Killer hackers from North Korea!

Killer hackers from North Korea!

Imagine if you will, life in the post-apocalyptic world where the army of North Korean hackers have laid waste to humanity. The survivors live in the smoking craters that were once great cities and the last remnants of humanity fight for scarce resources against the race of mutated rats that have risen up after vats of Twinkie filling were released into the sewage system as part of a cyber attack…sweet merciful $deity I can’t even keep this up.

Today the BBC ran a piece about a North Korean defector that came to the west with tales of an elite hacker army of 6000 highly trained tool punks in the isolated county called Bureau 121. While I don’t doubt that they have some sort of group that engages in this sort of activity I can’t help but guffaw at the following,

From BBC:

“The size of the cyber-attack agency has increased significantly, and now has approximately 6,000 people,” he said.

He estimated that between 10% to 20% of the regime’s military budget is being spent on online operations.

“The reason North Korea has been harassing other countries is to demonstrate that North Korea has cyber war capacity,” he added.

“Their cyber-attacks could have similar impacts as military attacks, killing people and destroying cities.”

“Killing people and destroying cities”, got it. No sense of hyperbole there. Nope, not a shred. While I’m chuckling I realize that this is a person who has spent their life in an Orwellian state where the media is complete controlled. So, take it with the requisite amount of salt that it is due.

What Professor Kim does mention is a Stuxnet style attack. Strip away the hyperbole and rhetoric and what you have left is a plausible problem. Having spent just under a decade in power systems it comes as no surprise that these systems are susceptible to attack.

This serves as an excellent reminder that defenders need to be ever vigilant in their defence of control systems…well, and basically any network for that matter. The reason that glorified tool punks can finance their beanie boo collections is that there is a real short fall on patching and perimeter defence by organizations that need to do a better job of shoring up their protection.

Organizations need to do a better job of not acting like a guard on a tower saying “go away or I will taunt you again” and spend more time making it such that an attack against infrastructure won’t be successful. Don’t fall victim to the next, next, next attack and find yourself standing in the smouldering ruins of what was once a great society.

This article was written by Dave Lewis from CSO and was legally licensed through the NewsCred publisher network.

Red Bull scam will give your bank account wings

Red Bull scam will give your bank account wings

Most of the time, my spam folder sits unattended, filling up with unsolicited ads, bot-generated junk and phishing scams. The messages sit for a few days and are eventually trashed without eyes ever laid upon them. But occasionally I’ll pop over there to clear it out on my own, and when I do, I feel like a child on Christmas morning. So many fraudulent treasures and treats for my security-hardened eyes to feast upon!

Sometimes I will pick through and laugh and then delete. Other times I may forward one or two to my colleague, CSO Senior Writer Steve Ragan, to share a chuckle and then see what else he can dig up on the criminals. Today I received one scam that I just can’t resist bringing straight to you myself.

The subject line read “Red Bull job offer” and it claimed it was offering me the opportunity to make $600 a week simply for allowing Red Bull to place marketing decals all over my car.

Here’s a snippet of the message, unedited by me:

 Hello,

We are currently seeking to employ individual’s world wide. How would you like to make money by simply driving your car advertising for RED BULL.

How it works?

Here’s the basic premise of the “paid to drive” concept: RED BULL seeks people — regular citizens, professional drivers to go about their normal routine as they usually do, only with a big advert for “RED BULL” plastered on your car. The ads are typically vinyl decals, also known as “auto wraps, “that almost seem to be painted on the vehicle, and which will cover any portion of your car’s exterior surface.

Wow! What a great offer for a “regular citizen” like myself, huh?

Aside from all of the glaringly awful grammar and punctuation mistakes, I couldn’t help but be intrigued. Give up my day job as Editor-in-Chief of CSO to simply drive my car around? I’m sold!

But just to be sure, before I tender my resignation and sign on with Red Bull, I decide to do a little poking around. It turns out this scam has been making the rounds in inboxes around the country for a few years. And rather than receive hundreds of dollars for driving around in a tacky, decal-emblazoned car, apparently victims who fall prey are instead treated to an empty bank account.

Darn!

Here’s the gist: The scammers “offer” their victim hundreds of dollars a week to adorn their car in Red Bull decals and drive around. The scam kicks in when the person bites and they are sent a check – typically around $1500. The victim is instructed to cash it and then send a money order to a “decal wrapping company” which the criminals claim will go to your house and adorn your car with Red Bull decals. Of course, the check is bogus and the person who cashes it gets nothing, and loses out on any money sent to the fake wrapping company.

Red Bull is aware of the scam and even has an email address where you can report these fraudulent emails if you receive one.  It appears the scam has fooled many folks around the country because a quick search on Google reveals several people who have reported becoming victims to local news channels.

So, while I wont be giving up my day job anytime soon to become a Red Bull advertiser, I am reminded of a valuable lesson: If it seems too good to be true, it probably is.

Remember to always question offers and other types of requests for information over email – even those that seem legitimate. For more tips on recognizing email scams, check out our How to spot a phishing email guide.

This article was written by Joan Goodchild from CSO and was legally licensed through the NewsCred publisher network.

The unrelenting danger of unpatched computers

Why cybersecurity needs to be adaptive

Securing the enterprise is getting harder and harder. Infrastructure is rapidly becoming virtual, applications and workloads are moving to the cloud, endpoints are largely the property of the worker, and mobility has now become the norm. Add in the fact that businesses are rapidly becoming digital organizations where the reliance of IT is at an all-time high, and it’s easy to see why a security breach today is exponentially more damaging than just a few years ago.

However, despite the evolution of servers, networks, and storage, security really hasn’t kept pace and evolved along with the rest of IT. Security is fighting the good fight, but they’re working with Stone Age tools. It’s like in the Star Trek Original Series episode, The City on the Edge of Forever, where Kirk ordered Spock to construct a “mnemonic memory circuit using stone knives and bearskins.” No matter how smart the team is and how hard they work, security teams can’t keep up because the security technology hasn’t evolved.

The recent breaches into these high-profile organizations have made many business, IT, and security professionals question how they can keep up with a threat landscape that seems to be growing exponentially. After all, if those businesses can’t protect themselves with the amount of time, money, and people they throw at security, what chance do other organizations have to protect themselves from hackers? The fact is, they don’t. In fact, based on track record, the big brands that overspend don’t either.

One of the problems is that IT has changed so much over the past decade, whereas security really hasn’t. A decade ago, perimeter-centric security was sufficient as there was a single ingress/egress point for information moving into and out of the organization. A combination of firewalls, intrusion detection/prevention devices, and other edge devices were used to protect the perimeter. Today, everything has changed. Workers bring in personal devices that are used everywhere, including highly insecure public Wi-Fi, and then bring them into “secure” environments. Also, hackers are getting smarter. Why go through hours and hours of writing malware to break through a firewall when instead a hacker can get around it? As an example, a well-known retailer was breached when a partner network was hacked and gave access to the point-of-sale systems. Like most businesses, the retailer felt the partner network was secure and the connection was considered a “trusted” network. The flaw in the thinking was that trusted networks and systems just don’t exist. They never have, but they are now becoming entry points for hackers.

Another factor is just how the nature of IT has changed. More and more applications are moving to the cloud, causing businesses to allow branch offices to directly connect to the internet. Also, the number of workloads (virtual and bare-metal servers) is at all-time high. Migrating those workloads can also distribute malware to different parts of the environment. Public cloud services and software defined networking has certainly increased the agility of computing operations, but it can potentially increase the speed at which malicious traffic propagates throughout workloads.

The reality is that the attack surface that can be infected is exponentially larger today than it was just a few years ago, and it will continue to grow at that rate. Additionally, when a breach occurs, the “blast radius” of the attack can be enormous as so many systems are tied together today.

As the Internet of Things becomes more widely adopted and businesses continue to introduce more and more devices to the network, the level of complexity will continue to grow at a rate faster than security departments can keep up with. Adaptive security can mirror the environment and spin up, spin down, migrate, and evolve as things change.

I believe we’re just starting to see the evolution of security to be more agile, adaptive technology. This should finally give businesses a fighting chance to keep up with the bad guys.

This article was written by Zeus Kerravala from NetworkWorld and was legally licensed through the NewsCred publisher network.

IRS cut its cybersecurity staff by 11% over four years

IRS cut its cybersecurity staff by 11% over four years

The Internal Revenue Service, which disclosed this week the breach of 100,000 taxpayer accounts, has been steadily reducing the size of its internal cybersecurity staff as it increases its security spending. This may seem paradoxical, but one observer suggested it could signal a shift to outsourcing.

In 2011, the IRS employed 410 people in its cybersecurity organization, but by 2014 the headcount had fallen by 11% to 363 people, according to annual reports about IRS information technology spending by the U.S. Treasury Department Inspector General.

Data from the 2011 edition of the U.S. Treasury Inspector General’s Annual Assessment of the Internal Revenue Service Information Technology Program. MITS stands for the IRS’s Modernization and Information Technology Services Division.

Despite this staff reduction, the IRS has increased spending in its cybersecurity organization. In 2012, the IRS earmarked $129 million for cybersecurity, which rose to $141.5 million last year, an increase of approximately 9.7%.

This increase in spending, coupled with the reduction in headcount, is an indicator of outsourcing, said Alan Paller, director of research at the SANS Institute. Paller sees risks in that strategy.

“Each organization moves at a different pace toward a point at which they have outsourced so much that the insiders do little more than manage contracts, and lose their technical expertise and ability to manage technical contractors effectively,” said Paller.

Data from the 2014 edition of the U.S. Treasury Inspector General’s Annual Assessment of the Internal Revenue Service Information Technology Program. MITS stands for the IRS’s Modernization and Information Technology Services Division.

An IRS spokesman was not able to immediately answer questions about the IRS’s cybersecurity spending.

There is no apparent connection between IRS technology budget, staffing levels and the recently revealed data breach. The thieves used individual data, such as Social Security numbers collected from non-IRS sources, to access IRS records. The IRS has described the attack as “sophisticated” and it’s now under investigation.

This breach is drawing congressional scrutiny. On Tuesday, U.S. Senator Orrin Hatch (R-Utah), who heads the Senate Finance Committee, called the breach “unacceptable.”

The IRS’s total IT budget in 2014 was $2.5 billion, an increase from the prior year’s $2.3 billion, with 7,339 employees last year, little change from 7,303 reported in 2013.

The agency’s IT budget has fared better than the agency overall. Congress has been cutting spending at the agency. IRS funding has been reduced by $1.2 billion over the last five years, from $12.1 billion in 2010 to $10.9 billion this year. An IRS official told lawmakers earlier this year that the budget cuts have delayed critical IT investments of more than $200 million, which includes replacing aging IT systems.

“We still have applications that were running when John F. Kennedy was president,” said IRS commissioner John Koskinen earlier this year. He warned that the failure to upgrade systems exposes the IRS to “to more system failures and potential security breaches.”

The Center on Budget and Policy Priorities, a non-partisan research group, reported in April that the IRS budget had been cut 18% since 2010, when adjusted for inflation. Its headcount has declined from more than 94,000 to just above 81,000 over that period.

Positive signs for the future of cybersecurity

Positive signs for the future of cybersecurity

We often talk about the enormous challenges facing IT departments around the world. The consumerization of IT, driven by the BYOD trend and coupled with mobility, has given birth to a wide range of serious security threats. As the enterprise increasingly relies on the cloud to provide software, infrastructure, and platforms as services, safeguarding valuable company data is an entirely different prospect than it was even just a decade ago.

But for all the hurdles to overcome, there is mounting evidence that businesses no longer have their heads buried in the sand — or stuck in the cloud! There’s a growing realization that cybersecurity requires budgetary commitment, sincere collaboration, and a solid stratagem. If the enterprise can pull together, with government backing and the right expertise, we can build a bright future that’s secure from cybercriminals.

Money, money, money

We’re not going to solve the problem by throwing money at it, but it certainly helps, and it’s also indicative of a deeper understanding of the underlying threats and potential costs of a data breach.

The Ponemon Institute found the average cost of a data breach in 2014 was $3.5 million, a 15% increase from 2013. The enterprise is starting to realize that it’s an awful lot cheaper to provide a proper budget for security now than it is to pay through the nose later.

Companies are growing more aware of threats, and this is leading to a greater allocation of resources. Gartner estimated that worldwide information security spending rose 7.9% last year, reaching a total of $71 billion, and it’s set to grow another 8.2% this year to hit $77 billion.

According to the 2015 Piper Jaffray CIO Survey, security is the top spending priority for CIOs in 2015, just as it was in 2014. An impressive 75% of respondents expect to increase security spending this year, and that comes on top of an average 2% growth in annual IT budgets.

Government backing

The U.S. Government is also weighing in. President Obama identified cybersecurity as a priority in his budget and asked for $14 billion to boost defenses for 2016. That’s an increase of $1.5 billion compared to this year, and it includes funds for a Civilian Cyber Campus intended to bring agencies together to focus on cybersecurity issues. That spirit of collaboration extends to the private sector.

The White House summary stated, “Cyber threats targeting the private sector, critical infrastructure and the federal government demonstrate that no sector, network or system is immune to infiltration by those seeking to steal commercial or government secrets and property or perpetrate malicious and disruptive activity.”

With greater pooling of resources and sharing of knowledge, threat identification and neutralization will become easier and more efficient. There’s strength in numbers. 

Proper planning and education

You need resources to build security, but budgets must also be allocated wisely. When we looked at what the military can teach us about cybersecurity, we identified the need for proper planning and a system to enforce policy rules. Buying an expensive piece of security software or employing consultants to provide a snapshot of your security health is not going to be enough. You need an ongoing plan and expertise.

Thankfully, more and more knowledge is starting to filter through into the private sector, as experts from the military, the FBI, the NSA, and the Department of Homeland Security move into business and share their insight and best practices.

More businesses are starting to understand the value in educating their own workforces on security. Establishing programs to ensure that staff are aware of vulnerabilities and the potential for cyberattacks is important. Companies can leverage much greater value from existing security systems and polices by teaching staff good habits, and it’s also important that they understand the potential impact of a breach.

Rowing together

Looking beyond cybercriminals to the threat of nation-sponsored attacks, it makes sense for all of us to pull together. If the government and the private sector truly collaborate, we will see a decline in the threat level. The first stage was to recognize the level of the problem, and the scale of recent breaches has opened a lot of eyes. Now it’s time to work with each other to build ourselves a secure future. In tech we trust!

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.

This article was written by Michelle Drolet from NetworkWorld and was legally licensed through the NewsCred publisher network.

10 security mistakes that will get you fired

Employees know better, but still behave badly

Four out of five employees admitted to engaging in some risky behaviors while at work, even though they were aware of cyber-security dangers, according to a new global survey.

The risky behaviors included viewing adult content on work devices, opening emails from unknown senders, downloading apps from outside the official app stores, installed new applications without IT approval, used social media for personal reasons, or used their personal mobile devices for work.

In a survey of 1,580 respondents, only 20 percent said they’ve never engaged in these behaviors, according to a new study from UK-based technology market research firm Vanson Bourne.

ALSO ON CSO: The things end users do that drive security teams crazy

“We’re not seeing any changes in the way the average person makes risk choices,” said Hugh Thompson, CTO at Blue Coat Systems, a cloud computing security vendor and the company that sponsored the study. “I don’t think we’ll be able to educate our way out of this problem.”

Ironically, employees working in the IT sector were among the worst offenders, with only 12 percent saying that they had not engaged in any of these risky behaviors, second only to charity and non-profit employees, at 5 percent.

Meanwhile, IT employees had above-average scores for being aware of the risks of these behaviors.

The highest level of awareness, overall, had to do with opening attachments from unknown sources and viewing adult content on work devices. On average, 73 percent of respondents rated each of these behaviors it was risky or seriously risky.

Only 2 percent said that opening attachments from unknown senders posted no risks, and only 3 percent said the same about adult content.

However, 20 percent admitted to opening those attachments, and 6 percent to viewing adult content at work.

In other results, 65 percent of respondents knew that using unsanctioned applications was risky or seriously risky, 62 percent said the same for downloading apps from third-party app stores, 55 percent for clicking on video links on social media sites, 46 percent for using social media for personal reasons at work, and 40 percent for using personal mobile devices for work.

However, 26 percent installed unsanctioned applications, 23 percent downloaded risky apps, 31 percent clicked on video links, 41 percent used social media, and 51 percent used personal devices at work.

“I think that in my heart, I have a fundamental belief in education,” said Thompson. “That when people know, they’ll change behavior. It’s weird to see how people approach risks. There’s a massive amount of recidivism despite education.”

Thompson suggested that companies put mechanisms in place to remind employees of the risks, or to mitigate the risks if behaviors still happen.

“We have to get pretty good in the security industry and the technology industry at creating compensating controls for protecting people behind the scenes,” he said.

He also suggested that companies look for creative ways to signal that a particular behavior is risky.

“This is a rich area of research for the security space,” he said.

This article was written by Maria Korolov from CSO and was legally licensed through the NewsCred publisher network.

Superfish stumper: What did Lenovo know and when did it know it?

Can you answer these 4 questions about your network security policies?

Network security doesn’t have to be expensive, and it doesn’t have to be complicated. Yes, there are lots of excellent products, service and consultants ready to help improve your network security, and yet that shouldn’t be the first place an organization goes to prepare against hackers, insider threats, data loss and malware. Fancy new technologies won’t help if you’re not focusing on the roots of good cybersecurity. Let’s talk about some of the most important questions that people rarely ask about cybersecurity, perhaps because they seem so simplistic.

We all know that it doesn’t matter how good a home security system is if someone leaves the garage door open overnight — and a pricey car alarm doesn’t help if the keys and clicker are left in the ignition, and the car window’s open.

Here are four questions that reflect a foundation of security management. Your answers may help set the foundation of a solid security posture.

1. Are the network’s security policies up to date? 

Creating a a comprehensive security policy can be a nightmare. Endless meetings with stakeholders. Wheeling and dealing between IT and line-of-business management. Striking and re-striking the fine line between approving a policy that’s overly broad, and specifying so many minute details that the policy becomes too hard to implement. Not only that, but there are pressures to make policies as broad as possible to provide the least inconvenience to employees (and their managers who don’t have patience for such matters).

Like someone who buys a snazzy new smartphone only to see its twice-as-cool replacement announced the next day, once security policies are finished, those policies are almost immediately out of date.

Applications become decommissioned – and yet the application’s access ports remain active. New use cases are brought before the IT department. New on-premise applications go online, while some line-of-business departments write shadow contracts with cloud services providers. Are those covered by the security policy? Painful though it may be, security policies must be kept up to date, not only through regular reviews, but also by a process of actively amending the policy before security configurations are changed.

2. Are security configuration changes driven by security policy?

Continuing in that vein, there are myriad areas where security-related configuration changes are applied on a network. Firewalls and Intrusion Detection/Prevention Systems (IDPS) like those from Cisco or Wedge Networks are one area; change management systems like those from AlgoSec or Firemon are another.

There’s more to network security, though, than firewalls. Organizations need to configure policies on servers like Oracle or Microsoft Exchange; identity systems including Firebase or Okta; network routers and Wi-Fi access points; Virtual Private Network (VPN) servers, cloud-based applications like HubSpot or Salesforce.com; and of course, on-premises file and application servers.

Beyond routine moves, adds and changes to accommodate new employees or projects, changes to security settings in any of those areas should be policy-driven. When an application comes online, goes offline, or moves to another security zone on the network, the first step should be to document it within the security policy, while checking for conflicts or contradiction. Then, and only then, once changes to the policy are understood and approved, should administrators be allowed to make changes to firewalls, access control lists, Virtual LAN (VLAN) configurations, and so-on.

3. Is automation doing the heavy lifting for repetitive and sensitive tasks?

OK, say the network access security policy has been updated for new applications, and the changes are approved. Whoops — an administrator charged with implementing the necessary changes in 23 firewalls made a goof with one of them. Maybe the wrong rule was changed. Perhaps the right rule was changed but incorrectly. Either way, there will be consequences.

One consequence might be that an application fails or users are not able to access critical applications. It may take some time to find the root cause of that trouble ticket, but ultimately the problem will be resolved. A more severe consequence might be new security vulnerability that might leak data or allow network penetration. You may never find that error.

The solution: automation. By using automated tools to implement security policy changes across hardware, software and infrastructure, you have much greater assurance that the correct changes have been made. Not only can administrators review logs to ensure that every change has been implemented correctly, but the automation package can signal when a change has failed. In many cases, the automation system can periodically compare device settings against the security policy, document where there is a deviation from the policy, and then remediate the situation. Through automation, policy truly can drive security implementation.

4. Is somebody watching the watchers? 

Accidental misconfiguration of security settings on firewalls, routers, and application servers can be costly, especially if they introduce an unexpected security vulnerability. What if the misconfigurations aren’t accidental? While I’m not casting aspersions on your IT staff, it’s not difficult for a skilled administrator to open a back door into a network. That’s risk nobody can afford.

One of the best solutions, as mentioned above, is automation. If humans aren’t allowed to manually change security parameters or even touch the settings directly, it’s much more difficult to make harmful mistakes or sabotage network defenses. Still, malicious users with escalated administrative privileges can still cause mischief.

What’s needed: Tamper-proof logging of all changes to hardware, software and security profiles, with the logs locked away from all administrators with permissions to make network changes. After all, we don’t want someone changing or deleting logs. Another active approach is to set up alerts to upper management whenever security permissions are changed, so that they can respond immediately if such changes are not authorized. In this case, transparency is the best policy.

And the answer is….?

In the never-ending quest for a more secure network, it’s enticing to keep looking to new tools and technologies. Certainly we need cutting-edge resources to deter DDoS attacks, determined hackers, and insider data theft. That’s only part of the story — the other part is to make sure that our security policies and IT teams are taking care of the fundamentals. Before you send out the next RFP to a security consultant, make sure that you’ve answered those four questions first.

This article was written by Alan Zeichick from NetworkWorld and was legally licensed through the NewsCred publisher network.

Iran claims to foil cyber attack on its oil ministry

Iran claims to foil cyber attack on its oil ministry

Tehran: Iran said on Tuesday it had foiled a cyber-attack on the country’s oil ministry, and that those behind the hacking attempt were based in the United States.

The Fars news agency cited Brigadier General Kamal Hadianfar, head of the cyber police, as saying the unit had thwarted “the hackers’ attack on the oil ministry”.

He said the source of the attempt was in the United States, and that the US authorities had been informed.

“The IP address for these hackers was in America,” he said, adding that “an international judicial order” had been sent to the United States, without elaborating.

Hadianfar said the hacking attempt took place over a four-day period at the start of the new Iranian year which began on March 20.

Iran’s nuclear programme was the target of a 2010 cyber-attack by the Stuxnet virus, in a hack Tehran blamed on both the United States and Israel.

A February report by Russian security firm Kaspersky Lab spoke of a powerful cyber-spying tool that can tap into millions of computers worldwide through secretly installed malware, with many signs pointing to a US-led effort.

© Muscat Press and Publishing House SAOC 2015 Provided by SyndiGate Media Inc. (Syndigate.info).

This article was written by Afp from Times of Oman and was legally licensed through the NewsCred publisher network.

Depuis les attentats contre Charlie Hebdo et un magasin casher début janvier en France, les cyber-attaques se sont multipliées contre toutes sortes de cibles

Iran says it foiled US cyber attack on oil ministry

Iran said on Tuesday it had foiled a cyber-attack on the Islamic republic’s oil ministry, and that those behind the hacking attempt were based in the United States.

The Fars news agency cited Brigadier General Kamal Hadianfar, head of the cyber police, as saying the unit had thwarted “the hackers’ attack on the oil ministry”.

He said the source of the attempt was in the United States, and that the US authorities had been informed.

“The IP address for these hackers was in America,” he said, adding that “an international judicial order” had been sent to the United States, without elaborating.

Hadianfar said the hacking attempt took place over a four-day period at the start of the new Iranian year which began on March 20.

Iran’s controversial nuclear programme was the target of a 2010 cyber-attack by the Stuxnet virus, in a hack Tehran blamed on both the United States and Israel.

A February report by Russian security firm Kaspersky Lab spoke of a powerful cyber-spying tool that can tap into millions of computers worldwide through secretly installed malware, with many signs pointing to a US-led effort.

Iran has also been accused of developing its own cyber espionage capability.

US National Intelligence Director James Clapper in February blamed Iran for a cyber attack on Sands Casino in Las Vegas that stole confidential data and shut down many of the casino’s operations.

The assault came after the billionaire owner of Sands, Sheldon Adelson, said in 2013 that “Iran should be nuked”.

And last December, US cyber-security firm Cylance said Iran-based hackers had been engaged for two years in an operation dubbed “Cleaver”.

Cylance researchers said the effort has “conducted a significant global surveillance and infiltration campaign”.

They said targets include government networks as well as companies involved in military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace and other sectors.

The report said the campaign appeared to be retaliation for the Stuxnet virus.

This article was from Agence France Presse and was legally licensed through the NewsCred publisher network.

Health IT Success Hinges on CIO-Business Collaboration

CareFirst breach demonstrates how assumptions hurt healthcare

Last week, CareFirst BlueCross BlueShield (CareFirst) reported a data breach that was initially discovered last year. When the incident was first noticed, the company assumed they had taken care of the problem – only to learn that wasn’t the case ten months later.

The healthcare sector has taken center stage in the recent months as criminals shift from retail and finance towards easier targets. Unfortunately, most healthcare organizations are operating under a number of flawed assumptions concerning security and it’s starting to cause serious problems.

Premera Blue Cross and Anthem were both targeted by attackers using similar methods and tactics (Phishing / typo squatting), but in each case the attackers were detected, enabling both firms to activate incident response and deal with the fallout of having tens of millions of records exposed.

However, during the CareFirst incident, while the attackers were detected, the company assumed their actions were enough to contain the threat and did nothing further.

That’s the key difference. Premera and Anthem didn’t make assumptions after detection, unless you count assuming the worst and kicking off incident response immediately. Yet, they did assume the level of security on their network was sufficiently able to protect data from a variety of attackers.

CareFirst made security-related assumptions of their own and followed them with an assumption that the detected attack was the only thing wrong on the network. In each of the three cases, the assumptions were wrong and tens of millions of records were exposed because of it.

In a statement, CareFirst said at the time it was believed they “had contained the attack and prevented any actual access to member information.”

It wasn’t until the company performed a security audit several months later in the wake of the Anthem and Premera breaches that the full scope of the attack was discovered by Mandiant.

“I think that we can generally observe that Anthem, Premera, CareFirst (and presumably many other healthcare enterprises) have made some assumptions about the level of security investment and capability that they need to adequately deal with the risk to their critical assets and patient data,” commented Eric Cowperthwaite, the VP of advanced security and strategy for Core Security.

Cowperthwaite, the former CISO of Providence Health, is familiar with the security struggles the healthcare industry faces on a daily basis, plus the fact the threat landscape itself has changed dramatically over the last few years.

CareFirst isn’t the only company making serious assumption-based miscalculations, but this incident offers a clear lesson – at least on a strategic level – to other healthcare organizations; they need to review their security posture and address the types of assumptions being made before it is too late.

“At a tactical level, [Anthem, Premera, and CareFirst], appear to have made assumptions about the adversaries and their capability that is not in line with reality. In general, most people have a very difficult time adjusting their perception of reality to a changed reality. We are beginning to see healthcare getting a wake-up call. It will be interesting to see how long it takes them to adjust to their new reality.”

According to reports from BitSight, healthcare has lagged behind on security when compared to other industries (including retail) due to the volume of security incidents and slow response times.

“Health care companies have often been more willing to accept those risks because of a mistaken belief that ‘the hackers are after credit card numbers, not electronic health records,” commented John Pescatore, director of emerging trends at SANS Institute, during an interview earlier this month with CSO Online.

The reality is the exact opposite.

Healthcare data is extremely valuable to criminals, as it can be re-packaged and sold for a number of different criminal campaigns.

According to a recent Ponemon study, the value of medical records is why criminal attacks have grown 125 percent over the last two years, surpassing accidents as the top source for breaches in healthcare.

It’s true, assumptions hurt CareFirst. But the larger picture is that assumptions hurt everyone in the healthcare sector too, because the days of saying there’s nothing on the network of interest to criminals, or a single logged event is the total scope of a given incident is long gone.

This article was written by Steve Ragan from CSO and was legally licensed through the NewsCred publisher network.