DevSecOps automation is at its most effective when humans lend a hand, according to cloud and enterprise security architect and research scientist Professor Gamini Bulumulle.
Speaking at the bustling (ISC)² Security Congress in Orlando, Florida, on Tuesday, Bulumulle said that while automation can tackle tedious tasks and deliver fast results, the errors it can still produce make it not completely reliable.
Automated security scans designed to detect vulnerabilities and misconfigurations can miss weaknesses. They can also deliver incorrect results and leave no clues as to how or why they have done so.
"Automation is great because it's fast, but do we have the right tools? Some of the tools I have seen give false negatives and false positives," said Bulumulle.
"With automated scanning there is no tool to go back and find out why you are getting false positives. When that happens, we have to have manual intervention to go back and figure it all out."
Bulumulle added that automated security controls aren't always fully automated, but rather can be semi-automated or require manual intervention.
Giving an example of an automated process that still requires manual intervention, Bulumulle said: "Say you want to install IPS behind your firewall to capture your data; once you install it you might have to reboot your file."
For Bulumulle, any security solutions that offer a quick fix at a low price are as real as horse feathers.
"Security is expensive, and it's time-consuming," said the professor.
According to Bulumulle, keeping an eye on the security incidents and events that are happening is hugely important to ensure security, but it's only worth doing if the data being gathered is put to good use.
"Constant monitoring is really important. The event log in data is the most underused resource in your organization. Someone has to go back and investigate."
Bulumulle said that DevSecOps LifeCycle automation is necessary for rapid software development but there is no silver bullet. He advocated some automation with the addition of two layers of manual verification.
"Peer review is really important. I'm a lazy proofreader so I always get someone to read my work."
Staring at screens all day is reducing the quality of our lives, according to award-winning journalist Catherine Price.
Delivering a keynote on day two of the (ISC)² Security Congress in Orlando, Florida, Price told a receptive crowd that by constantly checking their smartphones, people are damaging their productivity, creativity, relationships, memory, attention spans, posture, and sleep, and reducing their ability to focus and be present.
"Our phones are impacting our enjoyment of our lives," said the author of How to Break Up with Your Phone.
"There are mental effects of being on social media and seeking social affirmation all the time. You see this particularly with teenagers, but adults are certainly not immune to it.
"I hear from psychologists and pediatricians all the time about really disturbing spikes in anxiety, depression, even suicidal ideation, especially in teenage girls."
After examining the negative impact of going through life with your smartphone glued to your hand, Price gave a slew of practical tips on how to cut daily screen time.
Instead of simply setting screen-time limits, Price advised the audience to set positive goals.
"The point is not actually to spend less time on your phone; it's to spend more time on your life, on the things you care about," said Price.
"Ask yourself what you want to spend more time on, and then ask yourself how your phone habits are getting in the way of that."
Price said that while some people are losing hours each week to addictive "slot machine" apps like email, social media, and games, others are getting waylaid by bad habits, like constantly checking their news app.
Identifying when and why you reach for your phone can help you find other ways to meet your needs. Triggers can be situational—everyone around you is using their phone—or emotional.
"There's probably an emotional goal behind what you're doing," said Price. "Figure out what reward your brain is after and figure out another way to get the same result. So, if you're feeling lonely, actually call a friend."
She advised people to view their phones as distracting obstacles rather than objects of pleasure, and to remove any tempting apps.
"I don't have any pictures of my kid or my husband on my home screen, because I realized when I was doing that, I was associating my phone with people that I loved, which was making me want to be on my phone more."
Finally, Price advised turning off notifications on your phone and in your apps so that you can't be interrupted.
Attacks on integrity using AI and deepfakes, deployment of anti-surveillance technology and government interest in cybersecurity issues will be the main changes to the security industry next year, according to Forrester.
The analyst firm’s 2020 predictions claimed that “integrity attacks” such as deepfakes will go on to “cost businesses over a quarter of a billion dollars” as attackers use AI technologies like natural language generation and video AI to generate fake audio and video designed to fool users.
Also on the theme of AI, 20% of enterprise customers will prohibit the use of their data for AI, as more and more organizations will become selective about what data they give to their vendors, as they choose “to opt out of data sharing due to concerns about anonymization, privacy and accidental disclosure.”
Also on the theme of privacy, Forrester claimed that mass data collection “will drive a 15% growth in anti-surveillance technology” after corporate economic surveillance expanded in 2019, with consumers turning to anti-surveillance technology that conceals, distorts, or blocks public and private surveillance tools. These include: clothing that foils license plate readers, anonymized search engines, lockers for private deliveries, anonymous credit cards, VPNs, anonymization services and ad blockers.
In the same theme, the analysts predicted that companies will use the data they collect as a key reason to make acquisitions, allowing them to circumvent controls and regulatory oversight and weaponize data by using it to manipulate, subvert, or target populations. For example, if a company that owns personal data is acquired by a government-owned firm, the data will go on to be owned by a potential adversary.
In an email to Infosecurity, VP principal analyst at Forrester, Jeff Pollard, disagreed that there is a more “paranoid” perception to 2020, and while he continually “hears that the pace of innovation and change is accelerating” he believed it is an increased “awareness of the amplified consequences stemming from digitally dependent lives.”
Asked if we are on the verge of consumers and businesses taking privacy into their own hands, Pollard agreed, and said that “businesses need to think about privacy in terms of competitive intelligence. The more data companies collect about your employees – especially data gathered during the course of their work activities – the more those firms know about your company as well.”
He went on to say that one of the things that GDPR helped do is drive awareness of privacy for consumers. “After awareness, comes empowerment,” he said. “Individuals need to understand that limiting what data companies collect – even seemingly innocuous data – is the best approach for them.
“Because you can’t control what those companies do with that data, what insights can be derived from it, and as we note in our first prediction, that the company they agreed to share data with isn’t acquired by someone else with different ethical stances and use cases for that information.”
Finally, the analysts predicted that 2020 will be the year when a local government will seek disaster relief for ransomware damages. After a surge in ransomware attacks against local governments and municipalities in 2019, Forrester predicted that in 2020 a ransomware attack targeting a municipal system and causing significant disruption for citizens will lead one municipality to request disaster relief from the national government.
“This act will generate considerable public debate about the role national governments should play in assisting to cover the costs, disruption, and recovery from cyber-attacks targeting local governments.”
Thousands of websites and a national TV station have been taken out by a major cyber-attack in the eastern European nation of Georgia.
The former Soviet nation has been left reeling after the apparently coordinated attack led to the defacement of over 15,000 pages — many of which were replaced with a photo of former President Mikheil Saakashvili, and the words "I'll be back." Some 2000 were apparently forced offline completely.
Among those affected are the presidential website, non-government organizations, the courts, and numerous private companies, according to the BBC.
The outages and disruptions appear to be the result of attackers targeting web hoster Proservice, which reportedly claimed on Monday evening it had been able to recover around half of those sites.
Broadcasters Imedi and Maestro have also had services disrupted, with computers at the latter reportedly destroyed in the attacks.
It’s unclear what the motives for the attack are, although speculation has focused around Russia, which forced nearly all Georgian government sites and banks offline en masse during the 2008 war between the two nations.
Pro-Western former President Saakashvili ruled from 2004 to 2013, but now lives in self-imposed exile after being accused by Tbilisi of abuse of power, which his supporters claim is a politically motivated stunt.
"The scale of this cyber-attack is unprecedented, and Georgia will almost certainly have to face vast repercussions once the problem is resolved. However, the ‘I’ll be back’ signature is ominous, and I have no reason not to believe that they won’t be, unless the nation of Georgia makes some serious changes to their cybersecurity protocols,” argued Tim Dunton, Managing Director of Nimbus Hosting.
"This attack should act as a reminder to every nation, regardless of their size or wealth, that it is essential to invest in safe, secure IT servers and operate modern technology systems which are protected against the threat of any cyber-attacker."
Microsoft has warned that Russian state-backed hackers are targeting sporting and anti-doping organizations yet again in the run up to the next Olympic Games in Tokyo.
The group known as Strontium (aka APT 28, Fancy Bear), has been trying to infiltrate at least 16 national and international organizations, with some success, according to Tom Burt, Redmond’s corporate VP of security and trust.
“The methods used in the most recent attacks are similar to those routinely used by Strontium to target governments, militaries, think tanks, law firms, human rights organizations, financial firms and universities around the world,” he explained.
“Strontium’s methods include spear-phishing, password spray, exploiting internet-connected devices and the use of both open-source and custom malware.”
It’s unclear what the hackers hoped to harvest, but Burt noted that the attacks, which spanned three continents, began on September 16, just before reports emerged that Russia could be facing expulsion from the Olympics and other major sporting events over continued doping irregularities.
The World Anti-Doping Agency (WADA) claimed last month that critical data had been deleted from a database by the Russian authorities, before it was handed over to the agency as a pre-condition of the country being reintegrated into the global sporting fold.
Russian athletes have been banned for the past three years from competing on the world stage after a state-sponsored doping operation was uncovered.
It could be that the hackers are looking for evidence of doping by other countries, to help its cause. The group is said to have published medical records and emails taken from sporting and anti-doping organizations in 2016 and 2018, resulting in a 2018 indictment in federal court in the United States.
“We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet,” Burt argued. “We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.”
Microsoft urged organizations to put in place two-factor authentication on all business and personal accounts, train staff in how to spot phishing schemes, and enable security alerts about links and files from suspicious sites.
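The "password spray" technique Burt lists is cheap for the attacker and easy to miss if failures are only counted per account, because each account sees just one or two attempts. The following is an added example, not Microsoft's or Strontium's tooling, that runs the defender-side check over a constructed authentication log: it flags a source that fails against many distinct accounts with only a couple of attempts each inside a short window, and deliberately does not flag a source hammering one account, which is a brute-force pattern for a separate rule. The log format, the thresholds and the addresses (RFC 5737 documentation ranges) are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log in a simple syslog-like format (not real data).
# 203.0.113.7 tries one password against many accounts: the spray pattern.
# 198.51.100.9 hammers a single account: classic brute force, not a spray.
# 192.0.2.5 is a user who mistyped once and then succeeded.
SAMPLE_LOG = """
2019-09-16T08:00:01Z auth FAIL user=alice src=203.0.113.7
2019-09-16T08:00:03Z auth FAIL user=bob src=203.0.113.7
2019-09-16T08:00:05Z auth FAIL user=carol src=203.0.113.7
2019-09-16T08:00:07Z auth FAIL user=dave src=203.0.113.7
2019-09-16T08:00:09Z auth FAIL user=erin src=203.0.113.7
2019-09-16T08:00:11Z auth FAIL user=frank src=203.0.113.7
2019-09-16T08:00:02Z auth FAIL user=admin src=198.51.100.9
2019-09-16T08:00:04Z auth FAIL user=admin src=198.51.100.9
2019-09-16T08:00:06Z auth FAIL user=admin src=198.51.100.9
2019-09-16T08:00:08Z auth FAIL user=admin src=198.51.100.9
2019-09-16T08:00:10Z auth FAIL user=admin src=198.51.100.9
2019-09-16T08:00:12Z auth FAIL user=admin src=198.51.100.9
2019-09-16T08:00:14Z auth FAIL user=admin src=198.51.100.9
2019-09-16T08:00:16Z auth FAIL user=admin src=198.51.100.9
2019-09-16T08:01:00Z auth FAIL user=grace src=192.0.2.5
2019-09-16T08:01:20Z auth OK user=grace src=192.0.2.5
""".strip().splitlines()

# Assumed log line shape: "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # a production parser would count unparsed lines as a health metric
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag each source that, inside a sliding window, fails logins for at least
    min_users distinct accounts while never exceeding max_per_user attempts on any
    one of them. The per-user cap is what separates spraying from brute force."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)

    alerts = []
    for src, fails in by_src.items():
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(f["user"] for f in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best["users"]):
                    best = {
                        "src": src,
                        "users": sorted(per_user),
                        "first": fails[start]["ts"],
                        "last": fails[end]["ts"],
                    }
        if best is not None:
            alerts.append(best)
    return alerts


def run_on_sample():
    """Run the detector over the constructed log above."""
    return detect_password_spray(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_on_sample():
        print(alert)
```

The thresholds are the tuning knobs: lowering `max_per_user` to 1 catches only the purest sprays, while raising `min_users` reduces noise from help-desk resets. Because the detector groups by source address, an attacker rotating through many addresses will split below the threshold; correlating on the attempted password hash or on the user-agent, where the identity provider logs them, is the usual next step.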
Apparel site Sixth June has become the latest brand to suffer a digital skimming attack on its website, according to a security researcher.
RapidSpike systems developer and researcher “Jenkins” took to Twitter yesterday to claim the firm had a live Magecart payment skimmer actively stealing customer card details.
The Paris-based fashion retailer is said to have hundreds of thousands of social media followers, with its designs sold through ASOS, USC and other outlets.
The incident calls to mind an alert raised by another security researcher late last week. Willem de Groot from Sanguine Security claimed that Procter & Gamble’s First Aid Beauty brand had been infected with a payment skimmer since May 5.
This attack is more sophisticated than usual, with the malicious code not activating for non-US visitors, or if the user is running Linux, as many researchers do, he explained.
“I reported the breach to their executives and support team last week, but have yet to receive a reply,” de Groot tweeted last Friday. “FirstAidBeauty was bought last year for $250M. P&G decided to not integrate their new acquisition, which they may regret now.”
Yossi Naar, co-founder of Cybereason, said the Magecart incidents are a “stark reminder” that breaches will always happen.
“In an attempt to at least level the playing field, companies need to immediately pay more attention to post-breach detection and mitigation and assume they will be breached and start protecting their data accordingly,” he added. “A few simple steps include encrypting all data that is deemed sensitive, limiting employee access to networks and reducing large collections of data in widely accessible systems.”
Online brands would be well-advised to get a handle on Magecart: BA was famously fined £183 million for security failings which led to the skimming of card data on around 500,000 customers.
The ninth annual (ISC)² Security Congress got off to a flying start with a lesson in handling pressure from retired pilot captain Chesley "Sully" Sullenberger.
Sullenberger famously landed US Airways Flight 1549 in the Hudson River on January 15, 2009, after both engines were disabled by a bird strike. While the Canada geese that struck the plane didn't live to see another day, incredibly, everyone on the plane survived.
The feat performed by Sullenberger and the flight's first officer, Jeffrey Skiles, on that cold winter day was even more remarkable since the only water-landing training they had undergone was a theoretical discussion of how it might be done.
Sullenberger began his keynote by paying tribute to Jeff, the crew, and the first responders, emphasizing that "a successful outcome requires the efforts of many people."
He then described the terrifying events of that fateful day, which unfolded over just 208 seconds. Sullenberger said a lifetime of preparation was what enabled him to deal with the genuine life-or-death situation he encountered.
The former pilot, now aged 68, paid tribute to his grandparents, who imbued him with a "lifelong love of reading and learning."
He entreated the gathered crowd to "never stop investigating" and to "change before you're forced to"—to embrace innovation and change so they are better able to handle adversity.
Sullenberger added: "As the pace of change accelerates, most of us can't get through our entire working lifetime with just one skillset. Instead, we must keep on learning, growing, stretching ourselves."
The husband and father of two credited his grandparents and parents with teaching him that with any authority comes responsibility, a lesson that was ground in even deeper during his US air force training.
Sullenberger underlined the importance of civic responsibility for normal life to function, saying: "If we didn't give each other these little gifts of civic behavior, civilization wouldn't be possible. Everyday activities we take for granted, like driving down the highway, would be suicidal if we didn't."
Other key takeaways from Sullenberger's keynote were that decisions "must be based on facts, not fears, and certainly not falsehoods," and that leaders should lead through personal example.
Sullenberger finished by saying that his colleagues had observed the way he lived his life, helping people and sticking to his core values.
"It turned out my reputation had been built one interaction, one person, one day at a time."
He asked people to take the opportunity each encounter with another person provides to do good.
Cybersecurity professionals from all over the world have descended on Florida for the ninth annual (ISC)² Security Congress.
(ISC)² is the world's largest non-profit membership association of certified cybersecurity professionals, with 140,000 certified members.
The action will unfurl at Walt Disney World's Swan and Dolphin Resort in Orlando from October 28 to 30, and Disney Institute's Holly Hoffman will be giving one of the conference's five keynote addresses.
Over three days, 250 speakers will deliver 175 sessions tackling 18 carefully chosen topics, which include Internet of Things (IoT), cybercrime, privacy, and security automation.
Last year's event, held in New Orleans, attracted over 2,000 visitors. This year's conference will be the largest in the association's 30-year history and is expected to attract over 2,500 attendees from 70 different countries.
The theme of this year's conference—"Enrich. Enable. Excel."—focuses on bringing together leading cybersecurity professionals to advance best industry practices.
The majority of speakers chosen to share their wisdom are credentialed professionals who are active in the cybersecurity industry. Men dominate, making up 76% of the program.
Featured sessions include a panel discussion on "Diversity, Equity, and Inclusion: How to Create a Winning Security Company Culture" and an in-depth look at an emerging identity management model in a talk entitled "The Future of Digital Identity in the Era of Digital Transformation."
This conference is the ninth such affair put on by (ISC)². It will be closed on Wednesday evening with a keynote by retired former US Special Forces commander Admiral William H. McRaven, who will share his experiences as a leader and give out tips on how to be resilient.
(ISC)² COO Wesley Simpson said: "Security Congress is a chance for our members, as well as the larger cybersecurity community, to come together and share best practices while learning from experts about the emerging issues that are impacting security organizations globally.
"The content and speakers we've aligned this year rival the premier cybersecurity conferences in the industry, and we're excited to welcome attendees from both near and far to come together as a community and learn in a world-class setting."
Speaking on the opening day of the ninth annual (ISC)² conference in Orlando, Florida, cyber-risk strategist Chris Veltsos said that CISOs need to change their mindset when it comes to communication.
Veltsos, aka Dr.InfoSec, said CISOs are bamboozling boards with "techno babble" and failing to explain in real terms what could happen to a business in the event of a cybersecurity attack.
In an hour-long presentation entitled "5 Ways to Improve Your Cyber Risk Communications," Veltsos told a packed room: "The mindset of cybersecurity professionals is that business leaders need to learn more about our work. Nah-uh. We work for them. Remember that.
"Think of yourself as a translator. Find analogies that have nothing to do with IT or cybersecurity and explain how a cybersecurity threat could create problems for the whole organization."
Veltsos implored security professionals to be mindful of their language when communicating with colleagues who do not have a technical background.
"We have to make it so that people look forward to having conversations with us rather than thinking 'oh no, it's the IT guys.'
"As security professionals, we tend to use a lot of warlike language, and that doesn't always resonate well with others, so it's something you should avoid. We need to map our language to something that's important to them."
CISOs also need to be careful when selecting what information to present.
Veltsos said: "Pick the right level of granularity. Leave out the unnecessary details and use only good information. Get the tone and the language right and think about timing, especially if you are giving bad news or asking for money."
Asked what CISOs can do outside of work to improve their communication skills, Chris Veltsos told Infosecurity Magazine: "Join Toastmasters or if that's not available, there's actually a tech version called Techmasters in some cities. I would also say challenge yourself to do more public speaking and to do more writing and you will grow tremendously just from pushing yourself outside of your comfort zone.
"Because cybersecurity or IT is in our fabric, we just kind of exude that all the time instead of being humans and relating on a human level, using general statements that are not IT security focused and asking questions like, 'Hey, what did you do for fun this summer?'
"If you're too much of a techie, you might need some coaching on how to approach people outside of work."
The BBC has launched a Tor-based version of its news website, to help circumvent state efforts to censor the free flow of information around the world.
Countries such as Russia, China, Iran and Vietnam have tightened efforts over recent years to monitor and control what their citizens can access online.
However, Tor, short for The Onion Router, offers an anonymous way for individuals and business users to bypass such controls. Developed by the US Navy in the 1990s, it routes data in highly complex patterns across the internet via “nodes” hosted by volunteers.
Encryption is applied at each layer to maintain user anonymity, so a website receiving a request sees only the exit node’s address rather than the user’s.
As well as enabling users to visit regular websites anonymously, Tor allows sites to be hosted at non-indexed, or dark web, addresses ending in .onion. Perhaps the biggest benefit of this is that a .onion address only resolves inside a Tor browser, so users cannot accidentally reach such a site without Tor.
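The layering described above is easier to see in code. The following is an added example, not the BBC's or the Tor Project's code: a three-relay circuit simulated in the standard library, where the client wraps a request in one layer per relay and each relay can strip only its own layer. A toy HMAC-SHA256 keystream cipher stands in for Tor's real relay encryption, the relay names and keys are constructed, and circuit setup, key negotiation, directory lookups and the .onion rendezvous protocol are all left out; what remains is the property the text relies on, namely that each relay learns only its neighbours and the site sees only the exit.

```python
import hashlib
import hmac
import os

CLIENT = "client"
DEST = "news.example"  # constructed destination name, not a real site


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. It stands in for Tor's
    # AES-based relay encryption so the script runs with only the standard library.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: random nonce followed by plaintext XOR keystream."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def unseal(key: bytes, blob: bytes) -> bytes:
    """Strip one layer with the matching key; a wrong key yields pseudo-random bytes."""
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(path, keys, request: bytes) -> bytes:
    """Client side: wrap the request innermost-first, one layer per relay.
    Each layer carries only the name of the *next* hop, so a relay that peels
    its layer learns where to forward and nothing about the hops beyond."""
    onion = request
    next_hop = DEST
    for relay in reversed(path):
        # Relay names never contain "|", which is the field separator.
        onion = seal(keys[relay], next_hop.encode() + b"|" + onion)
        next_hop = relay
    return onion


def route(path, keys, onion: bytes):
    """Relay side: each node peels exactly one layer with its own key and records
    the only two things it can observe, the previous hop and the next hop."""
    trace = []
    prev, current = CLIENT, path[0]
    while True:
        plain = unseal(keys[current], onion)
        next_hop_b, _, onion = plain.partition(b"|")
        next_hop = next_hop_b.decode()
        trace.append({"relay": current, "sees_from": prev, "sees_to": next_hop})
        if next_hop == DEST:
            # The exit relay forwards the bare request; the site sees the exit's address.
            return trace, {"request": onion, "source_seen_by_site": current}
        prev, current = current, next_hop


def demo():
    # Constructed per-relay keys; real Tor negotiates a fresh key per circuit hop.
    keys = {"guard": b"G" * 32, "middle": b"M" * 32, "exit": b"E" * 32}
    path = ["guard", "middle", "exit"]
    onion = build_onion(path, keys, b"GET /news HTTP/1.1")
    return route(path, keys, onion)


if __name__ == "__main__":
    trace, delivered = demo()
    for hop in trace:
        print(hop)
    print(delivered)
```

Running `demo()` shows the guard seeing `client` and `middle`, the middle seeing `guard` and `exit`, the exit seeing `middle` and the destination, and the site seeing only `exit` as its source. The same structure is why the exit relay, which handles the plaintext request, is the place where end-to-end TLS still matters: the onion layers protect routing metadata, not the content the exit hands to the website.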
“The BBC World Service's news content is now available on the Tor network to audiences who live in countries where BBC News is being blocked or restricted,” the BBC said in a statement. “This is in line with the BBC World Service mission to provide trusted news around the world.”
Foreign language services including BBC Arabic, BBC Persian and BBC Russian will be available via the new service, hinting at some of the regions that are affected most by state-level censorship.
The announcement highlights the benefits of the dark web to many users around the world, including rights activists, journalists and ordinary citizens who may otherwise be persecuted by authoritative regimes.
It’s a counterpoint to most news about such sites, which focus on the dark web marketplaces for drugs, weapons and other illegal goods.
Italian bank UniCredit has identified a breach of its IT systems affecting millions of customer records, according to breaking reports.
The lender confirmed on Monday that a file created in 2015 containing three million records relating to Italian clients had been involved in the incident.
However, no details which could give hackers access to these customers’ bank accounts or payment information had been accessed, according to Reuters.
That’s in contrast to a major 2016 breach disclosed two years ago in which 400,000 customer records were accessed by attackers in September and October. They were only discovered around nine months later.
Since that time, Italy’s largest bank by assets claimed that it has “invested an additional €2.4bn in upgrading and strengthening its IT systems and cybersecurity,” according to the report.
Time will tell on the significance of the data exposed in the newly reported breach, and whether GDPR investigators will seek to punish the firm.
UniCredit is by no means the only bank to be singled out for attention. The financial services sector is a popular target for cyber-criminals: data compiled by Bitglass last year claimed US lenders suffered three times more data breaches in the first six months of 2018 than during the same period in 2016.
These included an insider theft of 1.5m customer details at SunTrust Bank.
Despite financial services firms spending a great deal on cybersecurity, the average cost of cybercrime for the sector increased by over 40%, from $13m per firm in 2014 to $18m in 2017. By contrast, the average cost per firm for other sectors is just under $12m, according to Accenture.
In the UK, regulator the Financial Conduct Authority (FCA) saw the number of data breaches reported to it grow by 480% from 2017 to 2018.
Adobe has become the latest big name to expose customer details via a misconfigured database, after researchers discovered nearly 7.5 million accounts via an online search.
Security researcher Bob Diachenko teamed up again with Comparitech to find the Elasticsearch database, which was left online without any password protection.
That meant they could access millions of Adobe Creative Cloud customer records, which it is estimated had been exposed for around a week when the snafu was discovered on October 19.
Although the exposed information wasn’t particularly sensitive, it still contained enough details to be used in potential follow-on attacks, including: email address, account creation date, subscription status, which Adobe products were used, member IDs, country and payment status.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” wrote Comparitech privacy advocate, Paul Bischoff.
“The information does not pose a direct financial or security threat. No credit cards or other payment information was exposed, nor were any passwords.”
Adobe Creative Cloud is a set of subscription services which offer graphic design, video editing, web development, photography and other capabilities. Some estimates claim it has around 15 million users, meaning nearly half of those may have been exposed in the privacy snafu.
However, it’s nowhere near the scale of the breach suffered by the firm several years ago, when 38 million customers had to have their passwords reset following a major data theft.
To the firm’s credit, it appears to have secured the Elasticsearch instance on the same day it was informed something was wrong by Diachenko.
Adobe has something of a dubious reputation in the cybersecurity world, thanks to the persistent threat posed by vulnerabilities in its Flash product, which is now blocked by default on most browsers.
The city of Johannesburg has shut down its entire computer network after being targeted by a Bitcoin ransomware attack.
According to The Times, South Africa's commercial capital was hacked by a threat group called the Shadow Kill Hackers Group. The city closed down its website and all digital services on Thursday night after several employees received a ransom note from the threat group.
Shadow Kill Hackers Group are threatening to expose sensitive information by uploading it to the internet unless a ransom of 4 Bitcoins—roughly USD 34,000—is paid before 5:00 pm on October 28.
The ransom note reads: "All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information."
Before imploring the city to "have a nice weekend," the threat group writes: "If you pay on time, we will destroy all the data we have, and we will send your IT a full report about how we hacked your systems and your security."
The city took to Twitter to report the breach, stating just after 11 pm that it had detected a network breach that resulted in unauthorized access to information systems.
The city wrote: "The incident is currently being investigated by City of Joburg cyber security experts, who have taken immediate and appropriate action to reinforce security measures to mitigate any potential impacts. As a result, several customer facing systems—including the city’s website, e-services, billing system—have been shut down as a precaution."
E-services affected by the shutdown include online billing services and online customer care services. Emergency calls have been diverted to the Provincial Call Centre.
An investigation into the attack has been launched and is expected to take 24 hours.
The city apologized for any inconvenience caused and stated that it would provide residents with an update on the ongoing ransomware attack every four hours.
Five South African banks, including Standard Bank and Absa, reported internet issues at the time of the Shadow Kill Hackers Group Bitcoin ransomware attack. It is not known yet whether the issues are related to the attack.
An app used by drivers to cut the cost of fuel has suffered a data breach that allowed users to view the personal information of other customers.
Names, email addresses, cell phone numbers, and dates of birth were exposed following the breach of the 7-Eleven fuel app, which occurred on Thursday. The app, which has been downloaded two million times, was taken offline for several hours while 7-Eleven worked on coming up with a fix.
The company was alerted to the breach by a male customer who was able to access the personal information of several other users after logging into the app.
The customer, who wished not to be named, reported being able to see information relating to other customers, including the amount of money they had in their accounts.
According to The Guardian newspaper, the customer logged in and out several times, and was able to view the personal information of other users with each fresh login.
The 7-Eleven fuel app uses a customer’s current location and real-time fuel-price data to help drivers find the best local gas price at their five closest 7-Eleven stores. Users can search for the best price, then lock it in by paying for their gas in advance.
After being taken down on Thursday afternoon for what 7-Eleven described as "maintenance," the app was brought back online at 5:30 pm.
A 7-Eleven spokesperson said: "The 7-Eleven Fuel App experienced a technical issue. The issue has been resolved, and the 7-Eleven Fuel App is now online for all customers. We are continuing to investigate and have informed the relevant authorities."
Based in Irving, Texas, 7-Eleven operates, franchises, and/or licenses more than 69,000 stores in 17 countries, including 11,800 in North America.
The Japanese arm of 7-Eleven had to shut down its mobile payment app in July of this year following a data breach that impacted around 900 customers and resulted in fraudulent transactions totaling more than $500,000.
An investigation was prompted following a customer inquiry on July 2 regarding unauthorized charges. The company discovered that hackers had accessed the customer's 7pay app and impersonated the authorized user to make fraudulent purchases using the bank card details stored in the app.
Commenting on the fuel app breach, Mark Noctor, VP EMEA at Arxan Technologies, said: "This breach highlights the need for companies to treat their application as the new 'real' endpoint that needs to be considered during the formation of a security strategy."
The United States Department of Health and Human Services has proposed amending laws around non-monetary donations in a bid to help doctors protect healthcare services from cyber-attacks.
The DHHS published proposed rules to update the regulatory Anti-Kickback Statute (AKS) safe harbors as well as exceptions to the Physician Self-Referral (PSR) Law, commonly known as the Stark Law, on October 17.
Among the proposed changes is a new safe harbor/exception that would make it legal for entities to make non-monetary donations of cybersecurity technology and related services to physicians.
Certain criteria must be met when making a donation, but, in general, the services that the safe harbor/exception would protect include risk assessments, installation of cybersecurity software, and cybersecurity or business continuity as a service.
As for technology, the changes would allow for the donation of software that can assist with malware prevention, business continuity, and encryption, but would not permit the donation of hardware.
Powering the proposed changes is the idea that making cybersecurity more accessible to all healthcare providers, regardless of their financial situation, will better protect patients and the healthcare industry as a whole in the face of a rising number of cyber-attacks.
The HHS Office of Inspector General (OIG), which published the AKS proposed rule, wrote: "We believe this proposed safe harbor could help improve the cybersecurity posture of the healthcare industry by removing a real or perceived barrier that would allow parties to address the growing threat of cyberattacks that infiltrate data systems and corrupt or prevent access to health records and other information essential to the delivery of healthcare."
OIG noted that the increase in interoperability and data sharing in the healthcare industry means that threat actors can launch large-scale attacks on multiple services by exploiting a single healthcare provider with poor cybersecurity.
OIG wrote: "The healthcare industry and the technology used to deliver healthcare have been described as an interconnected 'ecosystem' where the 'weakest link' in the system can compromise the entire system.
"Given the prevalence of protected electronic health information and other personally identifiable information stored within these systems, as well as the processing and transmission of this information and other critical information within a given provider’s systems as well as across the healthcare industry, the risks associated with cyberattacks may be most immediate for the 'weak links' but have implications for the entire healthcare system."
Former AWS software engineer Paige Thompson has been accused by prosecutors of the attack on the US bank and 30 other organizations. It’s said to have affected around 100 million US and Canadian customers and applicants of the financial institution, including consumers and small businesses.
Reports have hitherto focused on a misconfigured web application firewall (WAF) hosted by the bank in the AWS cloud as the main factor in the attack.
Specifically, Thompson is thought to have exploited this to conduct a Server-Side Request Forgery (SSRF) attack, tricking the WAF into running non-permitted commands, which allowed her to talk to the AWS “metadata” service and grab key credentials.
However, following the incident, security experts argued that AWS should be doing more to implement mitigations to help prevent SSRF attacks on its platform.
“The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it,” said Cloudflare’s Evan Johnson.
Now senators Ron Wyden and Elizabeth Warren have penned an open letter to the FTC, asking it to investigate if “Amazon’s failure to secure the servers it rented to Capital One may have violated federal law.”
It noted that while Google and Microsoft have both taken steps to protect customers from SSRF attacks, “Amazon continues to sell defective cloud computing services to businesses, government agencies and to the general public.”
AWS is likely to rebuff the claim, however, as it has argued in the past that, had Capital One not misconfigured its WAF, the SSRF attack would not have been possible.
In fact, SSRF is just one of several techniques that could have been used to gain access to the bank’s data, it has claimed.
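The dispute above turns on who is responsible for stopping a server-side fetch from reaching the instance metadata service. The following is an added example, not code from the article, AWS, Cloudflare or Capital One, showing the two controls each side is implicitly pointing at: an application-side destination check that refuses fetches into loopback, link-local and private ranges (the metadata service lives at the well-known link-local address 169.254.169.254), and a toy metadata endpoint that, like the header requirement GCP ("Metadata-Flavor: Google") and Azure ("Metadata: true") impose, answers only when a custom header is present, so a plain GET forwarded by an SSRF-vulnerable fetcher gets nothing. The header value "example", the hostnames and the address table are constructed for the demonstration.

```python
"""Egress controls against SSRF reaching a cloud metadata service (added example)."""
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a server-side fetcher acting on user-supplied URLs should never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",          # IPv4 link-local; cloud metadata services live here
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _normalise(addr):
    """Unwrap IPv4-mapped IPv6 so ::ffff:169.254.169.254 is checked as IPv4."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed_destination(url, resolve=socket.getaddrinfo):
    """Return True only if every address the URL's host maps to is public.

    `resolve` is injectable so the check runs offline in tests; in production
    the same test must be applied to the address actually connected to, or a
    DNS answer can change between check and use (rebinding).
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        try:
            infos = resolve(host, None)
        except OSError:
            return False
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not addrs:
        return False
    return not any(_normalise(a) in net for a in addrs for net in BLOCKED_NETWORKS)


def hardened_fetch(url, transport, resolve=socket.getaddrinfo):
    """Apply the destination check before any outbound request is made.

    `transport` is whatever actually performs the HTTP request; it is passed in
    so the example needs no network.
    """
    if not is_allowed_destination(url, resolve):
        raise PermissionError(f"refusing server-side fetch to {url}")
    return transport(url)


# --- toy metadata endpoint gated by a custom header (constructed) ------------
REQUIRED_HEADER = ("Metadata-Flavor", "example")   # GCP's real value is "Google"


def metadata_endpoint(headers):
    """Toy metadata handler returning (status, body).

    A request relayed by a fetcher that only forwards its own default headers
    never carries the custom header and is refused; the instance's own agent,
    which sets it deliberately, is served.  The credential is a placeholder.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get(REQUIRED_HEADER[0].lower()) != REQUIRED_HEADER[1]:
        return 403, ""
    return 200, "role-credential-PLACEHOLDER"


# Constructed DNS table standing in for getaddrinfo in offline runs.
_FAKE_DNS = {
    "api.partner.example": ["203.0.113.10"],        # public (TEST-NET-3)
    "metadata.internal.example": ["169.254.169.254"],  # link-local alias
}


def fake_resolve(host, port):
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"constructed: no record for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in _FAKE_DNS[host]]


if __name__ == "__main__":
    for u in ("https://api.partner.example/prices",
              "https://metadata.internal.example/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/"):
        print(u, "allowed" if is_allowed_destination(u, fake_resolve) else "blocked")
    print("forwarded GET ->", metadata_endpoint({"User-Agent": "price-fetcher/1.0"}))
    print("agent GET     ->", metadata_endpoint({"Metadata-Flavor": "example"}))
```

The destination check belongs in the application (or WAF) making the outbound request, since that is the only place the user-supplied URL is known; the header gate belongs in the platform, which is the point the senators' letter makes about Google's and Microsoft's services. Neither replaces the other: the first fails if the check and the connect see different DNS answers, the second fails if the vulnerable component lets the attacker control request headers.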
Security researchers are warning of an ongoing mobile-aware phishing campaign targeting the United Nations and various NGOs for Okta, Office 365 and Outlook account credentials.
The two domains hosting the phishing content have been live since March 2019, with most of the SSL certificates used valid in two main date ranges: May 5-August 3, 2019, and June 5-September 3, 2019, according to Lookout.
“The mobile-aware component found in this campaign is further proof that phishing attacks have evolved to target mobile devices,” the vendor explained.
“Mobile phishing has emerged as a source of increasing risk for enterprises, as the post-perimeter world and widespread adoption of bring your own device (BYOD) policies blurs the lines between personal devices and corporate networks, not to mention the expanded multi-channel threat surface presented by such devices and mobility as a whole.”
Those behind the campaign have also installed keylogging functionality to record keystrokes in the password field of the pages. This means that even if a victim, for some reason, decides not to hit the login button, the hackers will still have harvested their credentials.
At the time of writing, Lookout claimed that six of the SSL certificates used in the campaign are still valid, and targeting organizations including the UN World Food Programme, UNICEF, Heritage Foundation and the International Federation of the Red Cross and Red Crescent Societies.
Other organizations targeted in the campaign include the United States Institute of Peace, Concern Worldwide and UC San Diego.
A New Jersey man physically installed keyloggers on two rival companies’ networks in order to steal trade secrets, according to newly released court documents.
Ankur Agarwal, 45, of Montville, New Jersey, pleaded guilty to two counts of obtaining information from computers and one count of aggravated identity theft, and is now facing a potential maximum sentence of 12 years behind bars.
According to court documents, he physically entered the company premises in question and installed keyloggers onto computers in order to obtain usernames and passwords. Targeting specific employees, he was then able to exfiltrate sensitive data on emerging technologies being developed by the firms.
Agarwal also installed his PC and a hard drive onto the companies’ networks as part of his scheme.
He used the same modus operandi to hack both organizations, although in the case of the second company, he also hacked an employee account to create a physical access badge which then allowed him back on the premises to more easily recover the unauthorized devices he’d placed on the network.
Also stolen were thousands of documents containing personal information on employees, including one file with data on 50 senior executives.
As well as the jail time, Agarwal is facing a fine of $250,000, or twice the gross gain or loss from the offense.
The case highlights the need for joined-up security in organizations, of both the IT network and physical infrastructure. Often the two functions operate discretely, which can open up opportunities for bold cyber-criminals.
Similar arguments were made back in April when an alumnus at The College of St. Rose in Albany, New York, pleaded guilty to vandalizing equipment using a malicious USB device. He physically inserted the thumb drive into 59 Windows workstations, seven iMacs and “numerous monitors and digital podiums.”
A Montana healthcare provider that fell victim to a phishing scam has notified 129,000 patients that their personal information was exposed.
According to Flathead Beacon, Kalispell Regional Healthcare (KRH) informed all its patients by letter on Tuesday of the breach, brought about by a sophisticated cybersecurity attack that occurred in June.
As a result of the breach, the name, address, medical record number, date of birth, telephone number, email address, medical history and treatment information, date of service, treating and referring physicians, medical bill account number, and/or health insurance information of every patient was exposed.
The incident may have also made public the Social Security numbers of an estimated 250 patients.
In a statement released on Tuesday, KRH chief executive officer and president Craig Lambrecht wrote: "Although there is no indication that the information was misused, we have mailed notification letters to potentially-impacted patients to make them aware of the event and the steps they can take to protect their information.
"All notified patients are being offered complimentary fraud consultation and identity theft restoration services. In addition, the notification letters may also offer affected individuals 12 months of web and/or credit monitoring services at no charge, depending on what information was involved for that individual."
KRH uncovered the breach after learning that multiple employees had fallen victim to an email phishing scam, unwittingly providing their workplace email login credentials to threat actors.
Lambrecht wrote that after learning of the "highly sophisticated" attack, KRH immediately disabled the employees’ email accounts, notified federal law enforcement, and engaged digital forensic firm Kroll to launch an investigation into what happened.
Kroll found that unauthorized access to some patients’ information may have occurred as early as May 24. KRH advised patients to review account statements, report suspicious activity to the authorities, and, if necessary, place security freezes on credit files.
KRH employs more than 4,000 people across Kalispell Regional Medical Center, North Valley Hospital, and The HealthCenter and serves a population of 600,000.
Director of IT Melanie Swenson said that an annual threat assessment of KRH's IT system carried out by CynergisTek in autumn 2018 had ranked KRH as among the top 9% of healthcare organizations in the country for cybersecurity compliance.
With Yellowstone National Park, a thriving cowboy culture, and low levels of crime and pollution, Wyoming is well worth a visit, but the state's approach to protecting online privacy might dissuade some people from taking up residence.
Researchers evaluated each US state based on 20 key criteria, ranging from laws that govern how companies can use and disclose customer data to those that protect specific groups of people, including journalists, children, and employees.
Wyoming was found to meet just one of the 20 key criteria, which was that laws were in place to protect K–12 student information, such as grades and attendance records.
The Equality State stood out particularly for the lack of protection it offers journalists.
Researchers wrote: "While not all states have shield laws to protect journalists from exposing their sources, Wyoming is the only state that doesn’t even have a court precedent for doing so."
Wyoming's approach to protecting online privacy in the workplace in general wasn't great, with researchers noting that "companies are not required to dispose of users’ personal data after a set period of time, and employers are not barred from forcing employees to hand over passwords to social media accounts."
Idaho, Iowa, Pennsylvania, and Mississippi also fared badly in the study, with each of them meeting just 10% of the key online privacy criteria. In all of these states, companies and the government can retain users' personal data indefinitely without consequence.
Social media profiles are not protected from employers or schools under the law in Iowa, Pennsylvania, and Idaho.
At the other end of the scale, California met 75% of the online privacy key criteria and was the only state to mention an inalienable right to privacy in its state constitution.
The Sunshine State was also the only state to enact a law offering protection specifically to data gathered from the Internet-of-Things (IoT). The new law, which protects such data by ensuring manufacturers equip devices with appropriate security features, was passed in September 2018 and will go into effect in January 2020.