Categories
Computer & Network Security

What You Can Learn From SolarWinds – The hack That “Blindsided” The US Cyber Command

Security firm CrowdStrike revealed “the worst U.S. cyber attack in years” last December, according to Reuters.

Suspected Russian hackers penetrated major IT management software provider SolarWinds as early as September 4, 2019, spreading to more than 3,000 of the firm’s clients. Such clients included many Fortune 500 companies and high profile organizations, like Microsoft, Cisco Systems Inc, the US Department of Homeland Security, and the US Cyber Command.

Cybersecurity experts say the depth and breadth of this incident calls into question status quo cybersecurity practices across the world. Once penetrated, organizational networks are much more difficult to secure again. Recovering from the attack may take years, according to Tom Bossert, former President Trump’s homeland security officer.

Here’s what happened, and what you need to know to prevent future compromise.

How the Hack Turned Elite Organizations’ Security Practices Against Themselves

In Fall 2019, hackers penetrated SolarWind’s network management tool, Orion, inserting the SUNBURST malicious code. The company unwittingly pushed updates containing the compromised code that ripped backdoors into their client’s IT systems, into which hackers installed even more malware to further their surveillance efforts.

Compromising Orion wasn’t the end goal, though. Instead, the backdoor was used to access SolarWinds’ SAML-tokens, which transmit sensitive data— like usernames and passwords—in concert with the SSL encryption protocol.

From there, hackers entered their networks through forged security certificates. After that, hackers were able to quickly move laterally throughout the network, escalating their privileges and compromising any number of systems under that network’s umbrella.

What The hack Tells Us About Modern Cybersecurity Practices

The incident reveals the weaknesses of current cybersecurity practices, commonly referred to as the “castle and moat” approach, where a premium is placed on perimeter security. The model’s lack of rigorous user access controls is frequently exploited by hackers, who usually exploit easy points of entry and escalate administrative privileges.

This attack effectively illustrates the need for zero-trust security architecture.

What’s zero trust?

It’s basic premise: “never trust, always verify.” That means securing access to networks through a process of authentication of the user’s machine, authorization of the user behind the device, and the verification of user’s security credentials.

Additionally, zero trust mandates that access to sensitive resources are granted on a least-privilege basis, in other words ensuring access only to staff that absolutely need a given resource.

Finally, rigorous logging is employed to track all traffic through specific inspection points to help enforce least-privilege access rules.

How Zero-Trust May Have Prevented SolarWinds

A core tenant of zero trust is adopting a state of assumed breach. Meaning all requests are inherently untrusted and must be verified.

There are no silver bullets when it comes to security and while companies couldn’t do anything to protect themselves from the attack’s first phase, as that compromise was on the service side, they could have better protected their network through stronger user authentication and verification.

Before users are granted access to sensitive resources or applications, Zero-trust architecture mandates that users prove both their identity and that of the device they’re using. Requiring multiple verification factors, which are continuously reviewed, zero-trust ensures that foreign actors aren’t using falsified security tokens.

What’s more, such architecture limits access to sensitive resources even after network access is granted using techniques such as just-in-time and just-enough-access (JIT/JEA), securing an additional layer of protection. And by limiting this access to only those who need it, commonly called least-privilege, the pool of potential social engineering targets are greatly reduced. This security layer could have prevented the lateral movement hackers demonstrated after breaching the Orion platform.

In sworn testimony from US CISO Christopher DeRusha, the official told the Senate Homeland Security and Government Affairs Committee that the government should move towards zero trust and away from perimeter security.

“In this new model, real-time authentication tests users and looks to block suspicious activity and prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds attack,” DeRusha said. “Many of the tools we need to implement this model already exist within industry and agency environments, but successful implementation will require a shift in mindset and focus at all levels within federal agencies.”

What You Can Learn From SolarWind and Zero-Trust

Of SolarWind’s 36,000 customers, approximately 1800 installed the affected update. If you’re worried that your organization may be impacted and you haven’t taken steps to mitigate this attack be sure to update Orion to the latest version and follow SolarWinds guidance.

However, just because an organization doesn’t use Orion doesn’t mean they’re safe; you should contact your IT vendors or MSP to confirm that they’re not impacted. If so, ask them what they’re doing to reduce your exposure.

Organizations looking to secure themselves against a future attack should leverage a combination of improved network visibility, incident response, comprehensive vendor management and a zero-trust user access model.

You’ll also want to improve your organization’s security culture by teaching and enforcing best practices. That includes how to utilize tools like web filtering and two-factor authentication, how to create strong passwords, and how to properly configure firewalls.

Lastly, remember that your security efforts should be tailored towards the most likely and most potentially damaging threats. This means beginning with threat modeling to identify your most sensitive assets, and brainstorm the most likely paths hackers may take towards compromise. If all this sounds like too much, consider a trustworthy third-party security-focused managed IT provider like SecurIT360.

Conclusion

If nothing else, SolarWind is a reminder of how serious and far reaching attacks on third-parties can be to your organization. Given the wealth of consumer data now held by the average business, just about every company could be a target.

Categories
Computer & Network Security

Understanding the Cybersecurity Maturity Model Certification (CMMC) and its Benefits to You

In today’s evolving threat landscape, organizations are often required to remain compliant with government and industry-based regulations, standards, and policies pertaining to data security and privacy. Therefore, attaining an industry-wide certification for your corporate cybersecurity posture is critical to maintaining a good reputation as well as assuring the confidentiality, integrity, and availability of critical and sensitive information within your computing infrastructure.

It is estimated that cybercrime causes global damages of over $600 billion per annum, thus it is now more important than ever for organizations to protect their information supply chain infrastructure, especially supply chains that process controlled unclassified information (CUI). For organizations looking to conduct business with the U.S. Department of Defense (DOD), there are special cybersecurity regulations that must shape handling of DOD-developed digital assets, and the Cybersecurity Maturity Model Certification (CMMC) is a prime example.

The CMMC consists of five maturity levels, which is used as a guide to protect DOD critical data from a range of cyber-threats, including sophisticated threats posed by advanced persistent threats (APTs). The CMMC framework aligns your organization’s cybersecurity response with security control-measures deemed sufficient by the DoD to protect sensitive information against emerging cyber threats, thus allowing Defense Industrial Base (DIB) companies to provide reassurance to the U.S. government that all CUIs are being monitored and secured with at least the basic controls that are recognized by the CMMC maturity levels.

The Importance of CMMC

Being CMMC-compliant not only protects your reputation, but it also mitigates against the financial burden of a breach. The CMMC framework allows you to leverage new operations and applications with the confidence that they are secured by your existing cybersecurity measures.

In terms of the industry-specific benefits, CMMC compliance will reassure clients that you are adhering to the latest cybersecurity recommendations, which will help you win new contracts and gain a competitive advantage over your competitors. Software vendors will be able to reassure enterprise clients that their security framework meets DOD guidelines, and the same applies if you operate in industries with a complex supply chain.

Another benefit of being CMMC-complaint relates to managing risks across your supply chain. If you know of other organizations in your supply chain that are not yet CMMC-compliant or are not prioritizing cybersecurity, you can recommend that they get an audit. This allows for better protection across your whole supply chain, instead of just your organization.

The main goal is to document all processes and constantly improve them, so there is no “weakest link” left within the supply chain. Having a common understanding of how every element of your supply chain operates from a cybersecurity perspective is hugely reassuring, as you can use this knowledge to maintain DOD contracts, expand your client network, and benefit from the subsidized nature of CMMC audits.

Particulars of the CMMC Framework

The CMMC framework consists of 171 practices mapped across five different levels of maturity. The more practices your organization implements, the better you become at protecting all unclassified data within your infrastructure. For the majority of subcontractors of DOD, the first level of the CMMC framework is what you can expect to be recognized when you invest in an audit from a trusted vendor. This level contains all of the common cybersecurity practices.

As you begin to approach the higher levels of the CMMC model, the processes become more documented and proactive. The main aim is to actively manage, review, and optimize cybersecurity processes to protect all of your devices and data points from the growing sophistication of APTs and their growing attraction to supply chain attacks.

Differences Between Each Level of the CMMC Framework

As mentioned earlier, level 1 CMMC states that organizations follow basic cyber hygiene. This is essential to assuring confidence in your supply chains, or to assuring DOD, that you follow basic cybersecurity practices on (at least) an ad hoc basis. The processes are not documented or actively expanded upon by your IT department, but your employees do adopt the recommended processes as and where possible.

Level 2 CMMC measures involve documenting any cybersecurity processes, so that there is proof that people are trained to implement DOD’s best practices for protecting CUI across your organization’s network.

A level 3 compliant subcontractor would have gone one step further than those in level 1 or 2, as their cybersecurity practices adhere to the NIST 800-171 framework. This model contains various security measures that must be undertaken for you to achieve the best protection for all of the CUI you store and manage. For example, instead of simply implementing security measures from a selective standpoint, you will roll the measures out to any section of your infrastructure that may store/move CUI, to enhance your protection from APTs.

If your organization has maturity level 3 CMMC, all of your cybersecurity practices are documented, assessed, and rolled out to the whole organization, while being reviewed on an ad hoc basis.

Furthermore, a level 4 compliance posture differentiates good cyber hygiene from proactive cyber hygiene: the risk from APT actors is managed in real-time with a “constant improvement mindset.” This maturity level combines all of the processes contained in levels 1–3 while using a forward-thinking approach, surrounding the developing sophistication of APTs and the tactics, techniques, and procedures (TTPs) they implement.

Lastly, level 5 maturity will require your organization to implement all of the previous levels of the CMMC framework while leveraging the controls and procedures to ultimately lower the risk and burden caused by APTs on your CUI—essentially before the risk to your reputation or finances becomes anything more than minimal.

Required IT Controls for Each CMMC Level of Certification

Each level of the CMMC framework implies a different (and more managed) level of IT control. As a guide, here is what you may be expected to implement depending on your industry:

  • Level 1 maturity can include staff updating passwords, updating/patching critical applications, and installing antivirus or other free/low-cost cybersecurity tools.
  • Level 2 maturity ensures that procedures to protect CUI are documented and actively encouraged by your IT department. Best practices may be taught via security awareness training.
  • Level 3 IT controls may include multi-factor authentication (MFA), meaning the NIST 800-171 framework is adhered to. Your organization will identify and implement cybersecurity controls across all data points that may contain CUI.

An organization with level 4 compliance can be expected to implement forward-thinking measures, such as cybersecurity controls on emerging technology, mobiles, or IoT. These are areas of your infrastructure that may have previously been under-prioritized from a cybersecurity standpoint.

Lastly, to become a level 5 compliant entity, your IT department must implement 24-hour controls, to minimize the impact of any form of cyber-threats. For example, a security operations center (SOC) may be created, leveraging both human and automated mechanisms, to actively manage threats. With this type of dualistic data security and privacy countermeasure, security goals remain dynamically-aligned with the needs and objectives of your organization.

Conclusion

Being able to certify your cybersecurity posture is now more important than ever, and the newly implemented CMMC framework offers this opportunity for DOD subcontractors and other eligible organizations to do this. With 5 different levels of maturity, the CMMC model can help your organization to understand what is required of your IT department, and it can help your team proactively manage, detect, and improve against the TTPs of APTs.

Becoming CMMC certified at any level provides immense reassurance to your clients, contractors, and anyone you interact with, as it shows you are fully compliant as an organization with what the DOD recommends. Not only will CMMC certification serve as a route to gain a competitive advantage in your industry, but it can also help you to obtain knowledge about your entire supply chain.

You can use this framework to identify any existing weak links and recommend procedures to implement to further minimize the threats against your organization and anyone else you work with within your industry. If you would like to find out more about the CMMC framework, and how to become certified, contact SecurIT360 today to see how we can help you obtain the audit you need to gain a competitive advantage in your industry.

Categories
Computer & Network Security

How To Check A Sketchy Link Without Clicking It

Let’s say you’re working through your dozens of emails, responding to clients or customers or business partners and you come across this one email from your bank informing you that you need to reset your password. This email comes completely out of the blue and to top it off you don’t recognize the senders email address. Do you click it?

Maybe…maybe not.

Did you know that you can investigate if that link is sketchy or not without clicking on it?

When it comes to hyperlinks, sometime’s it’s really obvious it’s sketchy, but other times, in the case of look-a-like domains, it can actually be a bit tricky.

Here are a few things that make a link sketchy, when visibly looking at it.

  • Links that end in uncommon top level domains (TLD). Because the cost to purchase domains within these TLDs are pretty inexpensive, they are very frequently used for spamming and malicious activity. Aside from abc.xyz which is a web site owned by Google’s parent Alphabet I don’t know of any legit domains with these TLDs.

    • Commonly used for spamming/nefarious activity:
      • .xyz
      • .buzz
      • .live
      • .fit
      • .tk
  • Links that are knock-offs (known as look-a-like domains) of major brands. These are popular because the domain closely resembles that of real brands domains. Depending on how the URL looks in your browser and if you’re on a mobile device or on your computer, you may or may not be able to spot these very easily.

    • Examples:
      • netflix-mail[.]com
      • t-mogbile[.]com
      • googlre[.]com
      • secure-paypal.com.fraud.hmmmm[.]com

      Note, these domains may or may not be valid at the time of you reading this

  • Links that contain random numbers and/or letters. These are pretty obvious. Not all are malicious, however, anytime I see a url like this I immediatly get suspicious. It’s not a trustworthy link in my opinion and should be investigated further.

    • Examples:
      • eqbqcguiwcymao[.]info

There is definitely no shortage of URL and website scanners out there. I’ve tried dozens of them. None of them seem as good to me as URLscan. It’s fast, extremely detailed, provides a live screenshot and it allows you to link out to other scans to check them as well.

URLScan – https://urlscan.io

My go-to move with any sketchy links is to pop them into URLScan and see what comes up. To do that, just head on over to https://urlscan.io. Then just simply copy and paste the link you want to scan into the scan field. Once there you can also click Options and make your scan Private, which sometimes is nice to do, since Public scans will show up on the front page and in searches.

Now that you have your link pasted in, click Scan! Once URLScan is finished checking your link, doing it’s analysis and fingerprinting, it will bring you to a results page that looks something like this.

Note, this is an example results page of a known malicious site.

1. Live Screenshot. This allows you to visibly see if there might be anything weird going on with the site. This is good for sniffing out things like misspelled words on login pages.

2. Google Safe Browsing rating. This is a nice quick view of if the website is safe or potentially nefarious.

3. Lookup the URL with other scanners. The lookup tab allows you to pick any of a number of other website scanners. This can help you glean additional information about the site you’re scanning in case you’re still not sure about it.

Caution when Clicking

It’s a bit cliche by now but, think before you click! It only takes a few minutes to pause, copy and paste the link into URLScan and check it out first before clicking.

If you’re at work and have an IT Department or Security Team, send it over to them and ask them to investigate it for you. It’s better to wait 10 minutes to get a link checked out than spend 10 weeks recovering from a security incident.

Additional Information

I did some googling on this topic and found some good articles related to suspcious and or malicious domains. The articles below go into much more detail on TLDs and their use for malicious or spammy activity. If you’re into the technical nitty gritty these would be great reads.

Categories
Computer & Network Security

Endpoint Detection and Response: Monitor and Mitigate Your Cyber Threat Environment

There’s one lasting cybersecurity misconception that’s misled many: that perimeter security is sufficient in itself. 

While preventing attacks using tools like anti-malware, access management, anti-phishing training, and SIEM are effective, they’re ultimately insufficient on their own. Endpoint protection and monitoring (EDR), paired with managed detection and response (MDR), provides the missing element here, pairing prevention (EDR) with response (MDR) to curtail any attempted intrusion before serious damage is done.

To make matters worse, threats have risen 400 percent since before the coronavirus—with a 40 percent growth in ransomware specifically. What’s more, the explosive growth of workers performing their jobs at home has greatly expanded attack surfaces. Here, we’ll delve into endpoint protection and response, its place in modern cybersecurity, and the benefits it supplies.

Why EDR is Relevant to Today’s Threat Landscape

Much of the internet and IT technology was not designed with security in mind. As such, security approaches are enormously varied, often unsophisticated, and rely on mistaken assumptions about today’s threat landscape.

Case-in-point is the industry’s overwhelming reliance on perimeter security or network security, often referred to as the castle-and-moat approach. The thinking is simple, use a few different technologies like firewalls, anti-malware applications, and other security tools to prevent each potential attack vector.

There’s no such thing as perfect defense against an unknowable threat landscape. Each year, organizations face a roughly a 50/50 chance of experiencing a cybersecurity incident. Between malware, ransomware, advanced attacks, insider attacks, and social engineering attacks, such incidents occur so often they’re almost predictable.

Social engineering attacks are a good example. Approximately 91% of data breaches start with a phishing email, according to a Deloitte study. One might assume that effective education and training could prevent most social engineering attack attempts. However, such attacks are incredibly sophisticated, often taking the form of a court notice, IRS refund, fax notices, and are successful through repetition. Falling prey may be a statistical likelihood.

In test attacks from cybersecurity firm Positive Technologies, a whopping 17 percent of employees fell for the fake scam (Done with permissions from leadership). Among those: 25 percent of managers, and 3 percent of security personnel.

While EDR itself can’t prevent an employee from an ill-advised disclosure of data to a phishing email, their later activity in the system—in elevating their privileges and moving across their system—would be visible to effective EDR.

What’s more, EDR serves another important function: reducing the crucial time period between network penetration and the discovery of compromise. Currently, companies take an average of 197 days before discovering an intrusion, according to a Ponemon study. Reducing discovery time can significantly decrease the cost of containment.

Given the extremely high volume of these attacks and the predictability with which they occur, then it follows that cybersecurity must not only prevent attacks but also focus on responding swiftly by containing or removing any such vulnerabilities.

How Endpoint Detection & Response Works

EDR complements typical network security by adding visibility in activity occurring on endpoints, analyzing the resulting data for signs of malicious activity or compromise, and issuing automated responses that contain or remove threats, and alert administrators.

Note that the added responsibility and technical sophistication necessary for effective EDR may be too much for many IT departments. That’s why managed detection and response, a service provided by many cybersecurity managed service providers, may be necessary to cover these responsibilities, 24/7 monitoring, and any necessary maintenance. Together, EDR and MDR combine to form a comprehensive incident response program.

Personal Devices in the Workplace Are On The Rise

The explosion in personal devices in the workplace forms one of the most pressing security concerns today. Approximately 90 percent of US employees use their smartphones at work, while 50 percent of companies with permissive personal devices usage policies had such devices breached, according to Trend Micro.

Given their enormous cost savings benefit and their preferred status amongst workers, this is unlikely to change. Still, this growth means business networks are hosting a high volume of endpoints that aren’t likely to be secure.

Popular operating systems, whether we’re talking about Windows, MacOs, IOS, Android, or others, rest on a foundation of insecure code and contain a wealth of vulnerabilities to boot. Also, the software they run may not be secure, and they’re easily able to download malicious resources from the web.

If such devices can be manipulated and controlled by hackers, either directly or through malware, one can’t assume trustworthiness. Attackers depend upon this weakness and use it to escalate their privileges to gain access to the resources they’re after.

Endpoint protection’s deep visibility shows which user owns the endpoint, the location in which it’s currently being used, any applications running on it, and any content it’s creating.

EDR greatly minimizes that risk, ensuring that, if and when a cybersecurity event occurs, it can be quickly shut down, through deletion, containment, and rapid notification of relevant personnel.

This is crucial as it currently takes organizations an average of 197 days to identify a breach and another 69 to contain.

Continuous Monitoring and Forensic Analytics

As we mentioned up top, perhaps the most transformative aspect of endpoint services is the greater visibility they lend to endpoint activity.

For instance, EDR can validate that packets coming from an endpoint have been created by a legitimate application. It can also monitor the file integrity of key resources, which are automatically flagged in the case of improper access to secure files and theft of sensitive data.

What’s more, this monitoring is continuous, meaning EDR is always on the hunt for signs of compromise, recording, and storing all related data.

The latter is essential in providing usable forensic data that can help security professionals understand circumstances surrounding any attack, and thus how to prevent the next one. Such investigations could uncover patterns of behavior behind such threats to predict future ones.

Real-time monitoring leverages file integrity monitoring of key data, applications, and devices to find compromise. This includes activities like changes to a malware-related registry, improper access to secured files, and sensitive data theft. EDR is also capable of monitoring critical system events like startups and shutdowns, license changes, hard disk failures, and changes to the systems clock. And with automated policy enforcement, any such event can be rapidly contained.

Single Source for Endpoint Management

The unprecedented visibility that EDR extends is crucial; users will find that having a centralized location to monitor network endpoints is immensely valuable and educational.

From here, policies can be set and automatically enforced. Historical data across each endpoint can be investigated, which can uncover routes to penetration not previously considered; every endpoint, affected user, and step in the hacking process.

Since EDR systems are tasked with monitoring all devices within a network, they’re often much easier to integrate into network infrastructure. Many EDR solutions are compatible with a wide range of security tools, allowing endpoint data to be analyzed alongside other security network data.

This accessibility is further enhanced by the simplicity and ease of use of many modern endpoint solutions. Drag-and-drop interfaces and easy-to-read analytics make them layperson-friendly—crucial if they’re to be understood by stakeholders.

Perhaps the most compelling, and necessary, component of an EDR solution is its ability to be remotely managed by cyber security professionals.

EDR remote management options allow trained and certified experts to monitor network activity, flag and respond to anomalous activity, and stop cyber attacks that would otherwise compromise your organization. Having experienced and trained security professionals on your side is a superior alternative to installing a piece of software and hoping the built-in software is sufficiently up-to-date and nuanced enough to effectively identify and respond to threats.

Where to Go From Here

The combination of endpoint monitoring with traditional network security gives organizations an unprecedented and holistic view of their organization’s threat surface—and the once-invisible activity occurring on it.

At SecurIT360, we are a team of skilled cyber security professionals that can partner with your organization to provide an EDR solution that is customized to protect your business, its data, and your bottom line. EDR can integrate with minimal lift from your team or changes to your existing security architecture.

Oh, and if you’re curious: the proper way to respond to a cybersecurity incident.

SecurIT360 is a managed services provider proficient in monitoring and incident response, assessments and penetration testing, compliance, and general cybersecurity consulting. Contact us to learn more.

 
Categories
Computer & Network Security

Artificial Intelligence Advancements In Healthcare: The Needed Next Level of Cyber Security

How is Artificial Intelligence being used in healthcare?

Artificial Intelligence, or AI, is having a dramatic effect on the healthcare sector. At its core, artificial intelligence seeks to mimic the unique processing capacity of the human brain. Using algorithms, pattern matching, deep learning, cognitive computing, and heuristics, AI is able to quickly sort through masses of raw data. This is incredibly helpful in the medical field. In addition to the millions of Electronic Health Records (EHRs) at the center of our healthcare system, medical practitioners must also incorporate data from studies, data from testing, and past patient records when diagnosing and treating a case. AI can use predictive models to find irregularities or similarities in raw data that doesn’t have to be pre-sorted. This helps doctors improve diagnosis accuracy, patient care, and outcomes. AI’s ability to find meaningful relationships in data is being used as a powerful tool to aid in drug development as well as patient monitoring and treatment plans. Artificial Intelligence is becoming more common in many parts of the healthcare system, and it is estimated that $36.8 billion will be invested in AI systems across the US by 2025. AI is poised to be the main force that drives improvement across the healthcare industry.

Why is this a big deal?

Artificial Intelligence will be the engine of change by organizing masses of data and giving relevance to data points, which will ultimately improve reliability and objectivity in diagnoses. AI will provide context for patient data more quickly than ever before, allowing doctors to identify and treat diseases accurately, minimizing misdiagnosis and lowering the mortality rate. In addition, the costs for drug development will be lower, as we will more accurately be able to predict the drugs’ effects in certain patients. This all leads to an increase in doctors’ facetime with patients. They become freed from analyzing mountains of data and more able to focus on care and healing.

What concerns with cybersecurity arise when using AI?

When we open up patient records to artificial intelligence, we are opening up our systems to outside attacks. With sensitive information at risk, healthcare providers must be very careful that their rate of system upgrade does not outpace their security improvements. Installing new systems that sort sensitive patient data must be tested from all endpoints to ensure there are no flaws or vulnerabilities to attack. AI dramatically increases the complexity of assessing security threats. These new systems could be a point of entry for malware that will be difficult for systems designed to monitor human behavior to detect. 

What upgrades in cybersecurity are necessary to protect against these concerns?

Greater use of AI in healthcare systems means that we need greater use of AI in cybersecurity software to match it. Our main protection will be anomaly detection. This will mean installing these detection programs across all endpoints in the system. Anomaly detection works in the same way that the AI identifies meaningful relationships in patient data. It monitors the system and senses potential threats whenever there is unusual behavior. Anomaly detection can do more than discover malware within a system. It can also identify where the cyber attacks are coming from and what kind of attacks being perpetrated. Predictive analytics for malware detection can also stop problems before they start. These analytics can identify suspicious files and prevent them from opening, stopping problems before they start. Properly planned and configured, these new cyber security measures act like the immune system for a healthcare company. 

What are the challenges in implementing new AI/Cyber Security Procedures in healthcare systems?

Establishing new and heightened security procedures require behavior monitoring, to make sure users are complying with new systems. While some users may think that increased security measures are intrusive at first, compliance is paramount. When cybersecurity systems are implemented without factoring in the human element and allowing time for training, it can often lead to users falling back on unauthorized apps and outdated but familiar systems. These non-sanctioned entrances into the system leave it vulnerable to a breach. There are human users in your system in addition to AI, and it can take time and planning to make sure your innovations don’t outpace your cyber security procedures. A coordinated strategy that considers both human and artificial intelligence creates a healthcare system that is more accurate, faster, and cheaper for patient treatment.

Want to know more about how you can ensure your company is secure? Contact us!

Categories
Computer & Network Security

An Argument for Increased Focus on Data Backups

The necessity for backups has always existed, but the reason for backing up has changed significantly in recent years. Today, backing up data is just as important for cyber security reasons as it ever has been for disaster recovery. But our architecture must be rethought with this new emphasis.

When did we start conducting data backups?

A long time ago–in a galaxy far, far away…–backups we’re theoretically designed to mitigate against the risk of a disaster: fire, flooding, equipment failure etc. In reality, they were used primarily to correct bad decisions (we updated the server and it crashed, now we must go back to the previous version). A long standing practice of any IT change process I have been a part of has been “Back it up before you do that.” With the prevalence of virtual machines and the ease of taking a “snapshot,” back ups became very easy to do. Software and converged infrastructure have also made this increasingly robust and convenient as well.

However, with convenience comes a price. Many of our backup systems are on shared storage. We back up to the same place logically that our files are stored. And this is the underlying fallacy in our new cyber security reality. Our backups used to go to tape and get stored off-site. A return to this complexity needs to occur.

Backup Best Practices

Backups need to be on a completely separate storage volume that is not accessible to anyone or any bot, except that backup software. The credentials need to have strict complexity and policy to prevent access. Traffic should only be initiated from the backup network to the backup target and no traffic allowed to be initiated from the client network. Additionally, this information needs to be taken offline with regularity, removing it from the network.

Data Backup Illustration
Data Backup Best Practices

Here’s a scenario: Organization X is performing backups and test restores according to their risk management profile. Some info is backed up daily, some hourly. Everyone is happy with the results. Suddenly, ransomware attacks the network and begins encrypting any data that is exposed, including backup files on a shared drive. This renders the backups useless for recovery from this attack.

Finally, this needs to be an executive level discussion. If you were the CEO of an organization, you would immediately be informed if the network was “down.” Being operational and ensuring your employees are productive is the most important piece of information you can receive from your IT team. The second most important piece of information should be “the backup process didn’t work last night.” The amount of risk this puts you in, potentially having to replace work from an entire day or longer, should be a risk you are aware of and constantly guarding against.

Categories
Computer & Network Security

Do you really need a smart toaster?


Even though you CAN buy it, you need to ask yourself if you really SHOULD you buy that Internet-connected appliance……..

Very few people would seriously consider this question before purchasing a brand new appliance or item that has all sorts of nifty and exciting ‘up-sell’ features, such as network or direct Internet-connectivity.

But for those of us who work in the computer and network security fields, this question is neither academic nor trivial.

It’s easy to understand why Internet-connected gadgets are tempting. Who wouldn’t want a dog collar with a GPS in it, in case Fido runs away? Who would turn down a tracking unit you could put in your child’s backpack in case they get lost or something more sinister happens? And who wouldn’t find some convenience in a video-capable home security system that was able to be monitored while you were at work?

The problem is that the security of these gadgets is questionable at best. Multinational, experienced software companies, such as Microsoft and Apple, have entire divisions devoted to securing their software and hardware, and yet potential and actual compromises are announced almost on a weekly basis. Most corporations have IT security teams who monitor and test systems on a regular basis but we read about corporate breaches almost daily.

In light of those observations, can we really trust the manufacturing company that creates a product that allows you to keep track of your child or pet via an Internet-based website? How do we know they’re performing due diligence to keep the location of your child safe? How can you be assured that a potential burglar isn’t watching for the next time you kennel your pets, giving them a good idea when you’re out of town? And who’s monitoring the log data to be sure that your home security system wasn’t shut down remotely for a brief period today and then reactivated? Or who’s making sure that your “private” video feed into your house isn’t quite so private after all?

Sometimes it pays to be a little paranoid and cautious. When purchasing a product with a network connection, do some due diligence. First, ask yourself if you really need it. Is it going to simplify your life or bring a reward that’s worth the risk? Second, do a little research. Find manufacturers with a proven track record or maybe those who have partnered with a security-conscious company. And above all, be careful. Be aware of what you have and practice common sense security precautions – change passwords, watch for anomalous behavior, and review and apply software updates.