Data of over 2.6 million patients breached at Atrium Health - Comment

It has been reported that 2.65 million patients of Charlotte-based Atrium Health were recently hit with a data breach in which unauthorized parties gained access to their information.
Hackers attempted to lift patient information over a weeklong period from Sept. 22-29. The data was stored in a third-party system provided by AccuDoc Solutions Inc., which provides billing services to Atrium and about 50 other hospitals and health-care systems.
Commenting on the news is Javvad Malik, security advocate at AlienVault:
“It’s encouraging to see the forensic examination concluded that although the data was viewed, it was unavailable for download or exfiltration. However, better detection controls could have prevented the attackers from going undetected in the system for over a week.

The incident serves as a reminder that companies and providers across all verticals are attractive targets and no company should consider itself ‘too small’ or uninteresting to be a target.”



Becrypt CEO Bernard Parsons on the Joint Committee’s National Security Strategy

Please see below comments from Bernard Parsons, CEO of Becrypt, on the Joint Committee’s National Security Strategy report. Bernard outlines some of the challenges that the NCSC is facing, the failure of self-regulation, and suggests how the UK Government can proactively approach cybersecurity.

“The Joint Committee on the National Security Strategy report does a great job in mapping out and summarising the extent of the challenge the UK faces, in ensuring appropriate cyber resilience within the Critical National Infrastructure (CNI).

“These challenges include defining and measuring cyber resilience, identifying the boundaries of the CNI and its supply chain, and developing the skills needed to keep pace with dynamic and constantly evolving threats. Whilst a significantly positive impact has been achieved in some areas, particularly by the National Cyber Security Centre (NCSC) with limited resources, the report suggests that a significant and creative change to the Government’s current approach is still required.

“The 2016 National Cyber Security Strategy formally recognised the failure of the market to self-organise. This remains true today, with the most advanced cybersecurity practices occurring where the greatest incentives exist, with the finance sector a prime example. Very different economic models play out in sectors such as energy, where it is the broader economy and citizens that stand to lose the most, in the event of a major cyber incident.

“Whilst it may seem unpalatable, proposed mechanisms such as individual board member responsibility and the inclusion of cyber reporting within a revised Companies Act may be the types of triggers that are necessary to create the focus within the private sector which the Government needs to be successful.”



Uber fined £385k by ICO for 2016 hack

It has been reported that the Information Commissioner’s Office (ICO) has imposed a fine of £385,000 on Uber for its 2016 breach. The ICO said on Tuesday that a “series of avoidable security flaws” allowed attackers to access the usernames, email addresses and phone numbers of around 2.7 million UK customers.


Commenting on the news are the following security professionals:


Tim Erlin, VP at Tripwire:


“The ICO has previously demonstrated a willingness to fine organizations in circumstances like this, though it remains unclear whether such fines make a material difference in the overall security across industries. While this incident pre-dates the GDPR, fines like these must now be viewed in light of the more expansive regulations that have come into force. It’s important to remember that GDPR isn’t the first regulation to address security and data privacy. GDPR is designed to harmonize and update a disparate set of regulations across the EU. While GDPR provides the framework for significant fines, they are maximums, not minimums. The actual fines levied will be situationally determined.”


Javvad Malik, security advocate at AlienVault: 


“The Uber fine shouldn’t come as a surprise to anyone that has been following the story. The company had inadequate protective and detective security controls. To make matters worse, the company tried to cover up the breach and paid money to keep things quiet, and in the process exposed its customers. While breaches are an unfortunate cost of doing business these days, it’s how a company acts in response that can make the difference between a large fine and a warning.”


Martin Jartelius, CSO at Outpost24:


“Taking into account the substantial impact of this breach and the way it was handled by Uber, this is also a good example of why GDPR is of importance to us all. We may not be protected from those recurring breaches, but customers and end users have a right to know when companies have failed to meet their obligation to protect our information.”



Security of Remote Navy Ships Needs to be Taken Seriously - Comment

With recent news that BAE Systems is developing a new technology to enable Royal Navy ships in future to be controlled remotely, below is comment from Adam Greenwood-Byrne, CEO of RealVNC, the company that invented ‘virtual network computing’ technology used to connect over 1 billion devices by giants from NASA to Shell.

Adam explores why this news is a great step towards a connected society but also why security should be the first consideration in developing the programme.

Adam Greenwood-Byrne, CEO of RealVNC, comments:

“The news today that BAE Systems is developing a new technology to enable Royal Navy ships in future to be controlled remotely is a great step forward for innovation in AI and will take us one step closer to realising a truly connected society. However, while the focus on AI and AR fits well with the emerging tech stories we are seeing every day, there is a fundamental element missing that will support these developments.

“While a big priority of developers will be to roll out these capacities quickly in order for the navy to benefit as soon as possible, it is vital that security is a major consideration due to the new points of vulnerability to consider, especially with cybersecurity threats now being a case of ‘if’ and not ‘when’. Remote access technology has come a long way from the ‘tool for the IT help desk’ to one that is essential for critical applications such as this.

“Therefore it is important that every aspect of security is taken seriously, from ensuring that the connection provided is secure, all the way to having cyber-skills available to remotely access ships in real-time and intervene in the case of an attack.”



Lords to hear evidence on the role of digital forensics in the Criminal Justice System

Over two evidence sessions on Tuesday 27th November the House of Lords Science and Technology Select Committee will question forensic scientists from a variety of small and medium-sized private providers, as well as the Metropolitan Police and the Chartered Society of Forensic Sciences, for its inquiry into the use of forensic science and its contribution to the delivery of justice.

In the first session, the Committee will explore the role of the Chartered Society of Forensic Sciences as a voice for the sector. It will also investigate the way in which different private providers view the current system of accreditation.

In the second session the Committee will explore what is being done to prepare for the increasing role of digital forensics and the level of understanding of digital forensic science within the Criminal Justice System.

The Session will begin at 3:25pm in Committee Room 4A of the House of Lords. Giving evidence will be:

  • Dr Anya Hunt, CEO, Chartered Society of Forensic Sciences
  • Mr Angus Marshall, Director and Principal Scientist, n-gate Ltd
  • Dr David Schudel, Forensic scientist, Keith Borer Consultant

Questions the Committee are likely to ask include:

  • Is the Criminal Justice System being equipped with robust, accurate and transparent forensic science?
  • What are the differences between the forensic science provision available to the prosecution and to the defence?
  • What are the risks of a market approach (for example what happens if a provider goes out of business) and what is the impact on admissibility, reliability and credibility of forensic science evidence?
  • What is the level of understanding of forensic science within the Criminal Justice System amongst lawyers, judges and juries?

The second session will begin at 4:25pm and the Committee will question:

  • Mr Mark Stokes, Head of Digital, Cyber & Communications Forensics Unit, Metropolitan Police
  • Dr Jan Collie, Managing Director and Senior Forensic Investigator, Discovery Forensics
  • Professor Peter Sommer, Professor of Digital Forensics, Birmingham City University

Questions the Committee are likely to ask include:

  • What is the level of understanding of digital forensic science within the Criminal Justice System amongst lawyers, judges and juries?
  • What role do technological solutions, such as machine learning, have in dealing with large amounts of data from digital devices?
  • How can the privacy of complainants and witnesses be protected, while also securing the necessary digital evidence for successful prosecutions, or exonerations?
  • Where are the gaps in research and understanding of digital forensic science?



Taking the long view – why threat hunting should underpin strategic IT security

By Rick McElroy, Chief Security Strategist, Carbon Black

The US Navy SEALs have a well-known motto: “The only easy day was yesterday.” Taking a look at the latest intelligence on the UK cybersecurity landscape it can feel like we’re facing a future that will make the challenges of the past seem like halcyon days. Certainly, all the evidence indicates that the frequency, sophistication and severity of cyberattacks on UK businesses is rising exponentially. However, I believe that while we must accept that there’s no silver bullet for the constantly moving targets that are our cyber adversaries, we can start to build our strategy around proactive, not just reactive tactics, and use threat hunting to underpin our approach.

The latest Carbon Black UK Threat Report found that 92% of UK businesses had been breached in the past year, with 44% being breached multiple times. 82% reported seeing an escalating number of breaches and over a quarter of those said the number of attacks had increased by between 51% and 200%. 91% believed that attacks are becoming more sophisticated and, in another survey we ran, 64% of incident response professionals said they had seen attempts at secondary command and control and 46% found evidence of counter-incident response.

These figures show that cyber criminals are getting smarter and more persistent all the time – and they’re not just in it for a quick win. They’re playing the long game, seeking to establish a foothold in our networks in order to move laterally, island hop into partner networks and launch future attacks to their own schedule. The Ponemon report on the cost of data security breaches found that on average infiltrators spend 191 days inside a network before they are detected.

While this is vastly undesirable, the fact that they’re already there gives us the opportunity to do more than simply play a never-ending game of “whack-a-mole” at the network perimeter. We know that adversaries are inside our networks, so now we need to take a longer view and put some serious focus into hunting threats, anticipating potential attack vectors and making our network a less comfortable environment in which to exist over the long term.

We asked UK security professionals about how they are using threat hunting as part of their armoury. Two thirds of respondents said that they had conducted threat hunting in the past year and of those, more than 90% confirmed that threat hunting had strengthened their defences. Clearly this is a tactic that some organisations are already using to good effect.

What makes effective threat hunting?

Turning the tables on adversaries and starting to proactively hunt threats needs a different mindset and skillset to pure-play cyber defence. Instead of standing on the watchtower, we’re delving into the shadows seeking signs of malicious activity and using all the forensic intelligence we can gather to understand the motives and tactics of our opponents and anticipate where attacks may be initiated.

We recently held a series of discussions with SecOps professionals in the UK and Europe and asked whether they felt threat hunters were born, not made. Do successful threat hunters naturally think differently to the rest of us, or can the necessary skills and attitude be taught? The consensus was that undoubtedly some individuals have particular talent in this area, but that the overall shortage of cybersecurity professionals (there’ll be an estimated shortfall of 350,000 in Europe by 2022) means that empowering existing teams to develop threat hunting skills will be essential. I strongly believe that given the right tools, a clear brief and the freedom to roam, there’s no reason why the organisation can’t mobilise its whole security team to threat hunt effectively.

In fact, embedding a culture of threat hunting across the organisation is really more important than having individuals assigned to the case. We don’t want to create silos, we want to be sharing intelligence and spotting patterns that make us a smarter, harder target for cybercriminals. And that goes across the industry, too, not just within companies. The cybercriminal community is fantastic at sharing intelligence, tools, tactics and procedures, but here on the other side of the fence we don’t seem to be able to get past the silos of competition.

The numbers game – outspent by a factor of ten to one…

Going back to our research, UK companies told us that they were anticipating only a limited increase in security budget spend – two-thirds were expecting to see budgets increase by between 10 and 30%. In the face of the escalating threat landscape this is concerningly modest. While the corporate environment is naturally lean when it comes to budgets, it’s important to keep track of what the competition is doing.

In this case the competition – cybercriminals – are throwing the kitchen sink at developing new methods of attack and, given that this is their core line of business, I guess that’s to be expected. They’re spending around $1 trillion annually, against a global security spend of $96 billion – a ratio of roughly ten to one. It’s a profoundly unequal battle and it’s therefore not surprising that we’re seeing big increases in the number and severity of breaches. Assuming we’re unlikely to get a sudden budget injection on a $1 trillion kind of scale, we need to make sure every penny we spend on cybersecurity delivers solid ROI.

Investing in threat hunting is an important part of a maturing approach to strategic IT security. It demonstrates that your organisation is serious about lowering the amount of time adversaries spend in its network and limiting the risk to your partners from island hopping. As UK organisations are already finding, threat hunting strengthens defences and hardens the attack surface, so even if budgets are limited, I strongly recommend that threat hunting is on the menu. As an industry we need to get threat hunting working for us to start turning the tables on our adversaries. I’m not saying tomorrow will be easy, but we’ll be heading in the right direction if we start threat hunting today.



Retailers acting quickly to fix flaws in software but code quality issues remain rampant

New Veracode State of Software Security (SoSS) report reveals 66% of applications suffer from information leakage flaws, the sector’s biggest threat

Veracode’s latest State of Software Security (SoSS) report revealed retail is faster than most industries when it comes to addressing common vulnerabilities found in software. The global report found retail is second only to healthcare in its speed of shutting down flaws, which reduces risk exposure.

However, two-thirds (66%) of current applications used by retailers are at risk from information leakage attacks, in which an application reveals sensitive data that can be used by an attacker to exploit the target web application, its hosting network, or its users. The retail sector reported the third-most information leakage issues, behind the technology and financial services industries.

Veracode’s report also investigated flaw persistence, or how long a flaw lingers after first being discovered. The report showed healthcare and retail are reducing their risk the fastest, with the retail sector remediating a quarter of vulnerabilities within 14 days and 50 percent of flaws within 64 days. In fact, retail outpaces the all-industry average speed of fix at every interval, meaning the sector is consistently urgent in closing vulnerabilities.

Even as it is making strides in reducing risk, retail recorded the highest proportion of code quality flaws of any vertical, at 65 percent. Code quality is the third most common vulnerability category across all industries, following information leakage and cryptographic issues, suggesting that developing quality code is an industry-wide dilemma.

“In the wake of GDPR, it’s vital that retailers have visibility into risk associated with code flaws,” said Paul Farrington, Director of EMEA and APJ at Veracode. “With the busy holiday shopping season arriving, vulnerabilities in applications can allow attackers seeking sensitive information such as consumer payment data a way in. Many retailers are showing an aptitude for remediating flaws quickly to help improve security and protect their high value information. This is promising, yet the persistence and prevalence of vulnerabilities that continues to plague retailers calls for both increased speed of fix and better prioritising which flaws to fix first.”



Mastercard accredits FIME for biometric evaluation services

Device manufacturers and solution providers can now demonstrate the quality of fingerprint sensors for strong customer authentication

FIME has been accredited by Mastercard to deliver biometric authentication testing services for fingerprint sensors, in line with Mastercard’s new guidelines for mobile device sensors. The evaluation program enables mobile, wearable and sensor manufacturers to test the performance and accuracy of mobile fingerprint sensors. This enables financial service providers to easily evaluate the hardware and software integrated into devices and have confidence in the quality of the products that are integrating with their payment solutions.

Goode Intelligence’s second Biometrics for Payments report found that biometrics has become an important tool in the fight against fraud in almost all payment channels. The report predicts that there will be over 2.6 billion biometric payment users by 2023, driven by the desire for more frictionless authentication, fraud reduction, regulation, and standardization.

Mastercard’s program provides dedicated hardware performance testing to scrutinize the quality of solutions’ matching engines. Vendors and service providers can make use of FIME’s consulting, training and testing services to launch reliable mobile payment solutions.

Stephanie El Rhomri, FIME:

“Biometrics have taken the payments world by storm in recent years, delivering consumers greater convenience and security,” comments Stephanie El Rhomri, Vice President of Services at FIME. “But in a post-PSD2 and GDPR world, players across mobile and payments are increasingly understanding the importance of performance and quality to ensure customer adoption of new secure authentication solutions. We’re proud to be championing this evaluation program, the first of its kind to be fully ISO-compliant, as we continue to support the ever-expanding role of biometrics in payments.”

To find out more about how FIME can support your projects, contact your local office.



Are England and Wales falling behind Scotland and Northern Ireland in the delivery of forensic science? Lords to hear evidence

On Tuesday 20th November the House of Lords Science and Technology Select Committee will question witnesses from the Forensic Service Northern Ireland, the Forensic Science Leadership Board of Northern Ireland and the Scottish Police Authority Forensic Services to assess whether the use of forensic science in Scotland and Northern Ireland is more effective in its contribution to the delivery of justice than in England and Wales.

Forensic science is arranged differently in Scotland and Northern Ireland compared to England and Wales. The Committee will hear how the system works in these nations and its benefits and limitations. The witnesses will also be asked for their views on the sustainability of the market for forensic services in England and Wales.

The Session will begin at 3:25pm in Committee Room 4A of the House of Lords. Giving evidence will be:

  • Tom Nelson, Director of Forensic Services, Scottish Police Authority
  • Stan Brown CBE, Chief Executive, Forensic Science Northern Ireland
  • Anthony Harbinson, Forensic Services Leadership Board of Northern Ireland

Questions the Committee are likely to ask include:

  • Where are the gaps in research and understanding of forensic science from your experiences within forensic service provision?
  • What are the challenges to collaborating with researchers from the university sector?
  • Are there current or anticipated skills gaps in forensic science?



Raspberry Pi introduces $25 Raspberry Pi 3 Model A+ to meet industry ‘sweet spot’ of price, performance and size

A new $25 Raspberry Pi 3 Model A+ has been released, which sits between the entry-level $5 Raspberry Pi Zero and the high-end $35 Raspberry Pi 3 Model B+ in terms of price, functionality and size.

Model A+ features the same 1.4GHz 64-bit quad-core ARM Cortex-A53 processor and dual-band 2.4GHz and 5GHz wireless networking as Model B+, but omits wired Ethernet connectivity and has half the memory capacity. At 65x56mm, its compact footprint makes it ideally suited to applications such as robotics, where both size and performance matter. The $10-per-unit saving compared with Model B+ means that mass deployments in factory automation, industrial monitoring and process control will realise significant cost savings.

The dual-band wireless LAN comes with modular compliance certification, which allows the board to be designed into end products with significantly reduced compliance testing, improving both cost and time to market.

Eben Upton, CEO of Raspberry Pi (Trading), said, “The new Raspberry Pi 3 Model A+ hits the sweet spot between the Raspberry Pi Zero and the Raspberry Pi 3 Model B+. For industrial users who do not require the wired networking and 1GB of RAM offered by its larger sibling, Model A+ will deliver the required functionality but at a lower unit cost: when you’re buying in bulk that’s going to make a big difference.”
Find out more at