STE WILLIAMS

Persistent Threats Can Last Inside SMB Networks for Years

The average dwell time for riskware can be as much as 869 days.

Dwell time — the amount of time a threat spends inside of a network before an organization discovers and removes it — has become a significant problem for small and midsize businesses (SMBs), according to a report released today by Infocyte.

The report, based on more than 339,000 accounts and behavioral logs for malicious activity, focuses on companies that have between 99 and 5,000 employees and annual revenue of up to $1 billion.

Dwell time for ransomware attacks averaged 43 days, the report points out. By contrast, dwell time for all other (non-ransomware) persistent threats averaged 798 days, while dwell time for riskware – defined as unwanted applications, Web trackers, and adware – averaged a whopping 869 days.

According to Chris Gerritz, co-founder and chief product officer at Infocyte, 72% of SMBs had riskware and unwanted applications in their networks that took longer than 90 days to remove. While these were generally lower-risk issues, the bigger takeaway is that networks which fail to control riskware typically have a lower readiness to respond to high-priority threats when those are uncovered.

“We found that 60% of malware is identified by [antivirus] vendors using a generic signature – it doesn’t specify what the issue is – so that’s also why SMBs can’t always understand the difference between high-priority and low-priority risks,” Gerritz says.

The Infocyte report also explains why the dwell times of some persistent threats and riskware run well over two years. For example, some of the active infections on the inspected systems beacon to domains that have since been sinkholed and so pose no immediate threat, it says.

That said, one family of infections that researchers found traced back as long as a decade ago. While they didn’t pose a threat after a series of botnet operators were arrested in subsequent years, “it’s still surprising to find the malware still active on what appear to be protected endpoints so many years later,” Gerritz says.

If continuous monitoring is not an option, Gerritz recommends that SMBs once a year bring in a third party to perform a “compromise assessment” at the same time they conduct a vulnerability assessment and pen tests.

“If companies can’t afford threat analysis, they should at least get these tests done once a year,” he says, so security pros can check for active malware with long dwell times that may have been sitting active in the network for many years.

Aaron Sherrill, a senior analyst at 451 Research, says Infocyte’s research brings to light how most small companies lack standard security controls.

“They may not have updated technology, the signatures are not updated, the alerts and events are often ignored, or maybe they just don’t have the bandwidth to do it all,” Sherrill says. If companies can afford them, compromise assessments should be more than once-a-year events.

“Too often companies do these assessments as a checkbox item and they forget about it,” Sherrill says. “Many of these threats are very sophisticated and are engineered not to be detected. Companies are at risk every minute of every day. What they really need is to have their networks continuously monitored.”


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/threat-intelligence/persistent-threats-can-last-inside-smb-networks-for-years/d/d-id/1335207?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sea Turtle hackers head to the Mediterranean, snag Greece’s TLD registrar as a souvenir

Miscreants notorious for hijacking traffic to victims’ servers by changing their DNS records have been accused of hacking a top domain-name registrar in Greece.

The team at Cisco Talos believes the Sea Turtle group was responsible for an April cyber-break-in at ICS-Forth, the company that manages the .gr top-level domain for Greece. The hackers maintained access for a period of at least five days.

“Cisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network from an operational command and control (C2) node,” Talos researcher Paul Rascagneres explained earlier this week.

“Our telemetry indicates that the actors maintained access in the ICS-Forth network through at least April 24, five days after the statement [that ICS-Forth had been hacked] was publicly released.

“Upon analysis of this operational C2 node, we determined that it was also used to access an organization in Syria that was previously redirected using the actor-controlled name server ns1[.]intersecdns[.]com. This indicates that the same threat actors were behind both operations.”

Getting into a domain registrar would be a big win for Sea Turtle, as the group’s favored technique involves hijacking the DNS entries for its targets’ domain names and subdomains to redirect people’s connections to hacker-controlled servers. Users think they are connecting to the under-attack organization’s servers as normal, but are instead connecting to Sea Turtle’s systems, which masquerade as the legit sites, and handing over their login credentials to scumbags.

Indeed, the Talos team reports that shortly after the ICS-Forth intrusion took place, two Greek government organizations fell victim to DNS hijackings.

The attacks would have occurred at roughly the same time Cisco Talos was introducing the world to Sea Turtle and its methods for hacking government and corporate networks without ever having to target their servers or network appliances. While the group was initially focused on the North Africa and Middle East regions, since April the operation has expanded not only to Greece, but also to targets in Switzerland, Sweden, and the US.

The groups in Sea Turtle’s crosshairs had mostly been government organizations, political think tanks, and international NGOs, though the Talos team notes that some energy companies and at least one airport were also targeted.

Talos recommends that companies worried about attacks add multi-factor authentication to their registrar accounts, to prevent crooks socially engineering their way into domain settings, and implement DNSSEC. ®
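The check a domain owner would want after reading this, as an added example that is not Talos’s or ICS-Forth’s code: compare what resolvers currently return for your NS and A records against a stored baseline and alert on any drift, which is exactly what a registrar-side rewrite of the kind described above produces. The domain victim.example, the baseline, the registrar name servers and the answer tables are all constructed; the rogue NS in the hijacked table reuses the actor-controlled name server named in the Talos write-up. The resolver is injected so the block runs offline; in production, swap in real queries (dnspython, ideally from several vantage points) and run it on a schedule.

```python
"""Baseline check for registrar-level DNS hijacking (added example).

Compares the records a monitor observes for a domain against an expected
baseline and reports drift. The resolver is injected so the block runs
offline on constructed answers; replace it with real queries in production.
"""
from typing import Callable, Dict, List, Set, Tuple

# A resolver maps (name, rrtype) -> set of rdata strings.
Resolver = Callable[[str, str], Set[str]]


def normalize(rdata: str) -> str:
    """Case-fold and strip the trailing dot so 'NS1.Example.NET.' == 'ns1.example.net'."""
    return rdata.strip().lower().rstrip(".")


def check_domain(domain: str,
                 baseline: Dict[str, Set[str]],
                 resolve: Resolver) -> List[Tuple[str, str, str]]:
    """Return (rrtype, verdict, rdata) findings; an empty list means clean.

    'unexpected' = a record not in the baseline (possible hijack),
    'missing'    = a baseline record that is no longer served.
    """
    findings = []
    for rrtype, expected in baseline.items():
        want = {normalize(r) for r in expected}
        got = {normalize(r) for r in resolve(domain, rrtype)}
        for r in sorted(got - want):
            findings.append((rrtype, "unexpected", r))
        for r in sorted(want - got):
            findings.append((rrtype, "missing", r))
    return findings


# Constructed sample data: hypothetical domain, baseline and observations.
BASELINE = {
    "NS": {"ns1.example-registrar.net", "ns2.example-registrar.net"},
    "A": {"203.0.113.10"},
}

CLEAN_ANSWERS = {
    ("victim.example", "NS"): {"NS1.example-registrar.net.", "ns2.example-registrar.net."},
    ("victim.example", "A"): {"203.0.113.10"},
}

# Observed answers after a registrar-side rewrite: one NS swapped for the
# actor-controlled name server from the Talos report, A record repointed.
HIJACKED_ANSWERS = {
    ("victim.example", "NS"): {"ns1.intersecdns.com.", "ns2.example-registrar.net."},
    ("victim.example", "A"): {"198.51.100.77"},
}


def make_resolver(table: Dict[Tuple[str, str], Set[str]]) -> Resolver:
    """Offline stand-in for a real resolver, backed by a constructed table."""
    return lambda name, rrtype: table.get((name, rrtype), set())


if __name__ == "__main__":
    for label, table in (("clean", CLEAN_ANSWERS), ("hijacked", HIJACKED_ANSWERS)):
        findings = check_domain("victim.example", BASELINE, make_resolver(table))
        for f in findings or [("-", "clean", "")]:
            print(label, *f)
```

This is a detective control: it tells you after the fact that your records changed. The multi-factor authentication on the registrar account and DNSSEC that Talos recommends are what make the change harder to pull off or to pass unnoticed by validating resolvers in the first place.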

Sponsored:
Balancing consumerization and corporate control

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/11/sea_turtle_greece_tld/

“Mozilla aren’t villains after all” – ISPs back down after public outcry

A few short days ago, we wrote up the news that Mozilla was up for an internet award

…for cybervillainy!

We didn’t see that one coming, but it’s no lie: the UK Internet Service Providers Association (ISPA) shortlisted Mozilla for the dishonourable title of 2019 Internet Villain.

The other two entries on the villains’ list were US President DJ Trump, and the Article 13 Copyright Directive.

But why finger Mozilla, of all internet organisations, as a bunch of cyber-rogues?

Was it because Mozilla takes money from a well-known, wealthy and powerful search engine and online advertising company to help bankroll its own browser?

Was it Mozilla’s acquisition of Pocket, after which the organisation assured us it wasn’t “adding ads” but instead providing “sponsored content”?

Neither of these, apparently.

Seems it was all down to Mozilla’s enthusiastic adoption of a system called DNS-over-HTTPS.

DNS, as you probably know, is the global service that converts names like example.com into network numbers like 203.0.113.42, and HTTPS is the protocol that puts the padlock in your browser’s address bar.

Put them together and you have DNS-over-HTTPS: it’s a way of encrypting and authenticating your network lookups while you’re online.

Instead of everyone in the coffeeshop being able to sniff out the names of the online services you’re interested in, and perhaps also modifying the DNS results on the way back to misdirect you into harm’s way…

…your DNS list of “sites of interest” remains private, which in turn keeps you more secure against snooping, surveillance and sneaky substitutions.

In other words, DNS-over-HTTPS offers improved privacy, better resistance to unauthorised surveillance, and safer browsing.
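How the lookup actually travels, as an added example (not Mozilla’s or Firefox’s code): under RFC 8484 the browser builds an ordinary DNS wire-format query, base64url-encodes it into the dns= parameter of an HTTPS GET (or POSTs the raw bytes), and parses an ordinary DNS response out of the HTTPS body. Everything on the wire between the browser and the DoH server is therefore TLS, which is the property the ISPA objected to. The block uses only the Python standard library, sends nothing, and parses a response constructed inline; the resolver URL is a placeholder.

```python
"""DNS-over-HTTPS on the wire, RFC 8484 style (added example).

Builds a DNS query, the URL a DoH GET would use, and parses a constructed
DNS answer. Standard library only; no network traffic is generated.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """example.com -> b'\\x07example\\x03com\\x00' (DNS label encoding)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """One-question DNS query. ID is 0 as RFC 8484 recommends, so identical
    queries yield identical GET URLs that HTTP caches can serve."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver: str, query: bytes) -> str:
    """GET form: base64url without padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (resolver, b64)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes):
    """Return (rcode, [(name, type, ttl, rdata_text)]) for a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == TYPE_A else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers


def sample_response() -> bytes:
    """Constructed answer: example.com A 203.0.113.42, TTL 300, owner name
    compressed to the question at offset 12."""
    q = build_query("example.com")
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([203, 0, 113, 42])
    return header + q[12:] + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example.net/dns-query", q))  # placeholder resolver
    print(parse_response(sample_response()))
```

The zero transaction ID is deliberate: in plain UDP DNS the random ID is part of the (weak) defence against spoofed answers, but inside a TLS session that job is done by the connection itself, so RFC 8484 trades the ID for cache friendliness.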

If I unlawfully sniff out your DNS traffic so I know where you went, I’m violating your privacy. Merely by knowing where you surfed, without getting any details of what you actually surfed, I can infer an awful lot about you. I can probably piece together your daily routine, both at work and at home; figure out your likes and fears; learn which companies you do business with; guess which bank you use, the shops you frequent, the clubs you belong to, the hobbies you enjoy, the medical surgery you’re registered with, the sports teams you support, and much more.

Surely some mistake?

My immediate personal reaction to this “Villainy Award” nomination was to jump to the conclusion that Mozilla had accidentally ended up on the wrong list.

Surely, I thought, Mozilla should be in there with the 2019 Internet Heroes nominees, which included Sir Tim Berners-Lee, praised for his effort “to rebuild trust and protect the open and free nature of the internet”?

As I wrote earlier this week:

In a world with GDPR – a regulation that was inspired in great part by the clear and present danger of over-aggressive data collection followed by poor data protection – then the encryption and authentication of DNS traffic is more important than ever.

It’s bizarre to recommend that people use secure browsers and check for the HTTPS padlock while at the same time demanding that they navigate around the internet in a way that is wide open to snooping and deliberate misdirection.

Having a secure browser with insecure DNS is like locking the cockpit door to protect aeroplane pilots during flight, but choosing a random passenger to do the pre-flight clearance with air traffic control and insisting that the pilots trust the results.

I may have mixed my metaphors a bit there, but the ISPA’s announcement was bizarre enough to be baffling, and that’s my excuse – my mind was boggled.

OK, so there are various technical reasons why you might be against DNS-over-HTTPS, or at least why you might want to tackle DNS encryption in a different way.

For example, there are long-standing, lower-level protocols that already exist for securing DNS, so maybe we should finally be trying to make one of the existing alternatives stick instead.

But the ISPA’s reason for considering Mozilla villainous seems to have boiled down almost entirely to one issue: encrypting DNS queries at all.

Mozilla would suddenly make the internet too secure! Too private! Too safe! Too well-protected from busybodies, snoops and crooks!

Horror of horrors!

British ISPs would no longer be able to collect and collate innocent users’ high-level internet browsing habits themselves just in case the data ever came in handy for busting ACTUAL CROOKS!

Danger, Will Robinson!

The struggle continues

Well, it seems that the voice of the people – a global outpouring of internet bafflement similar to my own comment above – has finally won the day.

The ISPA has now officially and publicly backed down and taken Mozilla off the Internet Villainy shortlist.

Sure, the ISPA’s statement isn’t an apology; the announcement includes a strongly-worded caveat running to six numbered points; and it all ends with the sanctimonious-sounding declaration that “there are numerous other areas that we could go into”…

…but, mercifully, they don’t.

The de-nomination also tries to persuade us all that “the villain category is intended to draw attention to an important issue in a light-hearted manner, but this year has clearly sent the wrong message.”

Clearly.

That’s all I’m saying.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/L7cNuzhk__E/

Remember Stuxnet? You’ll endure its hated-by-critics sequel if you don’t patch your holey Siemens industrial kit

Industrial control software vulnerabilities, which would be perfect for next-gen Stuxnet-style worms to exploit, are as prevalent as ever, apparently.

A report out this week from Tenable outlined a series of CVE-listed security holes in the products of four of the largest industrial control system (ICS) makers, including Siemens, whose controllers at Iranian nuclear enrichment plants were the primary target of Stuxnet.

Developed chiefly by America and Israel, Stuxnet worked by infecting Windows PCs and searching networks for computers connected to particular Siemens industrial controllers – those seemingly configured to regulate the rotor speed of gas centrifuges used by Iran – and then reprogrammed the controllers [PDF] to stealthily wreck the sensitive high-speed enrichment equipment. Specifically, Stuxnet exploited three holes in Microsoft Windows and one in Siemens’s Windows-based SIMATIC software to commandeer gear in Iran’s nuclear program.

It is therefore feared future strains of Stuxnet-like nasties, developed by any competent hacking operation, could potentially seize upon similar flaws still present in systems controlling important machinery and cause rather unpleasant damage.

Critical

For this latest research, Tenable engineer Joseph Bingham said he and his team examined four ICS vendors’ products over a period of nine months going back to September of last year, and found a total of 17 security flaws, all but three considered to be critical. The probed equipment is used to monitor and direct all sorts of vital gear, like power station systems, factory lines, and other bits of infrastructure. It’s the sort of stuff you don’t want to be reprogrammed or manipulated unexpectedly from afar by miscreants.

Among those discovered holes was CVE-2019-10915, a critical bug in TIA Portal, the web application Siemens provides to allow administrators to remotely send commands to installed industrial controllers. An attacker on the network can completely bypass authentication checks and fire off arbitrary commands to hijack equipment without needing any password – obviously not something you want in a critical industrial management appliance.

“An attacker can bypass HTTP authentication and access all administrator functionality by directly sending WebSocket commands to the server,” Bingham explained.

“A remote attacker is able to force a malicious firmware update from an arbitrary server (resulting in remote code execution), modify user permissions, or change application proxy settings.”


Siemens has since issued a patch, and admins are advised to test and install the fix as soon as possible.

Though it was the most recent, the Siemens bug was far from the only critical flaw the Tenable researchers discovered. Industrial control appliances from Fuji Electric (in the Tellus V-Server), Schneider Electric (InduSoft Web Studio and Modicon PLC), and Rockwell Automation (RSLinx) were also found to contain flaws ranging from medium to critical severity.

Overall, the research paints a less than encouraging picture of the progress that the ICS and security communities have made in the nine-plus years since word first broke of Stuxnet and its exploits in sabotaging Iran’s uranium centrifuges. On the other hand, software will always have bugs, and this is all software controlled, so try not to panic.

“Stuxnet only needed three new vulnerabilities to spread through an isolated network and damage centrifuges in the targeted Iranian nuclear facility,” Bingham noted. “Any of the vulnerabilities… could have been discovered by a threat actor and used as a key component in a targeted attack to disrupt or damage industrial hardware.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/10/siemens_controllers_flaw/

AMD’s SEV tech that protects cloud VMs from rogue servers may as well stand for… Still Extremely Vulnerable

Five boffins from four US universities have explored AMD’s Secure Encrypted Virtualization (SEV) technology – and found its defenses can be, in certain circumstances, bypassed with a bit of effort.

In a paper [PDF] presented Tuesday at the ACM Asia Conference on Computer and Communications Security in Auckland, New Zealand, computer scientists Jan Werner (UNC Chapel Hill), Joshua Mason (University of Illinois), Manos Antonakakis (Georgia Tech), Michalis Polychronakis (Stony Brook University), and Fabian Monrose (UNC Chapel Hill) detail two novel attacks that can undo the privacy of protected processor enclaves.

The paper, “The SEVerESt Of Them All: Inference Attacks Against Secure Virtual Enclaves,” describes techniques that can be exploited by rogue cloud server administrators, or hypervisors hijacked by hackers, to figure out what applications are running within an SEV-protected guest virtual machine, even when its RAM is encrypted, and also extract or even inject data within those VMs.

This is possible, we’re told, by monitoring, and altering if necessary, the contents of the general-purpose registers of the SEV guest’s CPU cores, gradually revealing or messing with whatever workload the guest may be executing. The hypervisor can access the registers, which typically hold temporary variables of whatever software is running, by briefly pausing the guest and inspecting its saved state. Efforts by AMD to prevent this from happening, by hiding the context of a virtual machine while the hypervisor is active, can also, it is claimed, be potentially thwarted.

SEV is supposed to safeguard sensitive workloads, running in guest virtual machines, from the prying eyes and fingers of malware and rogue insiders on host servers, typically machines located off-premises or in the public cloud.

The techniques, specifically, undermine the data confidentiality model of guest virtual machines by enabling miscreants to “recover data transferred over TLS connections within the encrypted guest, retrieve the contents of sensitive data as it is being read from disk by the guest, and inject arbitrary data within the guest,” according to the study.

As a result, the paper calls into question the confidentiality promises of cloud service providers. Pulling off these techniques, in our view, is non-trivial, so if anyone does fancy exploiting these weaknesses in SEV in real-world scenarios, they’ll need to be determined and suitably resourced.

In 2016, AMD introduced two memory encryption capabilities to protect sensitive data in multi-tenant environments, Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). The former protects memory against physical attacks like cold boot and direct memory access attacks. The latter mixes memory encryption and virtualization, allowing each virtual machine to be protected from other virtual machines and underlying hypervisors and their admins.


Other vendors have their own secure enclave systems, like Intel SGX, which offers a different set of potential attack paths.

SEV, says AMD, protects customers’ guest VMs from one another, and from software running on the underlying host and its administrators. Whatever happens in these virtual machines should be off limits to other customers as well as the host machine’s operating system, hypervisor, and admins. However, the researchers have demonstrated that this threat model fails to ward off register inference attacks and structural inference attacks by malicious hypervisors.

“By passively observing changes in the registers, an adversary can recover critical information about activities in the encrypted guest,” the researchers explain in their paper.

A variant technique even works against Secure Encrypted Virtualization Encrypted State (SEV-ES), an extended memory protection technique that not only encrypts RAM but encrypts the guest’s virtual machine control block: this is an area of memory that stores a virtual machine’s CPU register contents when it is forced to yield to the hypervisor. This encryption should thus stop the hypervisor from making any sense of the paused VM’s context, though its contents can still be inferred, we’re told.

“We show how one can use data provided by the Instruction Based Sampling (IBS) subsystem (e.g. to learn whether an executed instruction was a branch, load, or store) to identify the applications running within the VM,” the paper says. “Intuitively, one can collect performance data from the virtual machine and match the observed behavior to known signatures of running applications.”

To conduct their work, the boffins used a Silicon Mechanics aNU-12-304 server with dual AMD Epyc 7301 processors and 256GB of RAM, running Ubuntu 16.04 and a custom 64-bit Linux kernel v4.15. Guest VMs received a single vCPU with 2GB of RAM, running Ubuntu 16.04 with the same kernel as the host.

While the security implications of accessing encrypted data and injecting arbitrary data are obvious, even exposing what applications are running in a guest VM has potentially undesirable consequences. Service providers could use the technique for application fingerprinting and banning unwanted software; malicious individuals could conduct reconnaissance to target exploits, develop return-oriented programming (ROP) attacks, or undermine Address Space Layout Randomization (ASLR) defenses.

The researchers recommend the IBS subsystem be changed so that guest readings are discarded when secure encrypted virtualization is enabled.
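To make the “match the observed behavior to known signatures” step concrete, an added toy example that is not the paper’s or AMD’s code: each IBS sample contributes only an instruction class, the hypervisor turns a window of samples into a histogram, and it picks the known workload whose histogram is closest by cosine similarity. The two workloads, their traces and the similarity threshold are all constructed; real IBS records carry many more fields, and the paper’s signature set is not reproduced here. The sev_enabled gate models the authors’ proposed fix of discarding guest samples when SEV is on.

```python
"""Application fingerprinting from coarse instruction sampling (added example).

Models the structural inference idea with constructed traces: a histogram of
instruction classes per sampling window, matched against learned signatures.
"""
from collections import Counter
from math import sqrt
from typing import Dict, Iterable, List, Optional, Tuple

CLASSES = ("branch", "load", "store", "other")


def histogram(trace: Iterable[str]) -> Tuple[float, ...]:
    """Normalized frequency of each instruction class in a sample window."""
    counts = Counter(trace)
    total = sum(counts[c] for c in CLASSES) or 1
    return tuple(counts[c] / total for c in CLASSES)


def cosine(a: Tuple[float, ...], b: Tuple[float, ...]) -> float:
    """Cosine similarity between two histograms (1.0 = identical shape)."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def train(labelled: Dict[str, List[List[str]]]) -> Dict[str, Tuple[float, ...]]:
    """Average the histograms of several traces per application into one signature."""
    sigs = {}
    for app, traces in labelled.items():
        hs = [histogram(t) for t in traces]
        sigs[app] = tuple(sum(h[i] for h in hs) / len(hs) for i in range(len(CLASSES)))
    return sigs


def classify(trace: Iterable[str], signatures: Dict[str, Tuple[float, ...]],
             sev_enabled: bool, threshold: float = 0.95) -> Optional[str]:
    """Best-matching application, or None when samples are withheld (the
    proposed mitigation) or no signature is similar enough."""
    if sev_enabled:
        return None  # mitigation: guest IBS samples are discarded under SEV
    h = histogram(trace)
    best, score = max(((app, cosine(h, s)) for app, s in signatures.items()),
                      key=lambda x: x[1])
    return best if score >= threshold else None


def synth(branch: int, load: int, store: int, other: int) -> List[str]:
    """Constructed trace with the given instruction-class counts."""
    return ["branch"] * branch + ["load"] * load + ["store"] * store + ["other"] * other


# Constructed training data: a branch-heavy "webserver" and a load/store-heavy
# "filecopy" workload, two windows each.
TRAINING = {
    "webserver": [synth(40, 25, 10, 25), synth(42, 23, 12, 23)],
    "filecopy": [synth(5, 45, 45, 5), synth(6, 44, 46, 4)],
}
SIGNATURES = train(TRAINING)

if __name__ == "__main__":
    unknown = synth(38, 27, 11, 24)
    print(classify(unknown, SIGNATURES, sev_enabled=False))  # webserver
    print(classify(unknown, SIGNATURES, sev_enabled=True))   # None
```

The point of the example is the asymmetry: the hypervisor never reads a byte of guest memory, yet a handful of per-sample bits is enough to tell which program is running, which is why the paper treats sampling data as part of the confidentiality boundary.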

The Register asked AMD for comment, and we’ve not heard back. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/10/amd_secure_enclave_vulnerability/

New Ransomware Targets QNAP’s Network-Attached Storage Devices

More than 19,000 systems in the US are potentially at risk from eCh0raix.

Researchers at Anomali have spotted a new ransomware strain that is targeting users of QNAP Systems’ network-attached storage (NAS) devices.

The operators of the malware appear to be gaining access to the devices either by brute-forcing weak credentials or by exploiting known vulnerabilities in them. However, the exact infection vector remains unclear for the moment, the security vendor said in an advisory released Wednesday.

The ransomware, dubbed eCh0raix, seems designed for targeted attacks and not just for mass distribution. Hard-coded encryption keys in some samples of the malware that Anomali analyzed appeared to have unique decryption keys associated with them, meaning the same decryptor would not work for all victims.

Taiwan-based QNAP is a relatively major player in the NAS market worldwide.

“We have seen a fully ‘offline’ version and a version that reaches out to the C2 server to fetch the bitcoin wallet and public key before it starts,” says Joakim Kennedy, threat intelligence manager at Anomali.

The online version alerts its command-and-control server when it starts and finishes encrypting files on an infected device. However, the information that is sent back to the C2 server does not contain any tracking data that would reveal the identity of the victim to the attacker.

The offline version, on the other hand, has the encryption information embedded in the malware and seems compiled for specific targets. The hard-coded public key in these samples is used to encrypt the AES key that encrypts and decrypts the files, Kennedy says.

eCh0raix is the latest example of ransomware being used in targeted attacks. Numerous security vendors have reported a substantial decline in general ransomware activity in the last few months. However, at the same time, there has been a sharp increase in attacks targeting enterprise organizations.

In its “2019 Internet Security Threat Report,” Symantec noted ransomware infections on endpoints dropping by 20% in 2018 compared with the year before — the first drop in volume since 2013. Significantly, though, 81% of all ransomware infections last year involved enterprises — a sharp reversal from a few years ago when consumers were the primary targets.

Poorly Protected Systems
With eCh0raix, the threat actor behind it is targeting QNAP NAS devices that people use for backups and file storage purposes. Such devices typically do not run antivirus or anti-malware products, which means eCh0raix is able to run on them with little risk of being detected. The samples that Anomali analyzed were detected by just two or three anti-malware tools on VirusTotal, Anomali said.

It’s unclear if the operators of eCh0raix are targeting older QNAP devices or more recent ones, but it is likely they are scanning the Internet for accessible devices. Based on Anomali’s own Internet-wide scans, there appears to be currently over 19,000 publicly facing QNAP devices in the US. It’s unclear how many of these devices are deployed in enterprise organizations, Kennedy says.

What makes the malware interesting is that it is targeting NAS devices, Kennedy notes. Besides having relatively little protection, such devices are usually used to store important files and backups especially in enterprise settings. Therefore, NAS devices present a potentially lucrative target for ransomware authors, he says. 

Some victims of the malware have reported seeing a high number of failed login attempts just before being infected, suggesting a brute-force credential attack. Others have reported their systems as not being fully patched, suggesting the attackers may be exploiting vulnerabilities on QNAP NAS devices.

From a technical standpoint, eCh0raix is a fairly basic ransomware tool written in the Go programming language. Before it starts encrypting, the malware kills off several processes on the infected machine and skips system directories such as /boot/, /proc/, /sys/, /run/, and /dev/, Anomali said. It then looks for and encrypts all data, image, media, and memory dump-related files on the system.

The malware is another reminder for enterprises to lock down all their Internet-facing assets, Kennedy says. “Organizations should perform asset management and ensure that only necessary devices are publicly facing,” he says. “Strong login credentials should be used and systems should be kept updated with the latest patches to ensure that exploitation is less likely.”
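The failed-login burst that victims reported is the one signal a NAS owner can act on before encryption starts. As an added example that is not Anomali’s or QNAP’s code, the block below runs a sliding-window count of failed logins per source address over constructed, syslog-style log lines and flags a source that crosses a threshold, plus any success from a source that was mid-burst (a likely guessed password). The log format is a constructed approximation, not QNAP’s actual format; adapt the regular expression to the device’s real auth log.

```python
"""Detect a credential brute-force burst in NAS auth logs (added example).

Sliding-window count of failed logins per source address, with an extra
alert when a flagged source then succeeds. Log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Constructed format, e.g.
# "2019-07-09 03:14:00 nas1 authd: login failed for user admin from 198.51.100.23"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"login (?P<result>failed|succeeded) for user (?P<user>\S+) from (?P<src>[\d.]+)"
)


def detect_bursts(lines: Iterable[str], window_s: int = 60,
                  threshold: int = 10) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, verdict) events.

    'bruteforce' is emitted once per source when it reaches `threshold`
    failures inside `window_s` seconds; 'success_after_bruteforce' when a
    source flagged earlier in the run logs in successfully.
    """
    window = timedelta(seconds=window_s)
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    events = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = m["src"]
        q = failures[src]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if m["result"] == "failed":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                events.append((m["ts"], src, "bruteforce"))
        elif src in flagged:
            events.append((m["ts"], src, "success_after_bruteforce"))
    return events


def sample_log() -> List[str]:
    """Constructed log: 12 rapid failures from one source, then a success;
    one stray failure from another source that must not be flagged."""
    base = datetime(2019, 7, 9, 3, 14, 0)
    lines = []
    for i in range(12):
        t = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append("%s nas1 authd: login failed for user admin from 198.51.100.23" % t)
    lines.append("2019-07-09 03:14:30 nas1 authd: login succeeded for user admin from 198.51.100.23")
    lines.append("2019-07-09 03:20:00 nas1 authd: login failed for user bob from 192.0.2.9")
    return lines


if __name__ == "__main__":
    for event in detect_bursts(sample_log()):
        print(*event)
```

A success after a flagged burst is the higher-priority alert of the two: it means the guessing worked, and on a device that holds the backups, the next thing to expect is the encryptor. Pair the detection with Kennedy’s advice above: keep the device off the public Internet unless it must be there, and use credentials that a burst of this size cannot guess.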


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/new-ransomware-targets-qnaps-network-attached-storage-devices/d/d-id/1335210?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Financial Firms Face Threats from Employee Mobile Devices

A new report says that phishing and man-in-the-middle attacks are major risks to financial institutions – via mobile devices in the hands of their employees.

Financial services is a highly regulated industry, but that doesn’t mean it’s immune to cybersecurity woes. According to a new report, financial services organizations experience higher rates of phishing and man-in-the-middle (MiTM) attacks via mobile devices than other industries, and technology trends are making the issues even more complex.

The financial services mobile security report, published by Wandera, draws on data from 4.7 million events across 225 financial services customers. Wandera compares incidents such as phishing attacks (57% of organizations in financial services have seen these, compared to 42% across all industries) and MiTM attacks (36% in financial services compared to 24% all industries) involving mobile devices.

The specifics of the threats come in the context of rising overall threats. In the UK alone, the number of breaches in the financial services industry increased by 480% from 2017 through 2018.

One of the important findings in the report, according to Michael Covington, vice president of product strategy at Wandera, is what is not a major issue: “I think a lot of people, when they think of threats on mobile, they think of malware, and it just isn’t there,” he says. “I think it’s largely because the mobile devices themselves are fairly well-built.”

Instead of malware, criminals are using phishing attacks to gain access to financial services networks, but not just any attacks. “We’re seeing more targeted attacks within financial services instead of kind of the scattershot approach where you send out a phishing attack to everybody in the organization,” he explains.

The success of phishing attacks on mobile devices in financial services may be part of a larger pattern of risky mobile behavior by those in the industry. According to the report, 42% of the organizations represented had devices with “side-loaded” apps — apps downloaded and installed from sites other than the app stores approved for the device. Covington says, “You start to see the implications of letting employees manage their own device.”

And those employees are managing their devices in tremendous numbers, he says. Employee-owned devices, used to conduct company business, are targets because of the sensitive data they contain.

“There’s no doubt in my mind that the criminal side of the equation is after rich data,” he says. And the availability of rich data goes beyond the data just on the mobile devices since their users have access to enterprise applications and databases. “That’s also why phishing attacks are specifically on the rise within financial services organizations because it’s the credentials that the attacker can get,” Covington says. “Those provide them access to the data repositories in the cloud or in the data center.”

Protecting your organization from employee mobile devices comes down to better managing those devices. “They need to be making sure that when a user logs into a service that it is indeed that user. And they need to look at the devices that those users are coming from,” he says. “Sometimes it’s going to matter to an organization if it’s a sanctioned device. Other times it won’t.”

Ultimately, though, it comes down to only giving verified and authorized users access to corporate resources from their mobile devices, and only if those devices are trustworthy, he says.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/threat-intelligence/financial-firms-face-threats-from-employee-mobile-devices/d/d-id/1335211?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Industry Insight: Checking Up on Healthcare Security

Modern threats putting healthcare organizations at risk, how they’re improving their security posture, and where many fall short.

At a time when organizations across all industries fear data breaches and cyberattacks, those in healthcare have greater reason to be on edge. Troves of sensitive health data, a wealth of connected medical devices, and poor risk management practices make healthcare a hot target.

Between 2009 and 2018, there were 2,546 healthcare data breaches involving more than 500 records each, HIPAA Journal reports. These incidents led to the exposure of 189,945,874 healthcare records. While 2015 was the worst year on record, with some 113.3 million records exposed, there has been a general upward trend in the amount of compromised data.

For cybercriminals, health data is far more valuable than other types of information they sell for profit. A protected health information (PHI) record, for example, is worth 100 times as much as a credit card number on the Dark Web, Bugcrowd states in its recently published “State of Healthcare Security 2019” report. More than half of healthcare organizations lack strong confidence in medical device security.

Organizations that handle PHI must have physical, network, and operational security measures to ensure HIPAA compliance. Checking the boxes isn’t easy: Despite standards like ISO/IEC 80001 and the NIST Cybersecurity Framework pushing to change healthcare tech, the industry’s increasing digitization is putting sensitive data at risk.

“The big issue is the widespread use of medical devices and IoT devices connected through the Internet,” says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, which published “The Economic Impact of Third-Party Risk Management in Healthcare” on behalf of Censinet. Large healthcare organizations like the Cleveland Clinic are taking this seriously and investing more resources into securing their devices; however, smaller institutions typically can’t afford to do the same.

Cloud adoption is another challenge in healthcare. “For a long time, healthcare organizations have been laggards in terms of deployment to the cloud,” Ponemon explains, as many feared data would fall into the wrong hands. While more have realized the cloud can strengthen security, bringing applications to the cloud requires a formal process to reduce the risk of migration.

“Most organizations don’t have the resources or internal knowledge to do that very well,” he adds. “It’s creating a lot of internal risk during these transitions.” Researchers found 72% of 554 healthcare IT and security pros say increasing reliance on third-party connected medical devices is risky, and 68% say moving to the cloud while connecting these devices creates significant risk.

Risk management was the crux of the Ponemon Institute’s research, which specifically digs into how partnerships with third-party organizations are a growing threat to healthcare data. Third-party vendor incidents cost the industry $23.7 billion annually, they report.

Partnerships Come at a Price
Each data breach costs healthcare providers $2.9 million, Ponemon researchers found, which is far less than the $3.8 million in hidden costs related to managing vendor risk. In the last two years, 56% of healthcare firms have suffered a breach introduced by one or more vendors.

A recent example was reported this week: The Nemadji Research Corp., which contracts with the L.A. County Department of Health Services, was hit with a phishing attack that allowed external actors to access medical information belonging to 14,591 patients. Data included names, addresses, birth dates, medical record numbers, and Medi-Cal identification numbers.

“A constant finding was that most organizations have a really hard time managing vendors or just in general, third-party relationships,” says Ponemon. Eighty percent say prioritizing vendor risk is very important, but only 36% say it’s very effective. More than half (52%) allocate an average of 17% of their budget to vendor risk management. The average organization has 3.21 full-time staffers spending 500+ hours each month on vendor risk assessment, they report.

All respondents in the survey had a vendor risk assessment program in place; however, these had security gaps. Researchers found vendor risk management controls and practices are only partially deployed or not deployed at all. When assessments are conducted, 60% don’t find the information valuable and many don’t act on it: only one-third of respondents would mitigate security gaps, and 28% would terminate a relationship with a vendor that didn’t meet standards.

“The whole idea of an assessment is to recognize the negative and positive things vendors are doing, and doing [this] in a way that helps change the organization’s process when they identify a practice that is unacceptable or doesn’t meet the control standard,” Ponemon says.

Catching and Squashing Healthcare Bugs
Nearly all medical devices are, in some way, connected to the Internet, the Bugcrowd report says. It’s one of many factors healthcare cybersecurity teams are worried about, along with a rise in mobile digital health applications and electronic patient records moving to the cloud.

From 2017 to 2018, researchers saw 340.6% growth in vulnerability submissions for healthcare organizations. Bugcrowd chief security officer David Baker partly attributes this to rapid adoption of crowdsourced security. “The speed at which healthcare is adopting crowdsourced security [is] much faster than I’ve seen them adopt other security solutions,” he says. While medical devices aren’t yet included in bug bounty programs, websites and mobile apps are.

Most organizations are concerned about the loss of PHI, and the loss of personally identifiable information (PII) that correlates with the PHI, Baker says. More health companies are connecting APIs into health applications, which collect patient data to send to physicians. The loss of PHI is “pretty catastrophic,” he adds, citing the penalties and fines associated with it.

Nearly 75% of healthcare program submissions involve website targets, Baker says, a large majority compared with IoT (4.8%), Android (3.6%), and API (3%). About 42% fell in the P3-level criticality, 12.2% were classified P1 (highest severity), and 11.3% classified P5 (lowest severity).

P3 vulnerabilities are considered to be medium severity, he explains. They don’t necessarily relate to PHI or PII disclosure, but they relate to details of the app itself. These bugs might involve cross-site scripting or request forgery; they’re often found in Web-facing technologies. When multiple P3s are chained together, it can lead to potentially severe consequences.

While the trend toward crowdsourced security indicates healthcare organizations are investing in finding vulnerabilities, Baker says they also need to strengthen their ability to fix the vulnerabilities they find.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/industry-insight-checking-up-on-healthcare-security/d/d-id/1335212?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

UK watchdog fined firms £3m for data breaches last year – before its GDPR balls dropped

The Information Commissioner’s Office issued £3m worth of fines for data breaches in the year to April 2018 – a mere fraction of its recent proposed GDPR-enabled penalties on British Airways and Marriott.


The UK data watchdog’s annual report for 2018/19 (PDF) reveals that it imposed a financial slap on the wrist on 22 occasions.

That includes the £500,000 fine against Equifax for its security debacle affecting the personal data of up to 15 million UK residents, and the same amount against Facebook over its data-harvesting scandal that affected an estimated 87 million users.

Under the UK’s Data Protection Act 1998, the maximum fine was £500,000. But since the EU’s GDPR came into force on 25 May last year, companies are now liable to a penalty of up to 4 per cent of global annual turnover.

Just this week, the ICO flexed its GDPR enforcement muscles for the first time. British Airways is facing a record fine of £183m for last year’s data leakage (1.5 per cent of its turnover), and yesterday it was revealed that hotel chain Marriott could be stung for £99m (3 per cent).

Although GDPR powers were in place during 2018/19, an ICO spokesman said none were used in that period due to the time it takes to investigate breaches.


Though last year’s fines might seem small, they are an increase on 2017/18, when the ICO issued just 11 fines totalling £1.3m.

During 2018/19, the ICO also issued 23 monetary penalties under the Privacy and Electronic Communications Regulations (PECR), for nuisance calls and messages, totalling over £2m.

In a foreword to its annual report, Information Commissioner Elizabeth Denham said: “The ICO has covered an enormous amount of ground over the last year – from the introduction of a new data protection law, to our calls to change the freedom of information law, from record-setting fines to a record number of people raising data protection concerns.

“The biggest moment of the year was the General Data Protection Regulation (GDPR) coming into force. This saw people wake up to the potential of their personal data, leading to greater awareness of the role of the regulator when their data rights aren’t being respected. The doubling of concerns raised with our office reflects that.”

Other large fines included a £385,000 penalty against Uber, relating to a security incident affecting the personal data of 2.7 million users and 82,000 drivers, and a £325,000 fine against the Crown Prosecution Service for losing unencrypted DVDs containing recordings of police interviews.

It also slapped Yahoo! UK Services Ltd with a £250,000 penalty relating to a breach affecting the data of approximately 500 million users worldwide.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/10/ico_fined_businesses_3m_last_year/

10 Ways to Keep a Rogue RasPi From Wrecking Your Network

A Raspberry Pi attached to the network at NASA JPL became the doorway for a massive intrusion and subsequent data loss. Here’s how to keep the same thing from happening to your network.

Since 2011, engineers, students, and hobbyists have been using a small single-board Linux computer called the Raspberry Pi (or RasPi, for short). Many of these boards, roughly the size of a deck of playing cards, are in workshops and classrooms, but their capabilities have made them popular with corporate engineers and scientists looking to solve specific problems on a small budget.

But with that popularity has come the inevitability of RasPis being attached to corporate networks, with results that can be, well, problematic. For example, a report issued last month by NASA’s Inspector General on security at its Jet Propulsion Laboratory (JPL) cites a serious intrusion into the network — one that began in a vulnerable RasPi attached to the network without the approval or knowledge of the IT team.

There are now a dozen different RasPi versions, including the new Raspberry Pi 4, which includes models with up to 4 gigabytes of RAM and a powerful ARM processor. Even with the new specifications, RasPis start at $5 and top out at $55 per system.

If history is any indication, more individuals will decide they can solve problems without bothering with enterprise requisitions or approvals. So how can an enterprise security team protect the corporate network from these “rogue” RasPis? 

We’ve collected 10 possibilities to get you started, five aimed at applying protection to the network and five aimed at making the RasPi itself less vulnerable to intrusion. Implementing any one will make your network safer. Implementing all should go a long way toward ensuring that RasPis are good, safe citizens on your enterprise network.
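The JPL intrusion started from a board nobody in IT knew was there, so the first network-side step is simply finding out which Raspberry Pis are on the wire and which of them are on an approved list. The script below is an added example for that inventory check; it is not code from the Dark Reading piece or from NASA’s OIG report. It scans neighbour-table and DHCP-lease lines for MAC addresses whose OUI belongs to the Raspberry Pi Foundation or Raspberry Pi Trading, and treats the default Raspbian hostname as a weaker hint. The OUI list is the set of Raspberry Pi registrations I know of (verify it against the IEEE OUI registry before relying on it), and the approved-MAC inventory and the input lines are constructed. A Pi on a USB Wi-Fi dongle carries the dongle vendor’s OUI and a MAC can be spoofed, so hits are leads for the asset team, not proof, and misses are not clearance.

```python
"""Flag Raspberry Pi hardware in neighbour/DHCP data and check it against an inventory.

Added example: OUI list, inventory and sample lines are assumptions/constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# OUIs registered to the Raspberry Pi Foundation / Raspberry Pi Trading Ltd
# (assumption: confirm against the IEEE OUI registry; the list may grow).
RASPI_OUIS: Set[str] = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Matches aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff in any case.
MAC_RE = re.compile(
    r"\b([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})"
    r"[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_raspis(lines: Iterable[str], approved: Set[str]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per line that looks like a Pi, in input order."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in lines:
        m = MAC_RE.search(line)          # first MAC on the line is the hardware address
        if not m:
            continue
        mac = ":".join(g.lower() for g in m.groups())
        by_oui = mac[:8] in RASPI_OUIS
        # Default hostname of Raspbian images: weaker evidence, but it survives a USB adapter.
        by_name = "raspberrypi" in line.lower()
        if not (by_oui or by_name):
            continue
        ip = IPV4_RE.search(line)
        findings.append({
            "mac": mac,
            "ip": ip.group(1) if ip else None,
            "evidence": "oui" if by_oui else "hostname",
            "status": "approved" if mac in approved else "unapproved",
        })
    return findings


def unapproved(findings: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Pis that are not in the approved inventory: the ones to go and look at."""
    return [f for f in findings if f["status"] == "unapproved"]


# Constructed sample: three `ip neigh` lines, one dnsmasq lease line, one Windows `arp -a` line.
SAMPLE_LINES = [
    "10.0.0.9 dev eth0 lladdr b8:27:eb:00:11:22 REACHABLE",                     # Pi, in inventory
    "10.0.0.23 dev eth0 lladdr dc:a6:32:aa:bb:cc STALE",                         # Pi 4, not in inventory
    "10.0.0.40 dev eth0 lladdr 00:50:56:9a:bb:cc REACHABLE",                     # VMware OUI, ignored
    "1562760000 00:1a:2b:3c:4d:5e 10.0.0.41 raspberrypi 01:00:1a:2b:3c:4d:5e",  # hostname hint only
    "10.0.0.50      b8-27-eb-99-88-77     dynamic",                              # Pi, not in inventory
]
APPROVED_MACS: Set[str] = {"b8:27:eb:00:11:22"}   # constructed inventory of sanctioned boards


if __name__ == "__main__":
    for f in unapproved(find_raspis(SAMPLE_LINES, APPROVED_MACS)):
        print(f"{f['status']:10} {f['mac']}  ip={f['ip']}  evidence={f['evidence']}")
```

Feed it the output of `ip neigh`, the DHCP server’s lease file, or switch MAC tables exported on a schedule, and alert on anything unapproved; pairing a hit with 802.1X or port-security logs tells you whether the board also got past network access control or was plugged into an unauthenticated port.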


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/iot/10-ways-to-keep-a-rogue-raspi-from-wrecking-your-network/d/d-id/1335146?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple