STE WILLIAMS

Healthcare organizations often overlook the part of their operations where they are most vulnerable. Supply chain attacks pose a greater threat than exposed medical devices, report researchers who have analyzed the industry’s risk since WannaCry hit in May 2017.

WannaCry may not have been built to target healthcare but the massive ransomware operation still left its mark on the industry, blocking National Health Service (NHS) trust hospitals from accessing patient records and forcing doctors to reschedule appointments and surgeries.

The profound effect on the healthcare industry prompted researchers at Trend Micro and the Healthcare Information Trust Alliance (HITRUST) to investigate healthcare network risks flying under the radar. They specifically looked into how supply chain cyberthreats, and exposed connected medical systems and devices, affected organizations’ security posture.

Connected medical devices demand scrutiny as cybercriminals can take advantage of their exposure to break into organizations, run botnets, take data, or launch ransomware attacks.

“There’s definitely more devices now, and wider exposure brings a greater landscape, greater aperture for attack,” says Greg Young, vice president of cybersecurity at Trend Micro. Confidentiality, integrity, and availability are always considered in device security but with healthcare devices, safety must be considered as well, he adds. It’s not a stretch to recognize an IoT attack on medical devices could cause physical harm to patients.

Diagnosing Supply Chain Threats

Industries like telecom, financial services, and consumer technology know all too well the risk of supply chain attacks. As healthcare relies more heavily on supply chain vendors, third-party service providers, and cloud-based systems, its organizations are also recognizing the risk.

Attackers can abuse third-party goods and services to steal confidential information, change data, install malicious software, introduce an unapproved function or design, or bring counterfeit devices into the organization. The risk of supply chain attacks in healthcare has grown along with the number of devices as attackers see an opportunity to manipulate them.

Researchers highlight several entry points an attacker can use to compromise a hospital’s supply chain. A key one is the device manufacturer; a hospital has no control over whether a device is tampered with during the manufacturing process. They also lack insight into the security of distribution centers, suppliers, software developers, and shipping companies.

“Globally, supply chain and counterfeit devices are an increased risk,” says Young. Older, harder-to-patch devices, many of which aren’t subject to protective inspections like a regular operating system, are a “stepping stone” into the rest of the IT environment.

The industry has started to buckle down on device security to prevent certain types of supply chain attacks. For example, the FDA now mandates Unique Device Identification codes for all medical devices. This code indicates a device’s version, model, manufacturing date and batch number, expiration date, and serial number. All this data is entered in a global, publicly accessible database so patients can check if a device is counterfeit.

Ransomware Down, Targeting Up

Researchers found cybercriminals are narrowing their focus on the healthcare space, opting for more focused attacks as opposed to broader campaigns.

Young points out how ransomware attacks on healthcare organizations steadily declined between October and December 2017. High-risk indicators of compromise (IoCs) dropped from 4,330 to 2,354 between November and December, and total IoC have also declined from October through December. The shift is a sign that attackers are changing tactics.

“The broad splashing of random kinds of attacks is down, but how much they’re targeted is definitely up,” he explains. The number of ransomware families has been growing since 2012, with a major spike from 29 families in 2015 to 247 families in 2016, and 327 in 2017.

Massive campaigns waste resources and are more likely to be tracked, says Young. Cybercriminals are using specific attacks to maximize their impact on each organization. For example, if they know an organization has a Windows 10 environment, they’ll use a Windows 10-based attack.

“My own belief is the level of targeted attack is increasing more rapidly than the granularity of defenses,” he notes.

Healing Healthcare Security

Young warns not to get too distracted by healthcare-specific needs. Patching, response capabilities, and monitoring are essential: “Those are the basics and the things almost everybody gets wrong today, but those are the high-impact areas,” he says.

It’s also important to pay attention to non-medical IoT devices entering the hospital, which could also prove a risk. Smart televisions in patients’ rooms, smartboards, or smart devices in labs that aren’t part of normal testing could all be a jumping-off point for attack.

Related Content:

• How to Build a Cybersecurity Incident Response Plan
• Unpatched Vulnerabilities the Source of Most Data Breaches
• How Security Can Bridge the Chasm with Development
• Misconfigured Clouds Compromise 424% More Records in 2017

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/perimeter/supply-chain-attacks-could-pose-biggest-threat-to-healthcare/d/d-id/1331468?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sears Holding Corp. and Delta Airlines disclosed major data breaches this week that — like a security incident involving several US gas pipeline companies just days ago — highlight the risk that businesses face from the growing ecosystem of third parties connected to their networks.

Sears on Wednesday announced that credit card information belonging to about 100,000 of its customers might have been improperly accessed as the result of a data breach at [24]7.ai, a third-party provider of online chat and support services to dozens of major companies.

The breach affects customers who made transactions online on Sears’ website between September 27, 2017, and October 12, 2017, the retailer said in a statement Wednesday.

Customers who used Sears-branded cards are not affected, and there’s no evidence to suggest that any of Sears’ own systems were accessed in the incident, the company said.

Delta also blamed [24]7.ai for exposing the names, addresses, card numbers, CVV numbers, and card expiration dates of potentially several hundred thousand customers. The breach affects anyone who manually completed a payment card purchase on any page of delta.com’s desktop platform between September 26 and October 12, 2017. Customers did not have to interact with [24]/7.ai’s chat tool to become infected, the company said.

Individuals who used Delta’s mobile app or its mobile website and those who used Delta Wallet to complete transactions are not affected. The malware in [24]7.ai’s platform “could only collect the information shown on the screen, so credit card information automatically populated by Delta Wallet functionality would have remained masked and not useable,” the company said.

Delta and Sears are the second set of companies to report a third-party-related security issue this week. Earlier, a breach at EDI services provider Latitude Technologies disrupted business communication services at four major US pipeline companies, prompting fears of broad vulnerabilities in the energy sector.

The incidents are symptomatic of the heightening risks organizations face from third parties providing various business services, says Stephen Boyer, CTO and co-founder of BitSight. With many companies essentially becoming a combination of outsourced services, risks from insecure third parties have grown significantly in recent years, he says.

He estimates that between 60% and 70% of all breaches currently result from third-party security failures. The trend is the result of organizations not properly vetting the security practices of partners and outside vendors when letting them access enterprise data and services, he says.

When the European Union’s General Data Protection Regulation goes into effect next month, organizations such as Delta and Sears will bear much greater direct responsibility for such breaches, Boyer notes. The mandate requires data controllers — or the data owners — to include specific requirements pertaining to data security in all contractual agreements with third-party processors.

“There is no question that third-party breaches are increasing,” says Fred Kneip, CEO of CyberGRX. He points to a recent survey from the Ponemon Institute, which found that 56% of companies have experienced a breach caused by an outside vendor — a 7% increase over the past year.

“The reason for this is pretty simple. Digital ecosystems are expanding and getting more complex. Turning to third parties to provide services is the way that business is done today,” he says. While strategic outsourcing can free up organizations to focus on their core business, there’s often a real trade-off when it comes to security, Kneip says.

“With expanding ecosystems comes an exponentially larger attack surface,” he says. At large enterprises, the number of vendors, partners and customers with access to the network can easily number in the thousands. All that attackers need is to find a single exploitable vulnerability in those trusted connections to gain access.

“The Sears and Delta breaches illustrate how intertwined our ecosystems are. If our attack surfaces are connected, our mitigation strategy should be too, and that means we need to start collaborating with each other more,” Kneip says.

Every organization is under cost pressure in their business, and outsourcing technology or services is a primary means of reducing cost, adds Tim Erlin, VP of product management and strategy at Tripwire. The adoption of cloud providers in recent years is an example of third-party outsourcing, and one of the ways a third party can be involved in an incident, he says.

“Organizations should look for ways to ensure that third-party suppliers are deploying and validating critical security controls,” Erlin says. “Ideally, this validation would occur through an audit function, but many organizations use contracts and surveys to assess their suppliers.”

Related Content:

• Four Gas Pipeline Firms Hit in Attack on Their EDI Service Provider
• Why Third-Party Security Is Your Security
• How To Succeed At Third-Party Cyber Risk Management: 10 Steps
• Happy Blame Someone Else Day

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop ITX and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/sears-and-delta-airlines-are-latest-victims-of-third-party-security-breach/d/d-id/1331470?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Several cybersecurity experts this week cautioned against underestimating the seriousness of a cyberattack on an EDI service provider that disrupted data communication services at four major US interstate gas pipeline companies in the last few days.

The attack does not appear to have interrupted gas pipeline operations or cause any damage to operational systems at any of the four organizations. So far there is no information on motive or whether the attack was targeted in nature or merely opportunistic. Even so, it would be a mistake to treat the attack with anything other than the most serious attention, say several security analysts.

“Due to interdependencies in the energy sector organizations should be extremely concerned,” says Tom Kellermann, chief cybersecurity officer at Carbon Black. “Attacks like these create systemic risk and foreshadow nefarious campaigns.” 

Oneok Inc, Boardwalk Pipeline Partners, Energy Transfer Partners, and Eastern Shore Natural Gas had to discontinue using their Electronic Data Interchange system for communicating with customers following a cyberattack on Latitude Technologies, their third-party service provider, Bloomberg News reported Tuesday.

The attack did not impact any operational systems, and to date no customer data is believed compromised. Energy Transfer Partners and Eastern Shore Natural reported restoring EDI services Monday evening. A Boardwalk spokesman says customers are conducting business via a company customer activities website until EDI service is fully operational.

Oneok did not respond immediately to a Dark Reading request for a status update. But in a statement on its website, the company said it had temporarily disabled EDI services as a precautionary measure and had advised customers to use alternate communication methods for gas scheduling purposes.

Latitude — a subsidiary of Energy Service Group — alsodid not respond immediately to a Dark Reading request seeking more details on the attack and its efforts to restore impacted services. The company touts its EDI services as being used by dozens of interstate gas pipeline companies, energy marketers, data aggregators, and management firms to protect, translate and track key energy transactions.

The attack comes amid heightened concerns about government-sponsored actors in Russia and China targeting US organizations in critical infrastructure sectors. Just last month, the US government in a rare move, formally accused Russian operatives of targeting energy companies in the US while slapping sanctions on several of them.

Some executives, including Patrick McBride, a vice president at ICS security vendor Claroty, think what happened to Latitude most likely was financially motivated. Attackers may have been hoping to hijack Latitude’s network or systems and extort money from the company as happens with any ransomware attack. Another possibility is that they could have been hoping to find information of value they could monetize in the EDI streams.

The third, and most troubling, possibility is that they were hoping to find a way into the energy companies via a third-party network. “All of these industrial environments have vendors that support different aspects of the control system,” McBride says. Not all of those vendors “are driving their cars out to the pumping station or water treatment plant. They are logging in from a remote location,” which attackers can target, he says.

It’s not so much a matter of attacking EDI communications specifically. It’s more about looking for any open attack vector in which to gain a foothold for jumping into a broader network or set of critical systems adds Mike Kail, CTO at CYBRIC. “Think of it as squeezing through a pet door in order to gain access to an entire house and more valuable assets.”

Kellermann believes the attackers went after Latitude in order to gather information on the energy strategies and operational dependencies of organizations using the company’s EDI services. “This was the first stage of an attack campaign. This attack was focused on recon,” Kellermann says. “They are discerning the vulnerability of gas distribution networks to cyberattack. This is very concerning as a non-rational actor like a rogue regime might decide to light the cyber match.” 

The attack — and its impact on the four companies — is sure to prompt a greater review of the security risks posed by third-party support services in the energy sector as elsewhere. Networks belonging to suppliers, partners, and service providers typically have trusted access to enterprise networks but are very often far less protected. Unsurprisingly, attackers have repeatedly targeted these networks to try and gain access to their ultimate targets.

In fact, according to penetration-testing firm IOActive, almost three-quarters of attacks targeting industrial control systems have their initial point of entry via a third-party system. In penetration tests that the company has conducted within the energy sector, most often its testers have been able to break into a network via a third-party connector, according to Bryan Singer, director of security services at IOActive. 

In one instance, IOActive gained access into an industrial network at a refinery via old websites belonging to companies that the organization no longer even worked with. “And these attack paths bypassed most security controls such as IDS and firewalls,” he says.

Related Content:

• Industrial Safety Systems in the Bullseye
• Russian APT Compromised Cisco Router in Energy Sector Attacks
• 7 Deadly Security Sins of Web Applications
• Rise of Nation State Threats: How Can Businesses Respond?

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop ITX and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/perimeter/four-gas-pipeline-firms-hit-in-attack-on-their-edi-service-provider/d/d-id/1331458?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The popularity of cryptocurrency mining is giving  attackers a new reason to target and exploit your applications and the platforms that support them. They’ve ramped up their attacks against web servers and applications across the Internet, exploiting both new and old remote code execution vulnerabilities. The intent is to compromise servers and then install software designed to perform cryptocurrency mining on behalf of the attackers. This practice of taking over servers, enslaving system resources, and forcing them to mine for the attackers is known as cryptojacking, and it can be very profitable, given enough compute resources.

In late 2017, F5 threat researchers discovered Zealot, a Monero crypto miner that installed itself on vulnerable Apache Struts servers by making use of NSA-attributed EternalBlue and EternalSynergy exploits. Shortly thereafter, F5 threat researchers also discovered a Linux-based variant called PyCryptoMiner that spreads via the SSH protocol. Another variant called RubyMiner recently ran rampant on the Internet. In a 24-hour period, attackers reportedly attempted to compromise 30% of networks worldwide looking for vulnerable web servers and applications to recruit into their mining pools. To date, one of the most profitable cryptojacking botnets is Smominru, which has reportedly made its attackers $2.3 billion.

When people think of cryptocurrency, they immediately think of bitcoin, as this was the first and is still the most popular. However, bitcoin mining has become more challenging for attackers because it is now longer as profitable to mine bitcoin with standard components in servers and desktop computers. Today, it requires the use of graphic cards or, ideally, application-specific integrated circuit (ASIC) chips. This is why many attackers are now mining newer, alternative cryptocurrencies. An example is Monero, which can be successfully mined with any CPU; it doesn’t require ASICs.

Since attackers are not paying for their own resources and electricity, cryptojacking is 100% percent profitable for them. The more resources they can force to mine in their pools, the more money they generate. Even weak processors can be woven into mining pools to share their processing power. IoT devices are a ripe target because they are always on and are typically unmanaged systems, so the likelihood of these devices being discovered and then remediated is low.

Another risk is that attackers might modify a web application by injecting JavaScript miners, like Coinhive or another web-miner, into visitors’ browsers. The attackers are then able to leverage the compute resources of all website visitors for their own benefit. Within the last few weeks, there has been an aggressive text message-based campaign attempting to rope smartphones into crypto mining operations by luring users to click on a link that promises them free Bitcoins.

As data theft becomes less profitable for attackers (credit card data has recently sold on the black market for as little as $0.0003 per record), cryptocurrencies become a more attractive target for cyber-criminals. And that makes every application a potential target. The Internet is a great equalizer in that no application, no matter where it might be located, is immune. Attackers don’t discriminate by industry, either. Whether you’re a manufacturer in the American midwest or a large financial services organization on the east or west coast, you’re not safe from these attacks.

The best way to protect your environment from cryptojacking is by placing a web application firewall in front of all your applications. Then, look for the classic symptom of poor performance and dig in deeper from there.

Since cryptocurrencies are such a hot topic right now, threat intelligence teams around the world are actively looking for cryptocurrency mining bots and publishing everything they find, typically including Indicators of Compromise (IOCs). Security teams should be looking for those publications and making sure their networks are not communicating with any of the cryptocurrency mining command and control servers published in the IOCs.

Get the latest application threat intelligence from F5 Labs.

Travis Kreikemeier is currently a Field Systems Engineer for F5 Networks, covering many verticals of customers. He came to F5 from Hayneedle, an online retailer now owned by Walmart where he was the Director of IT Infrastructure. View Full Bio

Article source: https://www.darkreading.com/partner-perspectives/f5/cryptomining-fast-becoming-the-webs-most-profitable-attack-method-/a/d-id/1331421?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

There’s always been a troublesome rift between enterprise security teams and software developers. While the friction is understandable, it’s also a shame, because the chasm between these teams makes it all the more challenging to build quality applications that are both great to use and safe.

Why is the strife between security teams and software developers so acute? Essentially, it’s because both teams have, to a large degree, opposing goals. For security, it’s about ensuring that apps are not easily exploitable and reasonably secure versus, on the development side, creating new applications and features for existing ones. There’s no way to avoid the conflict between these two objectives, which reflect two very different and deep areas of expertise.

Another contributing factor is that today’s enterprise technology has shifted from a focus on IT and infrastructure to being driven by software. And, frankly, security hasn’t kept up with its out-of-date operations and infrastructure worldview, which has exacerbated the challenge.

The reality is that both software development and security are hard. The mindsets – breaker verses builder — are completely different. And we as security professionals need to take different approaches than we have in the past. Let’s take a deeper look at these challenges, and then how security teams can help close the gap.

Be transparent. Connect with members of the development team and take time to understand their own processes and objectives. Walk in with an open mind and simply ask for their help. Engineers love solving problems. Be open to letting them help with the solutions to software security issues. This allows you to work with — and not against — development teams and enlist them as part of a solution, not condemn them as part of the problem.

Keep it simple. Developers are our customers, and our job is to help provide a service that makes their jobs easier. Apply this idea to everything. From helping to automate interactions between teams to what policies are really required to how results are delivered.

No more OWASP Top 10. Forget tackling the entire OWASP Top 10 — at least not all at once. Consider focusing on your own OWASP Top 2. Concentrate upon diligently eliminating certain classes of vulnerabilities in your organization over time. This eliminates creating a horribly long, seemingly insurmountable, list of items that are typically delivered to software engineering. A shorter, focused list enables the development team to easily slip into small sprints and fix errors. It’s about quality, not quantity.

Deliver results development teams need. If your organization uses automated scanning tools to identify software flaws, then it is the security team’s job to ensure that results delivered to the team are free of false positives and are high quality. This applies to anything from static to dynamic scanning or bug bounty programs. Filter and eliminate as much noise as possible.

Hire engineers. Talent is always a tough thing to find, but when it comes to hiring experienced security employees, it is even harder. It’s almost impossible. So, instead look for talent in quality engineers, DevOps, and software development. It is 1,000% easier to teach security to this technical talent pool than to take a tools and operations security professional and teach them engineering. Security is a hot market, and I see a lot of interest from professionals in these groups to try to figure out how to move into cybersecurity.

Align goals. Keep in mind that most engineers want to write secure code and that they find security problems fascinating to solve. The challenge here isn’t personal; it’s often organizational and a lack of proper goal alignment. Too often there isn’t enough time and energy allowed to be invested in solving security problems. This is driven by the organization and company goals and not the fault of developers. So, the single most effective thing a CISO can do to close this chasm is to create and pitch a higher initiative for the entire company to rally behind. Such a pitch can be as simple as a vision that Quality Software = Performance, Functionality, and Security.

Building secure software is much needed in the world today and will continue to be so tomorrow. We have traditionally focused our priorities on technologies that patch, watch, or block because this is easier. This reasoning needs to evolve and get in line with current (and future) security needs — and that means building secure software and automation. Security needs to be more engineering focused, come to a better understanding of secure development, and make it a priority.

Related Content:

• Is Security Accelerating Your Business?
• Is Application Security Dead?
• 5 Ways to Get Ready for Public Cloud Deployment

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.Register with Promo Code DR200 and save $200.

Caleb Sima has been engaged in the Internet security arena since 1994 and has become widely recognized as a leading expert in web security, penetration testing and the identification of emerging security threats. His pioneering efforts and expertise have helped define the web … View Full Bio

Article source: https://www.darkreading.com/operations/how-security-can-bridge-the-chasm-with-development-/a/d-id/1331427?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

RSA today announced that it will purchase embedded behavioral analytics firm Fortscale in a move to enhance its RSA NetWitness Platform security monitoring family.

The security firm also unveiled a new version of NetWitness that encompasses Fortscale’s user and entity behavioral analytics (UEBA) features, as well as orchestration and endpoint support.

“Adding more security monitoring and prevention tools is a common response to the growing digital risk environment, but too often, the influx of data creates unattended alerts, overwhelming analysts,” said Michael Adler, vice president of the RSA NetWitness Platform. “The new UEBA and orchestration capabilities in RSA NetWitness Platform provide heightened visibility and analytics, allowing analysts to keep up with their SIEM data, investigate issues, and automate threat responses, all on a single integrated platform.”

Financial details of the deal were not disclosed. Read more about the acquisition here. 

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/perimeter/rsa-to-acquire-fortscale/d/d-id/1331462?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data belonging to most of Facebook’s 2 billion users could have been accessed without their consent, the social media company announced this week. As a result, it’s taking steps to restrict the amount of information accessible to outside parties by removing certain features.

The changes announced this week affect Facebook’s Events API, Groups API, Pages API, Facebook Login, Instagram Platform API, Call and Text History, Data Providers and Partner Categories, and App Controls. Starting April 4, 2018, for example, Facebook will need to approve all apps requesting access to data like photos, posts, check-ins, events, and groups.

One of the most critical changes affects Search and Account Recovery. Until April 4, users could search for people using their phone number or email address. This feature has been deleted following the realization malicious actors have abused it to scrape public profile data by submitting phone numbers and email addresses they already have through account recovery.

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” the company says. Facebook also reports the data of about 87 million people was taken by Cambridge Analytica without users’ consent. Most of those affected are in the United States.

The extent of changes demonstrates a shift in Facebook’s relationship with third-party apps, which could previously access users’ events, relationship statuses, and other information.

Read more details here.

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/application-security/facebook-most-profiles-likely-scraped-by-third-parties/d/d-id/1331463?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple