is breached, face the same legal risks as cybercriminals who actively exploit and profit from those vulnerabilities. Say, for example, that a security researcher has identified a significant vulnerability in the pacemaker that a healthcare company produces. If the healthcare company hasn’t published a safe harbor agreement, that security researcher could face up to ten years in prison for reporting a vulnerability that could potentially save someone’s life.

On the less drastic side, security researchers who work with companies to protect their systems face legal risk in their day-to-day activities. During a penetration test, for example, a client will list assets that are “in scope” for testing, as well as state what tests are prohibited (e.g., any action that causes a denial of service and crashes a server). A penetration tester could face legal liability and prison time for inadvertently testing the wrong asset that is “out of scope”—or accidentally executing a test that breaches authorized use. Arguably, engineers could face the same legal liability if they access the wrong database or push the wrong code.
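Scope mistakes of the kind described above are avoidable with a mechanical check. The following script is an added example, not from the article, of a refuse-by-default pre-flight guard a tester can put in front of every action: it answers whether a host is inside the agreed scope and whether the requested test type is one the client prohibited. The scope document, host names and test names are invented for the illustration.

```python
"""Added example (not from the article): a refuse-by-default scope guard that
a penetration tester consults before touching a host. The scope document
below is constructed for the illustration, not a real client's document."""
import ipaddress
from fnmatch import fnmatch

# Constructed rules of engagement (assumed format).
SCOPE = {
    "in_scope_networks": ["203.0.113.0/24", "198.51.100.10"],
    "in_scope_domains": ["*.app.example.test", "api.example.test"],
    "out_of_scope_hosts": ["203.0.113.250"],   # explicit exclusion beats the CIDR
    "prohibited_tests": ["dos", "stress"],     # e.g. anything that could crash a server
}


def host_in_scope(host, scope=SCOPE):
    """True only if `host` (IP address or DNS name) is covered by the scope
    and not explicitly excluded. Unknown hosts are out of scope."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None

    if addr is not None:
        if any(addr == ipaddress.ip_address(h) for h in scope["out_of_scope_hosts"]):
            return False
        return any(addr in ipaddress.ip_network(net, strict=False)
                   for net in scope["in_scope_networks"])

    name = host.lower().rstrip(".")
    return any(fnmatch(name, pattern) for pattern in scope["in_scope_domains"])


def authorize(host, test_name, scope=SCOPE):
    """Return (allowed, reason). The prohibited-test check runs first so a
    banned technique is refused even against an in-scope host."""
    if test_name.lower() in scope["prohibited_tests"]:
        return False, f"test '{test_name}' is prohibited by the rules of engagement"
    if not host_in_scope(host, scope):
        return False, f"host '{host}' is not in scope"
    return True, "ok"


if __name__ == "__main__":
    for host, test in [("203.0.113.7", "sqli"), ("203.0.113.250", "sqli"),
                       ("shop.app.example.test", "xss"), ("203.0.113.7", "DoS")]:
        allowed, reason = authorize(host, test)
        print(f"{host:24} {test:5} -> {'ALLOW' if allowed else 'REFUSE'} ({reason})")
```

Wire `authorize()` into whatever launches the actual tooling so that a refusal aborts the action and is logged; the point is that the decision is made by the scope file the client signed off on, not by whoever is typing at 2 a.m. Re-resolve DNS names at test time as well, since a name that was in scope yesterday may point at a different, out-of-scope address today.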

On one hand, the broad and ambiguous language of the CFAA provides robust legal protection for companies and brings federal resources, like the FBI, to bear if a significant breach occurs. Some companies have argued that narrowing the scope of the CFAA would not be damaging to security programs if companies are already contracting security services, including crowdsourced programs like bug bounty. One company received pushback from the information security community when it accused MIT security researchers of acting in “bad faith” by identifying vulnerabilities in its mobile app. Some companies have argued that the difficulty of attribution, meaning the ability to accurately identify a threat actor, makes it difficult to distinguish good actors from cybercriminals.

Yet the CFAA is a reactive measure that would be enforced following an incident. Companies should ideally be focused on preventative measures to protect against a breach before it occurs. It is arguably to the detriment of companies like Voatz, which serves the public through its voting app, that the CFAA is so broad, since security researchers may choose not to investigate or report vulnerabilities due to the possibility that they could be reported to the FBI. While attribution can be incredibly difficult, good faith security researchers will always identify themselves when they report a vulnerability. Unlike malicious actors, who will exploit vulnerabilities for their own gain, security researchers act to increase the security posture of a company and protect citizens from harm.

All companies should use security services, like penetration testing, bug bounty programs, and safe harbor, to quickly identify and triage vulnerabilities. However, security researchers all have different methods for testing and may not be able to cover all of the assets that a company owns. For example, an ethical hacker focused on exploiting a SQL injection in a database may miss exposed credentials on the Internet that allow access into a protected server. With the rapid pace of DevSecOps, engineers could be pushing changes a dozen times, or more, in a single day.

Revolutionary changes in the structure and pace of the Internet and the software that fuels it means that ad-hoc or occasional security testing is not enough to protect against vulnerabilities. We need the full force of security researchers, and all companies should encourage and protect their work.

Should the Supreme Court affirm Van Buren’s conviction, the legal landscape will remain largely the same. Security researchers and consumers alike will face liability despite acting in good faith, and the federal government will continue to exercise broad power over trivial and ambiguous breaches of authorized computer use.

Yet the Supreme Court now has the opportunity to limit the scope of the CFAA and restrict what the federal government can prosecute. Doing so will enhance the security of the Internet, protect security researchers, and limit the legal liability of daily Internet users who clicked through terms of services without reading them.

A lot has changed since the CFAA was first enacted in 1984. While the Supreme Court’s decision could drastically change the information security landscape, it is still not enough. As we’ve seen with the Internet of Things bill that was recently passed through the House, the United States needs modern legislation to secure the rapidly changing technology of the twenty-first century.

In short, security researchers who act in good faith are exposing themselves to huge legal risk because of the broad interpretation of CFAA. This is to the detriment of anyone who values the protection of their information. We are in dire need of reform in the United States, but in the meantime, there is hope that the Supreme Court will narrow the scope of the CFAA to protect consumers and security researchers alike.

How do I select cyber insurance for my business?

There has been a 70%+ increase in the average cost of a cybercrime to an organization over five years, to $13 million, and a 60%+ increase in the average number of security breaches, a recent report reveals.

Losses resulting from external incidents, such as DDoS attacks or phishing and malware/ransomware campaigns, account for 85% of the value of claims, followed by malicious internal actions (9%) – which are infrequent but can be costly.

To select suitable cyber insurance for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.

Corinne Hammond, Cyber Underwriter, AXIS Insurance

Cyber insurance has developed significantly over the past decade, driven by the increasing threat landscape and expanding legislation. As one of the greatest threats facing businesses today, coverage has adapted. With many options available, here are three key things to help you select the correct product:

Scope of cover

Most cyber policies cover liabilities following an incident including regulatory costs, reimbursement for business interruption, reconstitution of data and support through a ransomware incident. They can also address reputational harm, supply chains and property damage. It’s important to think about the risks specific to your business and ensure your selected product addresses those risks.

Additional support

Best in class cyber insurance will help reduce your risk and include:

  • education, tools and training for all people in an organization
  • tabletop exercises to engage key personnel and prepare for an unforeseen event
  • experienced support to assist quickly in the event of an incident, complementing internal expertise for ransomware negotiations, obtaining cryptocurrency or legal advice

Experience

With larger and more frequent losses it is ever more important to partner with a strong insurer with proven cyber experience, particularly in paying claims. Your broker can help you select a well-established insurer with global expertise and products to best fit your risks.

Lindsey Nelson, Cyber Development Leader, CFC Underwriting

When selecting affirmative cyber insurance coverage, I’d recommend that CISOs vet the insurer’s cyber claims expertise before diving into policy language.

An insurer with a well-staffed, in-house cyber incident team with ample experience dealing with cyber threats is a must as these experts bring additional skills that complement what a firm’s own IT department already does very well in the event of a cyber incident.

They will be the experts on the other end of a call who bring a well-rounded wealth of expertise from technical to legal assistance.

They will know the most about ransomware variants and ransom demands, recovery from compromised business email accounts, and privacy obligations. And this knowledge and experience from a technically led approach ultimately leads to quicker recovery and less material impact to the business.

Questions CISOs should ask include:

  • Is the insurer well established in cyber insurance?
  • Do they have global reach?
  • Do they have internal cyber claims capabilities or is everything outsourced to a third party or law firm to triage?
  • Is cryptocurrency kept on hand to ensure a timely ransom can be paid if the insured makes that decision?
  • What process does the firm have for checking sanctions to determine whether the attacker is a sanctioned entity?

Cybercrime costs the world more than $1 trillion, a 50% increase from 2018

Cybercrime costs the world economy more than $1 trillion, or just more than one percent of global GDP, which is up more than 50 percent from a 2018 study that put global losses at close to $600 billion, McAfee reveals. Beyond the global figure, the report also explored the damage reported beyond financial losses, finding 92 percent of companies felt effects beyond monetary losses. “The severity and frequency of cyberattacks on businesses continues to rise … More

Techno-nationalism isn’t going to solve our cyber vulnerability problem

Against the backdrop of intensifying cyber conflicts and the rapidly evolving threat landscape, a new wave of techno-nationalism is being trumpeted from almost every corner of the world.

The U.K. just announced it will ban the installation of Huawei 5G gear by the end of September 2021 and the FCC rejected a petition from ZTE asking for reconsideration of their finding that the Chinese company is a national security threat to communications networks. Meanwhile, ByteDance is trying to meet the requirements of both the U.S. government and China’s new Export Control Law so that TikTok can continue to exist in the U.S.

The U.S. is also pushing to persuade countries like Brazil to shun Chinese equipment as they develop their digital infrastructures, offering financial assistance to use Washington-approved alternatives. This led to Brazil’s top four telecom companies refusing to meet with a senior U.S. official advocating for exclusion of Huawei from the Brazilian 5G market. In their home country of China, Huawei and other tech companies are grumbling about Nvidia’s acquisition of U.K. chip designer Arm (the deal is still awaiting regulatory approval).

Across the world today, people are using smartphones made in China, and have personal information scattered around various data centers in India or the Philippines, via hosted service providers and call centers. Data is now fluid, mobile and global – that genie is out of the bottle and embargos against specific companies’ or countries’ technologies will ultimately have limited impact from a security perspective.

A false sense of security

Techno-nationalism is fueled by a complex web of justified economic, political and national security concerns. Countries engaging in “protectionist” practices essentially ban or embargo specific technologies, companies, or digital platforms under the banner of national security, but we are seeing it used more often to send geopolitical messages, punish adversary countries, and/or prop up domestic industries.

Blanket bans give us a false sense of security. At the same time, when any hardware or software supplier is embedded within critical infrastructure – or on almost every citizen’s phone – we absolutely need to recognize the risk.

We need to take seriously the concern that such a supplier’s kit could contain backdoors that would allow the supplier to be privy to sensitive data or facilitate a broader cyberattack. Or, as is the lingering case with TikTok, the concern is whether the collection of data on U.S. citizens via an entertainment app could be forcibly seized under Chinese law and enable state-backed cyber actors to then target and track federal employees or conduct corporate espionage.

We cannot ignore that nation states around the world are increasingly turning to cyber operations to gather intelligence, wield influence, and disrupt their adversaries. But we must remember that technology made by those close to home, in proximity or ideology, does not put them out of reach of compromise or automatically make it more secure.

Digital deception and trust

Trust alone is never a sound security strategy. To echo the words of former U.S. President Reagan (who was, appropriately enough, quoting a Russian proverb): “Trust, but verify.” In cybersecurity, “verify” means not blindly trusting the technology you are leveraging, but instead taking the actions needed to monitor and audit in real-time.

Trust is a tool itself that attackers commonly employ in methods of digital deception. Indeed, spoofed login pages from reputable SaaS platforms have been used as a means of harvesting compromised credentials from unwitting victims.

Regardless of whether a cloud provider is based in the U.S., China, or elsewhere, attackers will still seek creative means to exploit both the vulnerabilities in these technologies and the ever-present threat of human error. For example, foreign actors will attempt to infiltrate the supply chains of hardware or software tools, sometimes by simply paying an insider to do the job for them.

In other words: purchasing decisions rooted in techno-nationalism, or, conversely, techno-globalism, are both essentially susceptible to the same security threats. And so, when we target a specific company or technology, rather than critically evaluate our underlying security strategy and defensive technologies, we do not actually strengthen our security posture, but instead chase a red herring.

National security is about much more than blanket bans on specific organizations and technologies. Rather, it is about cybersecurity and operations resilience against the ever-present reality of threats in cyber space—crucially, regardless of where the attacks come from or what technology attackers are targeting.

Building resilience moving forward

Nowadays, cyberattacks are advancing at a rate that outpaces attempts to define indicators of threat in advance. The strength of any cybersecurity stance accordingly lies in its ability to understand and maintain normal conditions internally, not in its attempts to predict the nature of future external threats. This holds regardless of whether the threat actor is motivated by financial, strategic or political concerns.

The focus on individual companies distracts from the realities of cyber-defense. Rather than decreasing or restricting the technology ecosystem, national security concerns can actually be advanced by gaining further visibility into critical digital environments. By gaining an in-depth understanding of these environments, we can manage risk in our complex landscape.

Historically, this level and scale of understanding into the ever-growing complexity of digital environments would have been at the limits of a human security team, more likely beyond. However, it is not beyond those teams leveraging AI and machine learning. These technologies excel at achieving a comprehensive and granular understanding of the behaviors and technologies that comprise a technology ecosystem.

Today’s techno-nationalism is taking off and will probably continue to do so because it is responding to real issues in a very observable way, even though it is ultimately ineffective. And so, the stakes remain high. Hidden backdoors in component parts and supply side technologies are used as an entry point for foreign malicious actors. Once attackers gain entry, economic espionage can lead to incalculable financial damage. Further, disrupted critical national infrastructure, such as power grids and gas lines, can lead to devastating costs for a nation.

The persistence of these threats calls for a practical response. Techno-nationalism, though rising in popularity, simply does not rise to the greater security challenge. Rather than blocking access to foreign technologies in a great game of whack-a-mole, national security can actually be advanced by implementing AI-enabled digital understanding. The rigid scrutiny and real-time attack disruption achieved by AI’s holistic approach provides robust cyber defense across the full range of technologies that can be implemented, regardless of the attack’s origin.

ControlFlag: Machine programming research tool detects bugs in code

Intel unveiled ControlFlag – a machine programming research system that can autonomously detect errors in code. Even in its infancy, this self-supervised system shows promise as a productivity tool to assist software developers with the labor-intensive task of debugging.

In preliminary tests, ControlFlag trained and learned novel defects on over 1 billion unlabeled lines of production-quality code.

ControlFlag and debugging

In a world increasingly run by software, developers continue to spend a disproportionate amount of time fixing bugs rather than coding. It’s estimated that of the $1.25 trillion that software development costs the IT industry every year, 50 percent is spent debugging code.

Debugging is expected to take an even bigger toll on developers and the industry at large. As we progress into an era of heterogenous architectures — one defined by a mix of purpose-built processors to manage the massive sea of data available today — the software required to manage these systems becomes increasingly complex, creating a higher likelihood for bugs. In addition, it is becoming difficult to find software programmers who have the expertise to correctly, efficiently and securely program across diverse hardware, which introduces another opportunity for new and harder-to-spot errors in code.

When fully realized, ControlFlag could help alleviate this challenge by automating the tedious parts of software development, such as testing, monitoring and debugging. This would not only enable developers to do their jobs more efficiently and free up more time for creativity, but it would also address one of the biggest price tags in software development today.

“We think ControlFlag is a powerful new tool that could dramatically reduce the time and money required to evaluate and debug code. According to studies, software developers spend approximately 50% of the time debugging. With ControlFlag, and systems like it, I imagine a world where programmers spend notably less time debugging and more time on what I believe human programmers do best — expressing creative, new ideas to machines,” said Justin Gottschlich, principal scientist and director/founder of Machine Programming Research at Intel Labs.

How ControlFlag works

ControlFlag’s bug detection capabilities are enabled by machine programming, a fusion of machine learning, formal methods, programming languages, compilers and computer systems.

ControlFlag specifically operates through a capability known as anomaly detection. As humans existing in the natural world, there are certain patterns we learn to consider “normal” through observation. Similarly, ControlFlag learns from verified examples to detect normal coding patterns, identifying anomalies in code that are likely to cause a bug. Moreover, ControlFlag can detect these anomalies regardless of programming language.


A key benefit of ControlFlag’s unsupervised approach to pattern recognition is that it can intrinsically learn to adapt to a developer’s style. With only limited input about which control structures the tool should evaluate, ControlFlag can identify stylistic variations in a programming language, much as readers recognize the difference between full words and contractions in English.

The tool learns to identify and tag these stylistic choices and can customize error identification and solution recommendations based on its insights, which reduces the chance that ControlFlag reports as an error what is simply a stylistic difference between two developer teams.

Intel has started evaluating ControlFlag internally to identify bugs in its own software and firmware product development. It is a key element of Intel’s Rapid Analysis for Developers project, which aims to accelerate velocity by providing expert assistance.

Raising defenses against ransomware in healthcare

More than half a decade has passed since ransomware-wielding attackers started focusing on healthcare providers. Despite some initial misgivings about targeting life-saving organizations expressed by the denizens of cybercrime-oriented underground forums, the healthcare sector has, in the intervening years, become ransomware gangs’ target of choice.


Why healthcare organizations make good targets

It’s easy to see why: hospitals and other healthcare organizations need to access current information within patient records to provide care, so they are more likely to pay a ransom to avoid delays that could endanger lives. (And with the advent of COVID-19, quickly restoring systems and access to patients’ information has become even more important.)

There are, of course, other factors that play a role in the attackers’ preference for healthcare-related targets: the talent shortage for cybersecurity experts with healthcare expertise, the fact that most healthcare employees still don’t make cybersecurity a priority, the fact that many of the devices and technologies they use run on antiquated operating systems – to name just a few.

“A study done in 2020 by HIPAA Journal found 83% of IoT devices still ran legacy, unsupported operating systems such as Windows XP. This presents cyber adversaries with opportunities to exploit and compromise medical and health care organizations,” Jon DiMaggio, Chief Security Strategist at Analyst1, told Help Net Security.

But even when organizations are secure on that front, adversaries can always simply send phishing email after phishing email to healthcare employees, to steal information or deliver malware that can provide them with initial access.

There might come a time when cybersecurity becomes a (small) part of medical curricula – in the meantime, healthcare organizations can significantly lower the number of successful attacks with the proper defenses and training, DiMaggio notes.

How to make the attackers’ job difficult

Unfortunately, it often takes a major breach to occur before security is taken seriously. But with attacks against healthcare organizations constantly in the headlines, more and more organizations are working to improve their cybersecurity posture and more employees will hopefully accept the fact that they are part of their organization’s defensive line against cyber attacks.

“The reality is you cannot prevent all attacks. However, you can significantly reduce them and make the attackers’ job MUCH more difficult,” DiMaggio pointed out.

Organizations should avoid money-saving shortcuts that will provide them with a false sense of security and instead opt for adopting security best practices and defenses: restricting user access, segmenting networks, using endpoint detection and protection solutions, raising employees’ security awareness.

“Healthcare organizations must insist on vendors developing software required to function on up-to-date, supported operating systems. If an X-ray device runs on Windows XP, they should purchase them from a competitor whose equipment runs on a supported platform. Such a shift in the industry would force vendors to develop equipment based on security and not ease of access,” he noted.

Regularly hunting for cyberthreats inside the organization’s systems and networks is also a good way to prevent ransomware attacks.

“Most enterprise ransomware attackers spend days and even weeks in a targeted organization’s environment. They use already present administrative and dual-use tools to ‘stage’ the environment, they enumerate devices on the network(s), escalate privileges and disable security defenses. Threat hunters can identify these malicious goings-on and foil the attack before crucial data is encrypted and held for ransom. Having trained threat hunters with the appropriate tools will increase the chances of success,” he opined.

The increased number of people working from home due to the pandemic has provided a larger attack surface for attackers, but there are some simple and cheap solutions that go a long way in protecting organizations, the end users and their data, he adds.

Two-factor authentication is one of the cheapest and most efficient ways to drastically reduce the risk of account theft due to phishing attacks. Regularly patching all public-facing infrastructure and ensuring unnecessary ports and protocols are not left open and unsecured costs little and will make the attackers’ job more difficult.

“Make sure that administrative tools are removed and not available to users or on systems that do not require them. Almost all instances of ransomware attacks I have investigated involved the attacker using the legitimate administration tools like PowerShell, PSExec and similar,” he advised.
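The threat-hunting idea above (spotting dual-use administration tools such as PowerShell or PsExec where they do not belong) can be expressed as a small rule set run over process-creation telemetry. The following is an added example, not code from the article or from Analyst1; the log lines, the host and account names, and the allowlist of accounts expected to run administrative tooling are all constructed for illustration, and the format assumes an image path without spaces.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events (not real telemetry). Format per line:
# <timestamp> <host> <user> <image path> <command line>
SAMPLE_EVENTS = r"""
2020-12-01T08:01:12Z WS-RADIOLOGY-04 nurse.jones C:\Windows\System32\notepad.exe notepad.exe notes.txt
2020-12-01T08:03:40Z WS-RADIOLOGY-04 nurse.jones C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -enc SQBFAFgA
2020-12-01T08:05:02Z DC-01 svc.backup C:\Tools\PsExec.exe PsExec.exe \\WS-RADIOLOGY-04 -s cmd.exe
2020-12-01T08:07:15Z WS-ADMIN-01 it.admin C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Service
2020-12-01T08:09:55Z WS-BILLING-07 clerk.smith C:\Windows\System32\wbem\WMIC.exe wmic.exe process call create cmd.exe
"""

# Hypothetical allowlist: the only accounts expected to run administrative tooling.
ADMIN_ACCOUNTS = {"it.admin", "svc.backup"}

# Dual-use admin tools named in the article plus two common companions.
DUAL_USE_TOOLS = {"powershell.exe", "psexec.exe", "psexesvc.exe", "wmic.exe"}

# PowerShell switches that interactive administrative use rarely needs.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b)"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    tool: str
    reasons: list = field(default_factory=list)


def parse_event(line: str):
    """Split one log line into its five fields; returns None for malformed lines."""
    parts = line.strip().split(" ", 4)
    if len(parts) < 5:
        return None
    return tuple(parts)


def hunt(events: str) -> list:
    """Apply the two hunting rules to every event and return the findings in order."""
    findings = []
    for line in events.strip().splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, host, user, image, cmdline = parsed
        tool = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = []
        # Rule 1: an admin tool launched by an account that should never need it.
        if tool in DUAL_USE_TOOLS and user not in ADMIN_ACCOUNTS:
            reasons.append("dual-use admin tool run by non-admin account")
        # Rule 2: PowerShell started with hidden/encoded/no-profile switches, whoever ran it.
        if tool == "powershell.exe" and SUSPICIOUS_PS_FLAGS.search(cmdline):
            reasons.append("PowerShell launched with hidden/encoded/no-profile flags")
        if reasons:
            findings.append(Finding(ts, host, user, tool, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.user} {f.tool}: {'; '.join(f.reasons)}")
```

On the constructed sample the hunt flags the nurse workstation (PowerShell run by a non-admin account, with suspicious switches) and the billing workstation (WMIC run by a clerk), while the backup service account and the IT administrator are left alone; the allowlist is the part that has to be tuned to a real environment.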

“Finally, if you do not need certain filetypes (e.g., .RAR, .EXE or .HLP), block them from being delivered via your email servers. These filetypes/extensions are often used by attackers to deliver malware via phishing emails. You can use these filetypes in your environment, but they don’t need to come into the environment via email.”
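The mail-gateway rule described in the quote, as an added example that is not part of the article or of any product mentioned in it: it walks the attachments of an RFC 822 message, rejects the file types named above by their final extension (so a double extension such as invoice.pdf.exe is still caught), and additionally rejects any attachment whose bytes start with the Windows PE "MZ" header even when the name looks harmless. The message, addresses and blocklist are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions from the article's example plus a few more that seldom need to arrive
# by email. This is a constructed policy; adjust it to your own environment.
BLOCKED_EXTENSIONS = {".rar", ".exe", ".hlp", ".scr", ".js", ".vbs"}

# A Windows PE executable begins with the DOS header magic "MZ".
PE_MAGIC = b"MZ"


def attachment_verdicts(raw_message: bytes) -> list:
    """Return (filename, verdict, reason) for every attachment in the message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lowered = name.lower()
        payload = part.get_payload(decode=True) or b""
        # Judge by the *last* extension: "invoice.pdf.exe" still ends in ".exe".
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if ext in BLOCKED_EXTENSIONS:
            results.append((name, "block", f"extension {ext} is not accepted by email"))
        elif payload.startswith(PE_MAGIC):
            results.append((name, "block", "content is a Windows executable despite its name"))
        else:
            results.append((name, "allow", "no blocked extension or executable header"))
    return results


def build_sample_message() -> bytes:
    """Constructed test message with three attachments (not a real phishing sample)."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.test"
    msg["To"] = "accounts@hospital.example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the documents attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="report.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in attachment_verdicts(build_sample_message()):
        print(f"{verdict:5} {name}: {reason}")
```

The content check matters because an extension blocklist alone is trivial to sidestep by renaming; a real gateway would also open archives such as .RAR and apply the same checks to the files inside, which this example leaves out.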

Sharing attack information should be customary

As ransomware gangs ramp up their targeting of all organizations, including those in the healthcare sector, and try out different approaches to get their hands on as much money as possible (e.g., combining ransom requests and blackmailing of users/patients, as in the Vastaamo attack and other attacks mounted by the Maze and Sodinokibi attackers), targeted organizations could help the rest of their industry by sharing threat information and details of the attack.

“Many groups and tools exist to share threat information. ISACs, or Information Sharing and Analysis Centers, exist in almost every industry you can think of. They certainly exist for healthcare. These groups allow organizations, even direct competitors, to share details of breaches without repercussion. Sharing usually includes attack details such as threat indicators (malware hashes & samples, infrastructure, phishing attributes, etc.) with peer organizations that might be targeted by the same attackers,” DiMaggio noted, and said that organizations that fail to do that should be held accountable and fined.

“In the end, no harm is done to the sharing organization, especially when the breach is already public, but the benefits to the rest of the targeted industry can be great: peer healthcare organizations could look for the activity on their network or be better prepared to identify the adversary should an attack be executed. It is a win-win scenario and is becoming a common business practice across industry verticals.”

Retail CISOs and the areas they must focus on

In this interview, Matt Cooke, cybersecurity strategist, EMEA at Proofpoint, discusses the cybersecurity challenges for retail organizations and the main areas CISOs need to focus on.


Generally, are retailers paying enough attention to security hygiene?

Our research has shown that the vast majority of retailers in the UK and Europe-wide simply aren’t doing enough to protect their customers from fraudulent and malicious emails – only 11% of UK retailers have implemented the recommended and strictest level of DMARC protection, which protects them from cybercriminals spoofing their identity and decreases the risk of email fraud for customers.

Despite this low and worrying statistic, it’s promising to see that a small majority of UK retailers have at least started their DMARC journey – with 53% publishing a DMARC record in general. When we look at the top European-wide online retailers, 60% of them have published a DMARC record.

If we compare this to the largest organisations in the world (the Global 2000), only 51% of these brands have published a DMARC record. This illustrates that the retail industry is slightly ahead of the curve – and therefore certainly is paying attention to security hygiene – but there’s still a long way to go.

Unfortunately, starting your DMARC journey isn’t quite enough – without having the ‘reject’ policy in place cyber criminals can still pretend to be you and trick your customers.
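The distinction drawn in this answer (a published record versus an enforced ‘reject’ policy) is something a defender can check for their own domains and suppliers. The following is an added example, not code from Proofpoint or from the interview: it parses the tag/value syntax of a DMARC TXT record and classifies the posture, treating p=reject with a pct below 100 as only partially enforced. The domain names and records are constructed; a real assessment would first fetch each domain’s _dmarc TXT record from DNS, which this offline example does not do.

```python
from collections import Counter
from typing import Dict, Optional

# Constructed sample of published _dmarc TXT records keyed by domain (not real lookups).
# None stands for "no _dmarc record published".
SAMPLE_RECORDS = {
    "retailer-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@retailer-a.example",
    "retailer-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@retailer-b.example",
    "retailer-c.example": "v=DMARC1; p=quarantine; pct=25",
    "retailer-d.example": None,
    "retailer-e.example": "v=spf1 include:_spf.example.test -all",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tag/value pairs (tags lowercased, values stripped)."""
    tags = {}
    for chunk in record.split(";"):
        if "=" not in chunk:
            continue
        key, value = chunk.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record: Optional[str]) -> str:
    """
    Classify one domain's DMARC posture:
      'none'       - no record published, or p=none (monitoring only)
      'quarantine' - p=quarantine applied to all mail
      'reject'     - p=reject applied to all mail (the strictest level the article refers to)
      'partial'    - p=quarantine or p=reject but pct below 100, so part of the stream is not enforced
      'invalid'    - not a DMARC record, or a record with a missing/unknown policy
    """
    if not record:
        return "none"
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy == "none":
        return "none"
    if pct < 100:
        return "partial"
    return policy


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per posture, the way the survey percentages in the article are built."""
    return dict(Counter(dmarc_posture(r) for r in records.values()))


def enforcing_share(records: Dict[str, Optional[str]]) -> float:
    """Fraction of domains whose failing mail is fully rejected."""
    if not records:
        return 0.0
    return summarize(records).get("reject", 0) / len(records)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:22} {dmarc_posture(record)}")
    print("fully enforcing:", enforcing_share(SAMPLE_RECORDS))
```

Only retailer-a in the constructed sample counts as fully protected; retailer-b has "started the journey" with a monitoring-only record, and retailer-c enforces on a quarter of its mail, which is the kind of gap a published-record statistic alone hides.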

What areas should a CISO of a retail organization be particularly worried about?

Business Email Compromise (BEC) and Email Account Compromise (EAC) attacks are on the rise, targeting organisations in all industries globally. Dubbed cyber-security’s priciest problem, social engineering driven cyber threats such as BEC and EAC are purpose-built to impersonate someone users trust and trick them into sending money or sensitive information.

These email-based threats are a growing problem. Recent Proofpoint research has shown that since March 2020, over 7,000 CEOs or other executives have been impersonated. Overall, more money is lost to this type of attack than any other cybercriminal activity. In fact, according to the FBI, these attacks have cost organisations worldwide more than $26 billion between June 2016 and July 2019.

The retail industry has a very complex supply chain. When targeting an organisation in this sector, cyber criminals don’t only see success from tricking consumers/customers, they can also target suppliers, with attacks such as BEC, impersonating a trusted person from within the business.

We have seen cases within the retail sector where cyber criminals are compromising suppliers’ email accounts in order to hijack seemingly legitimate conversations with someone within the retail business. The aim here is to trick the retailer into paying an outstanding invoice into the wrong account – the cybercriminals’ account, as opposed to the actual supplier.

In addition, due to the pandemic, global workforces have been thrust into remote working – and those in the retail sector are not exempt. As physical stores have closed worldwide, customer service and interaction has shifted to digital communication more so than ever. Those employees that were used to talking directly to customers are now using online platforms and have new cloud accounts – expanding the attack surface for cybercriminals.

The retail industry – along with all other industries – needs to ensure employees are adequately trained around identifying the risks that might be delivered by these different communication channels and how to securely handle customer data.

Domain spoofing and phishing continue to rise, what’s the impact for retail organizations?

Threat actors are constantly tailoring their tactics, yet email remains the cybercriminals’ attack vector of choice, both at scale and in targeted attacks, simply because it works.

Cybercriminals use phishing because it’s easy, cheap and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. As seen in recent breaches, emails sent from official addresses that use the domains of known international companies seem trustworthy both to the receiver and to spam filters, increasing the number of potential victims. However, this has a detrimental effect on both the brands’ finances and reputation.

Organisations have a duty to deploy authentication protocols, such as DMARC, to protect employees, customers, and partners from cybercriminals looking to impersonate their trusted brand and damage their reputation.

Opportunistic cyber criminals will tailor their emails to adapt to whatever is topical or newsworthy at that moment in time. For example, Black Friday-themed phishing emails often take advantage of recipients’ desire to cash in on increasingly attractive deals, creating tempting clickbait for users.

These messages may use stolen branding and tantalising subject lines to convince users to click through, at which point they are often delivered to pages filled with advertising, potential phishing sites, malicious content, or offers for counterfeit goods. As with most things, if offers appear too good to be true or cannot be verified as legitimate email marketing from known brands, recipients should avoid following links.

Do you expect technologies like AI and ML to help retailers eliminate most security risks in the near future?

Today, AI is a vital line of defence against a wide range of threats, including people-centric attacks such as phishing. Every phishing email leaves behind it a trail of data. This data can be collected and analysed by machine learning algorithms to calculate the risk of potentially harmful emails by checking for known malicious hallmarks.

While AI and ML certainly help organisations to reduce risks, they are not going to eliminate security risks on their own. Organisations need to build the right technologies and plug the right gaps from a security perspective, using AI and ML as just part of this overall solution.

Organisations should not outsource their risk management entirely to an AI engine, because AI doesn’t know your business.

There is no doubt that artificial intelligence is now a hugely important line of cyber defence. But it cannot and should not replace all previous techniques. Instead, we must add it to an increasingly sophisticated toolkit, designed to protect against rapidly evolving threats.

The CISO’s guide to rapid vendor due diligence

Vendors are at the heart of many companies’ processes and activities, and their numbers are increasing. But the process of onboarding vendors has become complicated because of concerns about cybersecurity.


In 2019, nearly half of companies experienced a significant data breach through a third party. To prevent such incidents, security professionals demand that vendors demonstrate and maintain a strong cyber posture.

Rapid vendor due diligence can be challenging. This guide explains how it can be done, including:

  • Determining criticality of vendors
  • Analyzing the vendor attack surface
  • Creating customized questionnaires

How do I select a pentesting solution for my business?

Given the number of vulnerabilities that have gone global in the past few years, enterprises can’t afford to keep relying on reactive security. Just hoping that an alert doesn’t go off isn’t a strategy. Instead, groups should embrace penetration testing.

For those unfamiliar with the concept, a typical pentest project consists of a pentester putting on their “evil person” hat and attacking a target, looking to infiltrate the organization in the way that a malicious party would. From there, organizations can see how much access a hacker could get, and what they could do to the environment if/when they got in.

To select a suitable pentesting solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.

Tonimir Kisasondi, co-founder, Apatura

Any penetration testing is a tradeoff between scope definition, number of issues found and allocated time and budget. With that in mind, how can you get the most out of a security review?

Do not constrain the scope. Real attackers don’t care about scope. Make sure that your security reviews aren’t limited to a very narrow set of assets, and that they cover all of your assets, infrastructure, applications and even processes. A hardened operating system and services won’t do you any good if an attacker breaches that custom developed web application. Or if a technical error brings down your database and you can’t restore your backups. Make sure your security review covers all of your assets.

Consider the depth of testing that should be performed. Use the test to verify that your detection systems can detect the attacks being performed, and that you can trace any potential errors or other ways your applications broke when there were actual knowledgeable experts attacking it.

Select the right approach to a security review. While a black box testing approach may provide acceptable results, a lot of issues can be found by looking at the source code or servers running your applications. When choosing a penetration test approach, consider which type of testing may provide you with the most useful type of feedback.

Daniel Martin, Founder, Security Roots

There are several key questions to answer before considering a pentesting solution or partner.

  • What are your requirements?
  • Why do you need a penetration test?
  • What is the goal of the test?

If you cannot answer these questions, find external help to clarify your requirements before researching pentesting solutions or firms.

Establish your requirements and expectations. You need to know and ask for what you need help with – be it a pentest, vulnerability assessment, or security awareness training for your development team.

Examine the company background. Have they worked in your industry and research technologies relevant to your organization? Discuss their insurance coverage and legal documents upfront.

Once you’ve established requirements, ask each vendor to address them. It will help you understand their approach and understand their knowledge of the relationship between security and your business needs, including the tradeoffs involved in different assessment and remediation solutions and strategies.

Your vendor’s approach should align with your business goals. Ask for examples of similar projects they have undertaken, push for a sanitised report. The final deliverable should stand on its own, providing complete information about the project: a description of the scope, a high-level executive summary, and a detailed list of findings. It should include remediation advice and supporting information to validate the team’s work and verify mitigation after remediation.

Jim O’Gorman, Chief Content and Strategy Officer, Offensive Security

When arranging a penetration test, the most important question to ask is, what do I hope to accomplish from this? Whether your goal is to find and eliminate as many issues as possible in the shortest amount of time, meet a compliance mandate, simulate the actions of a malicious party that has targeted your organization to discover the “worst case scenario,” etc., communication with your service provider is essential.

Many of these goals will make some of the other goals not possible, so it’s important you pick your primary goal and focus on that. Clearly communicate what you need to the service provider and ask them what they can do to help you obtain that goal. If they have a single cookie-cutter approach to assessments that does not match up to your goal, they are not the provider for you.

Many customers start confused about what they want to accomplish – and they end up with whatever the service provider feels like giving them. Only you know what your organization needs, and it’s up to you to communicate those needs clearly and from the start.

Josh Wyatt, VP, Security Services, Rapid7

First things first, it is important to understand your business and your business risk. Working with advisory services can help identify the risks that your organization should address, and this risk assessment will not only help identify what needs to be tested but also what needs to be prioritized.

Then, a plan of action can be designed, and this plan will have the organization’s assets and the penetration testing services that align with them. It is important to also know what is covered in the pentest solution and what is not. It is also important to understand how to take the pentest results and implement them across the entire organization.

Since penetration tests are limited in scope and time, they often do not identify all instances of vulnerabilities. So, the findings should be not only remediated, themselves, but they should be used as templates and hints to search for other instances where the vulnerability could manifest itself. Penetration testers do not work in a vacuum — the organization should be prepared to take an active role in its own security.