The guide stems from the Cybersecurity Act of 2015.

The Department of Health and Human Services on Friday released a publication containing voluntary cybersecurity practices for healthcare organizations ranging in size from local clinics to large hospital systems.

Titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” the four-volume publication is the result of a two-year public-private partnership between HHS and healthcare industry professionals. According to a press statement from HHS, more than 150 cybersecurity and healthcare experts participated in the effort, which was mandated through the Cybersecurity Act of 2015.

“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” Janet Vogel, HHS Acting Chief Information Security Officer said in a statement. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

The guidance is a mixture of highly technical solutions and common sense practices applicable to a wide range of healthcare facilities. The core of the document explores the five most relevant threats to the healthcare industry and recommends 10 cybersecurity practices to mitigate them. It also emphasizes the importance of moving quickly to address these threats.

“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine. “That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert.”


via:  nextgov



Security Predictions by Security Industry Company – Top 19

Cyber security is the number one new megatrend shaping the industry, according to the Security Industry Association’s (SIA) yearly report defining the major trends and forces at play in the global security industry. By nearly 30 percentage points, industry leaders said cyber security’s impact on physical security solutions was the greatest they were expecting to face in 2019.

Here are the cybersecurity industry’s annual predictions, online threat forecasts and cybersecurity trend reports: a roundup of top insights from the leading security companies and cyber experts for 2019 and into the 2020s.

1) Trend Micro once again delivers a top-notch, comprehensive security prediction report that is easy to access and based upon “our experts’ analysis of progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape.”

Trend Micro’s report is titled Mapping the Future: Dealing With Pervasive and Persistent Threats and is available in Web and PDF formats. They do a creative job of categorizing their predictions into items for Consumers, Enterprises, Governments, Security Industry, Industrial Control Systems, Cloud Infrastructures and Smart Homes — with pragmatic action items for all.

Here are a few top-line prediction examples (with many more details available in the report linked above):

  • Actual Mass Real-World Use of Breached Credentials Will Be Seen
  • Sextortion Cases Will Rise
  • Home Networks in Work-From-Home Scenarios Will Open Enterprises to BYOD-like Security Risks
  • Innocent Victims Will Get Caught in the Crossfire As Countries Grow Their Cyber Presence
  • 99% of Exploit-Based Attacks Will Still Not Be Based on 0-Day Vulnerabilities
  • Cybercriminals Will Compete for Dominance in an Emerging IoT ‘Worm War’
  • My favorite from Trend Micro: Cybercriminals Will Use More Techniques to Blend In – “In response to security vendor technologies, specifically the renewed interest in machine learning for cybersecurity, cybercriminals will use more malicious tactics to “blend in.” New ways of using normal computing objects for purposes other than their intended use or design — a practice known as “living off the land” — will continue to be discovered, documented, and shared. We have been observing a few of these.”

2) FireEye once again offers an extensive, intriguing predictions report, which is excellent and definitely worth reading. But for the first time in a few years, they do not require registration to access their prediction details. However, once you read for a few minutes, a box will pop up requiring your contact details to continue, so if you don’t want to register — save the PDF quickly offline. And yes — the report is impressive and thought-provoking.

FireEye’s report is titled: Facing Forward: Cyber Security in 2019 and Beyond. (You can also watch a video overview discussion below from FireEye.) Their leadership took a different approach this year, offering words of wisdom on cybertrends from executives on a variety of topics. It starts with this strong endorsement of prediction reports from Kevin Mandia their CEO: “In the cyber security industry, we’re so frequently working around-the-clock for days at a time that we often forget when one year ends and another begins. It’s a shame, too, because the end of the year is a very important time. It provides a moment to reflect on what we observed and experienced over the past 12 months, and to consider how best to address the challenges we have been facing. Perhaps more critical to our line of work, it offers an opportunity to note what developed into a trend, and what might develop into a trend as we move into the next year and beyond.”

Here are some of the high-level topics covered by FireEye:

  • (More) Nations developing offensive capabilities
  • Breaches continuing due to lack of attribution and accountability
  • The widening skills gap, and fewer trained experts to fill security roles
  • Lack of resources, especially for small and medium-sized enterprises
  • Supply chain as a weakness
  • Attackers eyeing the cloud, since that’s where the data is headed
  • Social engineering, considered by many to be the most dangerous threat
  • Cyberespionage, cybercrime and other threats to the aviation industry


3) McAfee Labs 2019 Threats Prediction Report led with these words: “Greater collaboration among cybercriminals exploiting the underground market, which has allowed them to develop efficiencies in their products. Cybercriminals have been partnering in this way for years; in 2019 this market economy will only expand. The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before. …”

Ever heard of “synergistic threats?” You’ll need to read their report to understand where that trend is going. Here are their top 7 predictions — with details at the links on each item:

4) WatchGuard Technologies kept pace with the top-tier cybersecurity rivals in their 2019 prediction report that breaks some new ground. “This year the team at the WatchGuard Threat Lab imagined a string of attacks that could lead to a cybersecurity apocalypse. Our security predictions for 2019 span from likely to audacious, but in all cases there’s hope for preventing them with layered security defenses that meet them head-on!”

My favorite WatchGuard predictions:



5) Forcepoint stepped up their game with an impressive cybersecurity prediction report this year: a 23-page quality presentation in multiple formats, including PDF. They went out on a few limbs and countered the masses on areas ranging from AI to the cloud.

Their content is also fresh and not “warmed over from last year” like many other 2019 reports.

Forcepoint Predictions:

  • The winter of AI — There is no real AI in cybersecurity, nor any likelihood for it to develop in 2019.
  • Industrial IoT disruption at scale — Attackers will disrupt Industrial Internet of Things (IIoT) devices using vulnerabilities in cloud infrastructure and hardware
  • A counterfeit reflection — Hackers will game end-user face recognition software, and organizations will respond with behavior-based systems.
  • Courtroom face-off — 2019 will see a court case in which, after a data breach, an employee claims innocence and an employer claims deliberate action.
  • A collision course to cyber cold war — Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cybertactics to disrupt government, critical infrastructure, and vital industries
  • Driven to the edge — Consumer concern about breaches will cause companies to embrace edge computing in order to enhance privacy. Designers will face significant headwinds with adoption due to low user trust.
  • Cybersecurity cultures that do not adapt will fail — Industrywide security trust ratings will emerge as organizations seek assurances that partners and supply chains are trusted partners.

6) BeyondTrust — Once again offers a solid list of security predictions that have hyperlinks to plenty of supporting details and reasons why (for those who like to dig deeper). I like the opening by Morey Haber, their CTO: “There are three jobs in this world where you can be completely wrong all the time and still not have to worry about being fired. One is a parent. Another is a weatherperson. And the last one is a technology trends forecaster.”

Their top predictions include:

  • Privileged attack vectors will continue to be the number one root cause of breaches for both consumer and business data.
  • Well-known Vulnerabilities Will Continue to Dominate Cyber Attack Reports — “The pattern of successful attacks through the use of well-known and entirely preventable vulnerabilities shows little sign of abating. Organizations continue to focus their efforts injudiciously, ignoring the lower severity vulnerabilities with known exploits in favor of largely academic, high severity vulnerabilities.”
  • AI on the Attack: Skynet is becoming self-aware!
  • Results Section: Millennials Ruin Everything — Evolving Definitions of Privacy
  • Centralized Information Brokers Emerge

7) Symantec — In a featured blog, Symantec leaders Steve Trilling and Dr. Hugh Thompson offer their list of Cyber Security Predictions: 2019 and Beyond. Their predictions were fairly mainstream. Here are a few:

  • Attackers Will Exploit Artificial Intelligence (AI) Systems and Use AI to Aid Assaults
  • Defenders Will Depend Increasingly on AI to Counter Attacks and Identify Vulnerabilities
  • Growing 5G Deployment and Adoption Will Begin to Expand the Attack Surface Area
  • IoT-Based Events Will Move Beyond Massive DDoS Assaults to New, More Dangerous Forms of Attack
  • Attackers Will Increasingly Capture Data in Transit

8) Kaspersky’s 2019 Predictions were harder to find than last year, but they still offer some very good insights, such as these:

  • No more big APTs
  • Public retaliation
  • Emergence of newcomers — “The thing is that the entry barrier has never been so low, with hundreds of very effective tools, re-engineered leaked exploits and frameworks of all kinds publicly available for anyone to use. As an additional advantage, such tools make attribution nearly impossible and can be easily customized if necessary.”

And these Kaspersky predictions specifically on industrial control systems:

  • The ever-increasing attack surface — The increasing amount of automation systems, the variety of automation tools, number of organizations and individuals with direct or remote access to automation systems, as well as the emergence of communication channels for monitoring and remote control between previously independent objects — all expand the opportunities for criminals to plan and execute their attacks.
  • The underestimation of general threat levels

9) Verizon — I give Verizon a lot of credit for going back every year and looking at how they did at predicting trends from the year before. Verizon offers this list of 7 trends driving enterprise IT transformation in 2019. Most of these are customer focused (and not security-focused) like: “Businesses will invest for performance.” And yet, almost every one of these has a security component that shows up regarding trust and delivery guarantees.

Consider these Verizon predictions:

  • Contextual privacy will be front and center
  • Automation will transform the workforce: Robotic process automation and machine learning (ML) will transform how business operates
  • We’ll go back to basics on security (again), but also focus on specifics: In 2019, organizations will redouble their efforts to strengthen their security posture. It’s about understanding their risk environment, and ensuring they are doing the basics right to protect their business; practicing IT hygiene to keep infrastructure current to protect against vulnerabilities continues to be critical.

10) AT&T — offers these 5 cybersecurity trends to expect in 2019. Starting the list is cybersecurity automation: “As it relates to staffing, we may see a rise in the automation of security and data privacy. …”

Also, after many predictions from 1993 came true, AT&T recently asked their staff to think more long-term about where the world is heading over the next decade or two. You may wonder, what do any of these have to do with security? Quite a bit, if they are going to come true.

Here are some of those AT&T future predictions:

  • Caretaking robots — Robots are already in our homes in the form of vacuum cleaners and cute mechanical dogs, but Andrew McAfee, MIT research scientist, envisions more sophisticated robots helping senior citizens with dementia or children with autism. “One of the great things is they don’t get impatient with human beings,” he said.
  • AI and your digital self — Artificial intelligence can allow us to leave an imprint of ourselves that can remain a hundred years from now. Alicia Abella, VP of operational automation and program management for AT&T, envisions creating an AI print of her deceased father, a pitcher, who could teach her son how to play baseball.
  • Shopping — The mundane task of grocery shopping could be eliminated if Abella has her way. She describes virtually picking her own tomatoes, but through an avatar in the store while she sits at home.
  • Cars — Autonomous driving may end up being a real game changer for the industry. “No one will own a car in 25 years,” said Rsesh Patel, senior executive vice president of retail and care at AT&T.

11) RSA Security (A division of Dell) — Back in October, RSA offered these trends for 2019 in the Middle East, which quite frankly read like more of the same as in 2018. However, this updated December list of 7 trends to watch out for seems more cutting edge — but no big surprises.

Here are a few new RSA security predictions:

  • More sophisticated artificial intelligence features of security tools in 2019.
  • Cryptomining will continue to be a threat as long as attackers can make quick cash from the infections. Be on the lookout and deploy endpoint and intrusion prevention tools designed to detect these exploits. (Note: This is different than others who think this trend is fading.)
  • Lack of backup verifications will continue to plague IT managers, making ransomware a continued threat in 2019.

12) Forbes — Most readers know that Forbes magazine online offers a wealth of different perspectives and experts on a variety of topics, but they also carefully select who speaks for them. This list of 60 cybersecurity predictions for 2019 by Gill Press is worth reading through, mainly because it covers the thoughts of some excellent leaders in smaller companies that are breaking ground on new ideas and cybersolutions in areas like AI.

Here are a few of my favorites on the Forbes list:

  • Terrorist-related groups will attack population centers with crimeware-as-a-service. …
  • Managing privacy will be the new normal, like securing data or paying taxes. Privacy will continue on a similar path as the evolution of cybersecurity. …
  • “In 2019, healthcare organizations will be the number one target for attackers. …”

13) Bitdefender cracks the top list for the first time, with this well-thought-out list from Liviu Arsene, who is a Global Cybersecurity Researcher.

Some of their top predictions:

  • macOS attacks on the rise — Apple’s share of the desktop market is rising, and malware designed to infect Macs is growing along with it.
  • Combating invisible threats — Network-level exploits will enter the limelight next year, and they will likely be hyped by social media, if history is any indication.
  • A shift toward mobile attacks — Fintech services are paving the way to a very profitable new trend for hackers, particularly in the mobile space. The more money they manage on behalf of their users, or the tighter the integration with traditional banking systems, the more attention they will get from cybercrooks who will likely develop new threats targeting these specific services in 2019.

14) Sophos Labs offers an excellent 2019 Threat Report that highlights cybertrends for the coming year, some pontification about 2018 as well as conclusions like “ransomware is not going away.” Here are a few of the Sophos cyberthreat trend topics covered as we head into 2019:

  • Targeted attacks gain popularity, reap deep rewards
  • What’s old is new again
  • Transitioning to manual attack mode
  • SamSam ransom payments — Total: $6.5 million USD
  • Attacker techniques evolve to use what’s already there
  • “Living off the land” is the new law of the land
  • How “LoL” changes malware detection and prevention
  • The growth explosion of Office exploits
  • Mobile and IoT: Malware is not slowing down
  • The growing and persistent threat of mobile malware
  • Android: The good, the bad, and the ugly
  • Unusual malicious campaigns affecting the Android platform
  • Attacks against the internet of things

15) IBM’s predictions could not be more different from Forcepoint’s. In a sentence, Big Blue is going “all-in” on AI and throwing a bit of quantum computing into the mix for 2019 to help solve our growing problems.

  • Causality will increasingly replace correlations
  • Trusted AI will take center stage
  • Quantum could give AI an assist

IBM’s X-Force Labs also put out their own predictions this week which can be found here.


16) Forrester — The resources of Forrester, Gartner and a few similar companies are extensive in the prediction space, but finding their content can be difficult, given business models that ask you to pay for the details behind their materials. Most of their reports are not free.

Still, there are many ways to get Forrester prediction overviews (with details often hidden unless you pay) in both technology and security.

For technology, here are 14 quick tech predictions for 2019 — leading with “Customer experience (CX) remains under fire.”

For security, this blog lays out Forrester’s 2019 themes, such as “Economic espionage will reawaken because of the US-China trade war.” And, “women CISOs will increase as companies look for different perspectives.”

17) Gartner offers these “Top Strategic Predictions for 2019 and Beyond.” Here are some interesting samples that go into the 2020s:

  • Affidavits fail cyberbullying — By 2023, 25% of organizations will require employees to sign affidavits to avoid cyberbullying, but 70% of these initiatives will fail.
  • Personal data poisons blockchain — By 2022, 75% of public blockchains will suffer “privacy poisoning” — inserted personal data that renders the blockchain noncompliant with privacy laws.
  • Consumers ignore security breaches — Through 2021, social media scandals and security breaches will have effectively zero lasting consumer impact.

18) Nuvias Group — Ian Kilpatrick, EVP Cyber Security, Nuvias Group, offers a simple, straightforward list that seems pragmatic, with few surprises.


Top 3 Predictions:

  • Increase in crime, espionage and sabotage by rogue nation-states
  • GDPR — the pain still to come
  • Cloud insecurity — it’s your head on the block

19) Barracuda MSP — offers this list of 2019 predictions via ChannelFutures.com — Here are a few:

  • Email security will continue to dominate the threat landscape.
  • Cybersecurity education will be key to mitigating threats and vulnerabilities.
  • Differentiation will happen through vertical focus. (for channel partners)

Bonus cyber prediction to round off to an even 20 — heading into 2020:

Zscaler offers this excellent list of predictions that starts with these three items:

  • We’ll see an increase in attacks targeting specific cloud applications.
  • Governments will look to the private sector for help with securing cloud apps.
  • More state-employed white hat hackers will “moonlight” with organized criminal elements.

Honorable Mention Predictions — These are not in my top 19, but offer good predictions. If you don’t see your organization’s predictions on the list, let me know, and I will consider adding after review. (Note: The prediction must be available online to reference details via a link):


  • Channelnomics.com — Offers these vendor predictions. I like this excerpt: “Ninety-nine percent of partners questioned for a December 2018 survey by network security firm Untangle said that cyber security as an overall part of their business will increase or stay the same in 2019, while 80 percent believe that their cyber security revenue will increase in 2019. …”
  • SC magazine offers these six cybersecurity predictions, leading with: “Zero Trust Goes from Buzzword to Reality.”  
  • Information-management.com offers these 10 cybersecurity predictions for 2019 — leading with “Increase in crime, espionage and sabotage by rogue nation-states.”
  • DZone offers an extensive list of 2019 security predictions starting here; however, they ask whether overall predictions are very different from last year. They believe that “we are making progress against cyber attacks.” Still, their detailed list is worth reviewing, as they are a rare predictor with optimism.

  • BioMetricUpdate.com offers these unique and fascinating cybersecurity predictions, from the ‘first major biometric hack’ to ‘IoT devices start to scam users’ – meaning that our fridges and washing machines may start buying (authorizing payments for) unwanted items.
  • Thycotic – Joseph Carson, Chief Security Scientist at Thycotic, is very smart, with global experience and has amazing cyberstories. His 5 cyber predictions are worth reading and begin with a unique prediction “million-dollar data breach fines.”
  • CDO Trends offers these 5 Ways 2019 Can Be Very Different For Cybersecurity. They lead with this from CyberArk: “Emerging ‘unique human identities’ under attack” – meaning “attackers will increasingly target these identities to gather massive amounts of biometric data for future modeling purposes and nefarious use. …”
  • Splunk has come out with their predictions for 2019, which are highlighted here. Their ebook, which requires registration, covers AI and machine learning, security, IT operations, and IoT. Splunk predicts that security teams will benefit from big data platforms, machine-learning-based analytics, and orchestration and automation technologies.
  • NTT Security issued their predictions for 2019, and they were one of the few companies saying that a significant cyberattack against critical infrastructure (albeit in a developing nation) will lead to a major health or safety impact on the nation’s citizens.
  • Robert Ackerman Jr., who is the founder and managing director of AllegisCyber offers his perspective on a worse hacking landscape in 2019. One specific (and new) item on his list – more cyber attacks on satellites. Robert also says ransomware will expand – while others say the opposite.
  • Healthcare Analytics News (HCANews.com) offers these thoughts on what’s next for cybersecurity. Some of these forecasts are opposites of others on this list (such as the death of passwords being overblown). At the same time, this is unique: “We will get one step closer to living in “The Matrix.” They also are starting to see cybersecurity as a competitive advantage in 2019. (I agree)
  • KnowTechie.com offers these cyber security predictions for 2019 from Evan Morris, with many familiar items on his New Year’s Eve list. Here’s a new item near the end: “New jobs appearing, such as chief cybercrime officer (CCO).”
  • Zack Whittaker, a senior editor at TechCrunch, offered an entertaining list of activities to expect in cybersecurity in 2019 – a few hours before the ball dropped in NYC. I give him credit for including: “Brexit hampering U.K. start-up growth” and “draconian Australian encryption laws will hurt,” which are not on other lists. His opening rant on how “predictions are not news” and “predictions emails piss me off” reminds me of Ira Winkler’s similar sentiments offered a few years back in this Computerworld opinion: “Hocus-pocus! The stupidity of cybersecurity predictions.” My detailed (contrarian) response to Ira (and now Zack) on why this is happening and how to benefit can be found here. While I can relate to Zack’s experiences related to companies having prediction agendas, this is just a warm-up for 2020. He would get the ‘Ticked Off Award’ – if I had one.
  • ChannelE2E.com brings us Tim Brown, SolarWinds MSP VP of Security, who offers 4 Cybersecurity Predictions for 2019 that focus on how data breach reporting may expand and on how “MSPs and MSSPs will partner.” This piece offers a unique and helpful perspective for security service providers. 



What’s Missing From These Predictions?

Very little is mentioned about cyberattacks trying to take advantage of or disrupt global events, from sports events like March Madness betting to the Rugby World Cup scheduled in Japan in 2019 to G8 and other potential gatherings.

It is hard to say how financial markets could be impacted in 2019, but the recent big drop in stocks in the USA is certain to cause change and probably some hacker pain somewhere. With Fed testimony on 12/19/18, the market swung over 500 points on the words spoken by the Fed Chairman. Could false online rumors in 2019 cause a major stock market move? Or could hackers somehow manipulate stocks?

After everyone seemed to have a prediction on bitcoin in 2018, the huge drop in price has quieted talk about cryptocurrencies, but expect more hacking and other shenanigans with digital currencies.

Also, hacktivism is rarely mentioned for 2019, but a comeback of the small guys making headlines is sure to erupt at some point regarding global hacktivist activity. Indeed, I think a lot of that happened in 2018, but was below the radar. Could the “yellow vests” in France or others around the world do more online disruption? I think so. See this piece for more on this trend.

Finally, cyberinsurance will evolve in some of the ways outlined in this UK article.

Closing Thoughts

Here’s one cyberprediction from yours truly (Dan Lohrmann) for 2019 — more organizations and media outlets than ever will be making cyberpredictions for 2020 next October through December about the decade in cyber to come. Expect many more trends and forecast lists with titles similar to “top 20 security predictions for the 2020s.”

And as we head into 2019, I want to thank you for continuing to fight the cyberfight — despite the challenges and moving threat landscape that makes data protection so difficult.

Peter Drucker once said that “trying to predict the future is like trying to drive down a country road at night with no lights while looking out the back window.”

But Alexander Graham Bell once said: “The day will come when the man at the telephone will be able to see the distant person to whom he is speaking.”

How did he know that?



via: govtech



SANS Holiday Hack Challenge Open Now through January 14, 2019



The FREE annual SANS Holiday Hack Challenge is underway right now! This year, Santa is hosting KringleCon, a virtual conference at the North Pole, where you walk through Santa’s virtual castle and watch 22 top-notch recorded 12-18 minute talks with directly applicable technical skills. And, within your browser, you can also walk around Santa’s castle solving cyber defense, DFIR, and pen test challenges as an entertaining and surprising holiday plot unfolds. You’ll get to match wits with a holiday super villain while listening to a custom album of holiday tunes. It’s fun for all ages, and it is SANS’ gift to the cyber security community. Over 15,000 people have played so far! Get it all for free at https://holidayhackchallenge.com.





House panel: Equifax breach was ‘entirely preventable’

The devastating 2017 breach of credit-reporting company Equifax, which exposed data on 148 million people, was “entirely preventable” had the company applied proactive security measures, a congressional investigation has concluded.

“Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented,” says the report issued Monday by Republicans on the House Oversight and Government Reform Committee.

The committee’s 96-page report lays out why the hack, which compromised people’s names, Social Security numbers, addresses, credit card numbers, and other identifiers, has become a case study in failed IT leadership and software patching.

A “lack of accountability and no clear lines of authority in Equifax’s IT management structure” meant key security protocols were neglected, the House panel found: Equifax allowed over 300 security certificates to expire, including 79 for monitoring “business-critical” domains.

Furthermore, the company did not spot data being exfiltrated from its systems because a device used to monitor traffic had an expired security certificate, leaving it effectively inactive for 19 months, the report said.
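The two findings above are, at bottom, an inventory problem: certificates on a monitoring appliance and on business-critical domains lapsed and nobody was alerted. The following is an added example, not code from the House report, Equifax or CyberScoop, of the kind of expiry triage that surfaces such lapses. The hostnames, roles, expiry dates and the audit date are constructed sample data and are assumptions, not figures from the report. The `notAfter` strings use the same format that Python’s `ssl.getpeercert()` returns, so a live collector can feed the same records in.

```python
"""Certificate-expiry triage over a constructed TLS endpoint inventory.

Added example (not from the House Oversight report or Equifax). All hosts,
roles and dates below are assumed sample data.
"""
import ssl
from datetime import datetime, timezone

# Constructed inventory. The "notAfter" format matches ssl.getpeercert()["notAfter"],
# e.g. "Jan 31 12:00:00 2016 GMT", so a real collector can populate this list.
INVENTORY = [
    {"host": "dispute-portal.example.com", "role": "business-critical",
     "notAfter": "Jan 31 12:00:00 2016 GMT"},
    {"host": "ssl-visibility-01.example.com", "role": "monitoring",
     "notAfter": "Jan 31 12:00:00 2016 GMT"},
    {"host": "intranet.example.com", "role": "internal",
     "notAfter": "Aug 15 12:00:00 2017 GMT"},
    {"host": "www.example.com", "role": "business-critical",
     "notAfter": "Mar 01 12:00:00 2018 GMT"},
]

# Assumed audit date: the moment the check runs (fixed here so results are reproducible).
AUDIT_TIME = datetime(2017, 7, 29, 12, 0, 0, tzinfo=timezone.utc)

# Lower number sorts first: broken certificates before warnings, and a blind
# inspection device before anything else at the same status.
SEVERITY = {"expired": 0, "expiring": 1, "ok": 2}
ROLE_WEIGHT = {"monitoring": 0, "business-critical": 1, "internal": 2}


def parse_not_after(text):
    """Convert an ssl.getpeercert()-style notAfter string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def classify(record, now, warn_days=30):
    """Return (status, days_left) for one record; days_left is negative once expired."""
    days_left = (parse_not_after(record["notAfter"]) - now).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def triage(inventory, now, warn_days=30):
    """Annotate every record with status/days_left and order the worst problems first."""
    rows = []
    for rec in inventory:
        status, days_left = classify(rec, now, warn_days)
        rows.append({**rec, "status": status, "days_left": days_left})
    rows.sort(key=lambda r: (SEVERITY[r["status"]],
                             ROLE_WEIGHT.get(r["role"], 9),
                             r["days_left"]))
    return rows


def blind_window_days(rows):
    """Days each expired monitoring device has been unable to inspect traffic.

    An expired certificate on an inspection appliance does not just fail a
    check: it silently removes the detection coverage the appliance provides.
    """
    return {r["host"]: -r["days_left"]
            for r in rows if r["role"] == "monitoring" and r["status"] == "expired"}


def report(inventory, now, warn_days=30):
    """Human-readable summary; returns a string so callers can log or assert on it."""
    rows = triage(inventory, now, warn_days)
    lines = ["%-8s %-17s %5d days  %s" % (r["status"].upper(), r["role"],
                                          r["days_left"], r["host"]) for r in rows]
    for host, days in blind_window_days(rows).items():
        lines.append("WARNING: %s has been blind for %d days" % (host, days))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, AUDIT_TIME))
```

With a live inventory, `ssl.getpeercert()` on a connected `SSLSocket` supplies the `notAfter` field directly; the point of the sort order is that an expired certificate on a monitoring appliance rises to the top of the list even when it is no older than the others, because it is the one that takes detection offline.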

The committee also found that former Equifax CEO Richard Smith’s “aggressive growth strategy,” which included numerous acquisitions, bred security risks at the company. As the credit-monitoring giant’s market share surged, it didn’t grasp how the 18 companies it had acquired changed its security posture, according to the committee.

In a statement, Equifax spokesman Jacob Hawkins said the company had found “significant inaccuracies” in its preliminary review of the committee’s report, and that the company disagreed with “many of the factual findings.”

For example, Hawkins said, the report refers to a settlement with state attorneys general that hasn’t happened and inaccurately describes the company’s online portal for consumer disputes as dating to the 1970s, when it was really built more recently.

“We are deeply disappointed that the committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information,” Hawkins said, adding that Equifax had “worked in good faith for nearly 15 months with the committee.”

Congressional investigators found that Equifax was vastly unprepared for supporting victims of the breach. A website and call centers for victims were flooded, depriving consumers of timely information on how the hack affected them, the committee said.

The long-running fallout from the breach has seen senior executives lose their jobs and U.S. lawmakers excoriate the company for faulty security. Although the company avoided paying a fine with U.S. state regulators in June, a U.K. regulator fined Equifax $664,000 in September for failing to protect information related to 15 million U.K. residents.

With its focus on IT mismanagement, the post-mortem on the Equifax hack is reminiscent of the aftermath of another big compromise of personal information: the 2015 Office of Personnel Management breach. That breach saw alleged Chinese hackers steal sensitive information on some 22 million current and former federal workers.

Although U.S. officials have long suspected and, in some cases, accused Chinese hackers of breaching OPM, less is publicly known about who orchestrated the Equifax hack. (Two years before it was hacked, Chinese spies targeted Equifax’s confidential business information, the Wall Street Journal reported.) The House Oversight report says that Equifax identified “suspicious traffic” from at least one Chinese IP address while responding to the breach, but these are merely clues about the attack rather than conclusive attribution.

In February, Equifax hired Jamil Farshchi, who helped Home Depot respond to its data breach, as chief information security officer. In a July interview with CyberScoop, Farshchi outlined a three-part plan to change the security culture at Equifax. Farshchi said then that the company didn’t know who carried out the hack.

The House Oversight committee’s 14-month investigation produced several security recommendations for organizations to avoid being the next breach victim, or at least mitigate the damage, including: moving away from Social Security numbers as an identifier, ditching legacy IT systems, and being more transparent about cybersecurity risk with regulators.

Prior to getting hacked in 2017, Equifax didn’t disclose any cybersecurity incidents or risks it was carrying in its filings with the Securities and Exchange Commission, the committee said. Hawkins, the Equifax spokesman, said that was incorrect, that the company had indeed addressed cybersecurity risk in its SEC disclosures.

House Democrats on Monday released their own report on the Equifax breach, complaining that their suggestions were not included in the report from the House Oversight committee Republicans. The Democrats’ report advocates for a federal law to ensure more timely public notifications of data breaches.

via:  cyberscoop



Marriott Hit by Massive Data Breach: 500 Million Starwood Customers Impacted

Marriott International said early Friday that data on roughly 500 million customers staying at Starwood hotel properties had been compromised in a breach that gave unknown attackers access to the Starwood network since 2014.

The company said it has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.

The hotel giant said that on September 8, 2018, it received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. The company said it “quickly engaged leading security experts” to conduct an investigation, which found that there had been unauthorized access to the Starwood network since 2014.

“Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that it was from the Starwood guest reservation database,” the company said in a breach disclosure.

According to the company, customers who made a reservation on or before September 10, 2018 at a Starwood property likely had their information compromised, which the company broke down as follows:

For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information. Marriott reported this incident to law enforcement and continues to support their investigation.

Marriott completed its acquisition of Starwood Hotels & Resorts Worldwide to create the world’s largest hotel company.

Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Starwood branded timeshare properties were also impacted by the incident.

Marriott said it was working to phase out Starwood systems and accelerate ongoing security enhancements to its network.

Shares of Marriott International are trading down roughly 6% in pre-market trading at the time of publishing.

Via:  securityweek



Congress Approves Creation of New Cybersecurity Agency at DHS

U.S. DEPARTMENT OF HOMELAND SECURITY

Office of Public Affairs


FOR IMMEDIATE RELEASE

November 16, 2018

Cybersecurity and Infrastructure Security Agency

On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This landmark legislation elevates the mission of the former National Protection and Programs Directorate (NPPD) within DHS and establishes the Cybersecurity and Infrastructure Security Agency (CISA).

  • CISA leads the national effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow.
  • The name CISA brings recognition to the work being done, improving its ability to engage with partners and stakeholders, and recruit top cybersecurity talent.

What Does CISA Do?

CISA is responsible for protecting the Nation’s critical infrastructure from physical and cyber threats. This mission requires effective coordination and collaboration among a broad spectrum of government and private sector organizations.

Proactive Cyber Protection:

  • CISA’s National Cybersecurity and Communications Integration Center (NCCIC) provides 24×7 cyber situational awareness, analysis, incident response and cyber defense capabilities to the Federal government; state, local, tribal and territorial governments; the private sector and international partners.
  • CISA provides cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies.

Infrastructure Resilience:

  • CISA coordinates security and resilience efforts using trusted partnerships across the private and public sectors, and delivers training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide.
  • CISA provides consolidated all-hazards risk analysis for U.S. critical infrastructure through the National Risk Management Center.

Emergency Communications:

  • CISA enhances public safety interoperable communications at all levels of government, providing training, coordination, tools and guidance to help partners across the country develop their emergency communications capabilities.
  • Working with stakeholders across the country, CISA conducts extensive, nationwide outreach to support and promote the ability of emergency response providers and relevant government officials to continue to communicate in the event of natural disasters, acts of terrorism, and other man-made disasters.

Organizational Changes Related to the CISA Act

The CISA Act establishes three divisions in the new agency: Cybersecurity, Infrastructure Security and Emergency Communications.

  • The Act transfers the Office of Biometrics Identity Management (OBIM) to DHS’s Management Directorate. Placement within the DHS Headquarters supports expanded collaboration and ensures OBIM’s capabilities are available across the DHS enterprise and the interagency.
  • The bill provides the Secretary of Homeland Security the flexibility to determine an alignment of the Federal Protective Service (FPS) that best supports its critical role of protecting federal employees and securing federal facilities across the nation and territories.


How automated incident response can help security

Automated incident response can benefit security both in the cloud and in traditional settings. Read what it can be used for and how it helps.

Despite the increase in breaches and security incidents we hear about regularly, many incident response teams are understaffed or struggling to find the right skill sets to get the work done.

Today, more enterprise incident response teams actively look for opportunities to automate processes that often take up too much time for highly skilled analysts, as well as those that require lots of repetition and provide little value in investigations. Common activities that many teams consider automating include the following:

  • Identifying and correlating alerts: Many analysts spend inordinate amounts of time wading through repetitive alerts and alarms from many log and event sources, and then spend time piecing together correlation strategies for similar events. While this is valuable for the later stages of investigations, it can also be highly repetitive, and can be automated to some degree.
  • Identifying and suppressing false positives: This can be tedious work on a good day and overwhelming on a bad one. Identifying false positives can often be streamlined or automated using modern event management and incident response automation tools.
  • Initial investigation and threat hunting: Analysts need to quickly find evidence of a compromised system or unusual activity, and they often need to do so at scale.
  • Opening and updating incident tickets/cases: Due to improved integration with ticketing systems, event management and monitoring tools used by response teams can often generate tickets to the right team members and update these as evidence comes in.
  • Producing reports and metrics: Once evidence has been collected and cases are underway or resolved, generating reports and metrics can take a lot of analysts’ time.

James Carder and Jessica Hebenstreit of Mayo Clinic provided several tactical examples of automated incident response in a past RSA Conference presentation:

  • automated domain name system (DNS) lookups of domain names never seen before and driven by proxy and DNS logs;
  • automated searches for detected indicators of compromise;
  • automated forensic imaging of disk and memory from a suspect system driven by alerts triggered in network and host-based antimalware platforms and tools; and
  • network access controls automatically blocking outbound command-and-control channels from a suspected system.
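The automation candidates listed above (alert correlation, false-positive suppression, first-seen domain lookups driven by proxy logs, indicator searches and ticket generation) can be put together in a few dozen lines. The following Python script is an added example written for this page; it is not code from the TechTarget article, the Mayo Clinic presentation or any vendor product. The proxy log format, host names, signatures, allowlist and indicator domains are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (made up for this example, not from a real environment).
# Assumed format: "<timestamp> <source host> <method> <destination domain> <action>"
PROXY_LOGS = """\
2018-11-20T09:00:01Z ws-042 GET updates.example-vendor.test ALLOW
2018-11-20T09:00:05Z ws-042 GET cdn.example-vendor.test ALLOW
2018-11-20T09:01:10Z ws-017 GET xk3j9.zq-unusual.test ALLOW
2018-11-20T09:01:12Z ws-017 GET xk3j9.zq-unusual.test ALLOW
2018-11-20T09:02:00Z ws-099 GET updates.example-vendor.test ALLOW
2018-11-20T09:03:30Z ws-017 POST xk3j9.zq-unusual.test ALLOW
2018-11-20T09:04:00Z ws-099 GET bad-actor-c2.test DENY
"""

# Domains observed during a prior baseline period (constructed).
KNOWN_DOMAINS = {"updates.example-vendor.test", "cdn.example-vendor.test"}

# Constructed alert stream from two sensors: (sensor, host, signature).
ALERTS = [
    ("edr", "ws-017", "suspicious-powershell"),
    ("edr", "ws-017", "suspicious-powershell"),
    ("edr", "ws-017", "suspicious-powershell"),
    ("ids", "ws-017", "beaconing-interval"),
    ("edr", "ws-042", "vendor-updater-signed"),
    ("edr", "ws-042", "vendor-updater-signed"),
]

# Signatures the team has already triaged as benign (constructed allowlist).
FALSE_POSITIVE_SIGNATURES = {"vendor-updater-signed"}

# Indicators of compromise from a threat feed (constructed).
IOC_DOMAINS = {"bad-actor-c2.test"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<domain>\S+) (?P<action>\S+)$")


def parse_proxy(text):
    """Turn raw proxy lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def first_seen_domains(records, known):
    """Domains contacted today that never appeared during the baseline period."""
    return {r["domain"] for r in records} - known


def correlate_alerts(alerts):
    """Collapse repetitive alerts into one case per host, counting repeats per signature."""
    cases = defaultdict(lambda: defaultdict(int))
    for sensor, host, signature in alerts:
        cases[host][(sensor, signature)] += 1
    return {host: dict(sigs) for host, sigs in cases.items()}


def suppress_false_positives(cases, benign_signatures):
    """Drop signatures already triaged as benign; hosts left with nothing disappear."""
    cleaned = {}
    for host, sigs in cases.items():
        kept = {k: n for k, n in sigs.items() if k[1] not in benign_signatures}
        if kept:
            cleaned[host] = kept
    return cleaned


def search_iocs(records, ioc_domains):
    """Hosts that tried to reach a known-bad domain, whatever the proxy verdict was."""
    return {r["host"] for r in records if r["domain"] in ioc_domains}


def build_tickets(records, alerts):
    """One ticket per host with open findings, shaped for handoff to a ticketing system."""
    cases = suppress_false_positives(correlate_alerts(alerts), FALSE_POSITIVE_SIGNATURES)
    new_domains = first_seen_domains(records, KNOWN_DOMAINS)
    ioc_hits = search_iocs(records, IOC_DOMAINS)
    hosts = set(cases) | ioc_hits | {r["host"] for r in records if r["domain"] in new_domains}
    tickets = {}
    for host in sorted(hosts):
        tickets[host] = {
            "alerts": cases.get(host, {}),
            "new_domains": sorted(d for d in new_domains
                                  if any(r["host"] == host and r["domain"] == d for r in records)),
            "ioc_hit": host in ioc_hits,
        }
    return tickets


if __name__ == "__main__":
    for host, ticket in build_tickets(parse_proxy(PROXY_LOGS), ALERTS).items():
        print(host, ticket)
```

On the constructed input, the two hosts that end up with tickets are the one whose repeated EDR alerts survive suppression and also contacted a never-seen domain, and the one whose only signal is a blocked request to an indicator domain; the host generating only allowlisted alerts produces no ticket at all, which is exactly the analyst time the article wants to save.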

There are many more areas where automated incident response can help, especially in forensic evidence gathering, threat hunting, and even automated quarantine or remediation activities on suspect systems.

Endpoint security vendors have begun to emphasize response automation and integration with detection, response and forensics capabilities. Analysts need to quickly identify indicators of compromise and perform lookup actions across other systems, and automating as much of this as possible is a common goal today.

There are a fair number of vendors and tools that can help integrate automation activities and unify disparate tools and platforms used for detection and response. These include Swimlane, FireEye Security Orchestrator, CyberSponse, Phantom, IBM Resilient Incident Response Platform, Hexadite and more, most of which use APIs with other platforms and tools to enable them to share data and create streamlined response workflows.

Things to consider when evaluating these types of products include maturity of the vendor, integration partners, alignment with SIEM and event management, and the ease of use and implementation.

Automated incident response in the cloud

Incident response in the cloud may rely on scripting, automation and continuous monitoring more heavily than in-house incident response does. Currently, many of the detection and response tools emerging for the cloud are heavily geared toward automation capabilities, which tend to be written to work with a specific provider’s APIs, many of which are focused on Amazon Web Services (AWS) at the moment.

Teri Radichel wrote a paper on AWS automated incident response and released a simple toolkit to help with it, as well.

The ThreatResponse toolkit developed by Andrew Krug, Alex McCormack, Joel Ferrier and Jeff Parr can also be used to automate incident response collection, forensics and reporting for cloud environments.

To truly implement automated incident response in the cloud, incident response teams will need to build automated triggers for event types that run all the time — such as AWS CloudWatch filters — especially as the environment gets more dynamic.

Deciding what triggers to implement and what actions to take is the most time-consuming aspect of building a semi-automated or automated response framework in the cloud. Do you focus on user actions? Specific events generated by instances or storage objects? Failure events? Spending time learning about cloud environment behaviors and working to better understand normal patterns of use may be invaluable here.
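The questions in the paragraph above (user actions, instance events, failure events, and what a "normal" pattern looks like) come down to a set of trigger rules and an agreed action for each. The Python below is an added example for this page, not code from the TechTarget article, the referenced paper or the ThreatResponse toolkit. It uses the CloudTrail record field names (eventName, eventSource, awsRegion, userIdentity, requestParameters), but every event value, the approved-region list and the rule names are constructed; real CloudWatch filter definitions and the remediation calls themselves are outside its scope.

```python
from dataclasses import dataclass

# Constructed CloudTrail-style records. Field names follow CloudTrail's record format;
# every value below is made up for this example.
EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"type": "Root"}, "requestParameters": None},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "deployer"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "deployer"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "ap-southeast-2", "userIdentity": {"type": "IAMUser", "userName": "deployer"},
     "requestParameters": {"instanceType": "c5.24xlarge"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"type": "AssumedRole", "userName": "ci-build"},
     "requestParameters": {"instanceType": "t3.small"}},
]

# Learned "normal": regions this team actually runs workloads in (constructed).
APPROVED_REGIONS = {"us-east-1", "us-west-2"}
ADMIN_PORTS = {22, 3389}


@dataclass
class Finding:
    rule: str
    severity: str   # "high" or "medium"
    action: str     # "page", "ticket" or "remediate"
    event_name: str
    region: str


def _finding(rule, severity, action, ev):
    return Finding(rule, severity, action, ev["eventName"], ev["awsRegion"])


def rule_root_login(ev):
    """A console login with the root identity is a user action that always warrants a page."""
    if ev["eventName"] == "ConsoleLogin" and ev["userIdentity"].get("type") == "Root":
        return _finding("root-console-login", "high", "page", ev)
    return None


def world_open_ports(ev):
    """Ports a security-group change opened to 0.0.0.0/0, or an empty list."""
    if ev["eventName"] != "AuthorizeSecurityGroupIngress":
        return []
    perms = (ev.get("requestParameters") or {}).get("ipPermissions", {}).get("items", [])
    return [p.get("fromPort") for p in perms
            if any(r.get("cidrIp") == "0.0.0.0/0" for r in p.get("ipRanges", {}).get("items", []))]


def rule_admin_port_open_to_world(ev):
    """SSH or RDP exposed to the whole internet is a candidate for automatic revocation."""
    if ADMIN_PORTS & set(world_open_ports(ev)):
        return _finding("admin-port-open-to-world", "high", "remediate", ev)
    return None


def rule_trail_tampering(ev):
    """Stopping or altering the audit trail is never routine; treat it like a failure event."""
    if ev["eventSource"] == "cloudtrail.amazonaws.com" and \
            ev["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail"}:
        return _finding("cloudtrail-tampering", "high", "page", ev)
    return None


def rule_unexpected_region(ev, approved=APPROVED_REGIONS):
    """Compute appearing in a region the team never uses: review it, but do not page anyone."""
    if ev["eventName"] == "RunInstances" and ev["awsRegion"] not in approved:
        return _finding("instance-in-unapproved-region", "medium", "ticket", ev)
    return None


RULES = (rule_root_login, rule_admin_port_open_to_world, rule_trail_tampering, rule_unexpected_region)


def triage(events):
    """Run every trigger over every event; events that match the learned normal produce nothing."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


def plan_actions(findings, auto_remediate=False):
    """Map findings to the agreed action; remediation stays a ticket until the trigger is trusted."""
    plan = []
    for f in findings:
        action = f.action
        if action == "remediate" and not auto_remediate:
            action = "ticket"
        plan.append((f.rule, action))
    return plan


if __name__ == "__main__":
    for rule, action in plan_actions(triage(EVENTS)):
        print(f"{rule:32} -> {action}")
```

The `auto_remediate` switch is the design point: a new trigger runs in ticket-only mode first, so analysts can watch how often it fires on genuinely normal activity before anything is allowed to act on its own.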

None of these tools and methods will replace skilled, knowledgeable security analysts who understand the environment and how to properly react during an incident scenario. However, unless we start detecting and responding more quickly, there’s no way we’ll ever get ahead of the attackers we face now and in the future.

via: techtarget



NERC CIP Audits: Top 8 Dos and Don’ts

I have been involved with quite a few projects over my career. I was involved with CIP compliance audits, investigations, auditor training, and many advisory sessions. Typically, I was advising entities across North America on different tactics, techniques, and insight from best practices I have seen. I wanted to share a few of the dos and don’ts during my experience out in the field.

8) Do Practice a Mock Audit

You will be audited. I cannot believe how many times I would walk into an entity and find out they had never performed a mock audit with their staff. They didn’t know the types of questions they would be asked, the evidence to produce, or the responses they should prepare for. Everyone was yelling at each other. It was a mess. Don’t let this be your entity, and make sure you practice several mock audits to understand where you may have some weaknesses. If you do nothing else listed here, this is highly recommended.

7) Don’t Lawyer up Every Conversation

While having lawyers is very important for any dispute, settlement, or compliance program process, they aren’t always the best choice for the front line in answering questions. For example, you don’t want your corporate attorney to answer technical questions on how your ESPs (Electronic Security Perimeters) are designed and configured.

6) Do Show Your Work

A lot of times, I would see an entity provide evidence of results. Sometimes you will hear auditors ask to see how you got to your results. A great example here is a Cyber Vulnerability Assessment or CVA.

One time, I remember an entity performing their CVA and getting a pile of results/action items to fix. They then showed a piece of paper that said “Results” and had a completed check mark. When the auditors asked how they completed some of these tasks, or if they could see the steps they went through to get this result, the entity had no answers. They couldn’t even confirm that all of the CVA findings were fixed because they didn’t have documentation for themselves.

5) Don’t Redact all Your Documentation and Evidence

The goal of the auditor is to help your entity demonstrate compliance to the NERC CIP standards, not to find areas of non-compliance.

I have been on audits where the entity would not even allow the auditors to view evidence by themselves – it had to be on an entity-owned machine with limited access, using documents in which most of the information was blacked out. All this did was extend the audit another week and create a starting point for more questions.

Please help the auditors by making evidence accessible and useful.

4) Do be Polite and Patient

When an auditor asks for information, they are usually just trying to get an understanding of your environment. This isn’t a court hearing. The audit team is just trying to gain an understanding of the entire picture because they don’t know your environment as well as you do.

They may also not be familiar with certain acronyms, diagrams and other procedures at your organization. Take your time and explain these to them, since they will help tell your story of compliance.

3) Don’t Scramble for Documentation

A perfect example here is CIP-004 R2 and R1 training and awareness program records. The CIP training standards dictate that authorized staff with unescorted physical or electronic access to BES Cyber Assets, otherwise known as BCAs, must go through a NERC CIP compliance training program. The NERC CIP security awareness program requirements under R1 simply say you need to prove that you made the staff and personnel in scope aware of a program. Seems easy, but it’s not unless you work together with your departments.

Any of your staff, contractors, vendors, and even cleaning crew might fall into the scope of this requirement. Make sure you have reports and records of your security awareness training program content available during the audit scope so that you are not scrambling during the audit. Every department is going to have a different set of personnel to make sure it is compliant.

2) Do Listen to CIP Auditors’ Advice

I have worked with the CIP audit and compliance teams in every region across North America. Your auditors have a lot of experience. They have seen more implementations, configurations, environments and procedures than you could ever imagine.

Listen to them if they talk about best practices or advice for additional approaches towards demonstrating compliance. Sometimes it can really help open your eyes to a different point of view.

1) Don’t Argue Over Every Word

During old CIP Version 3 audits, I have seen words like “significant,” “annual” and other non-defined terms used in every possible way you could imagine. Of course, some of that language has been cleaned up in the modern CIP standards, but you get the point. If you do have an undefined term, ensure you define it somewhere in your internal documents to show the audit team what you mean. Listen to best practices across your region and from NERC. Don’t try to re-invent the wheel.

These are just some basic tips I have personally experienced along the way. Audits are going to be tough no matter how prepared you are. Knowing that going in is half the battle. Make sure you have a plan, get your employees to communicate that plan, and execute. If every program was perfect, we wouldn’t need these types of compliance regulations. Mistakes happen, and how you learn from these mistakes is the goal of a successful compliance program.

Learn more about how Tripwire can help make your NERC CIP audit simpler, including insights on generating RSAWs and responding appropriately to pre-audit requests, by downloading a new paper here.

via:  tripwire



Proactive System Hardening: Continuous Hardening’s Coming of Age

The first article in this series examined configuration hardening—essentially looking at ports, processes and services where security configuration management (SCM) is key. The second article looked at application and version hardening strategies. This third installment will discuss the role of automation in the coming of age of what’s called “continuous hardening.”

Known Vulnerabilities vs. Conditional Vulnerabilities

If I want to harden my systems against “known vulnerabilities”—weaknesses or deficiencies for which there are known common vulnerabilities and exposures (CVEs)—I use a vulnerability management solution. If I need to harden my systems against “conditional vulnerabilities”—weaknesses based on the way they’re configured—I use an SCM solution. But without automation to provide the element of “continuousness” to these efforts, we rapidly find ourselves back at square one.

What is Configuration Drift?

To stick with our house analogy: If I’ve checked the configurations of all my doors and windows, but I have no way to know when the state has changed and I instead rely on periodic inspection by human eyes, a phenomenon known as “configuration drift” invariably occurs.

I open the fire escape window to water the potted hydrangea sitting out there but forget to close it afterward: configuration drift. I enable Telnet to maintain or update a server and then forget to disable it afterward: configuration drift.

The Role of Automation in Continuous System Hardening

A primary weakness of our house analogy is actually useful here, as it shows us the critical need for automation. In real life, most people have one house. But most organizations have hundreds—if not many, many thousands—of servers, desktop systems, laptops and devices. These represent an almost inexhaustible supply of attack surface and potential beachheads. How can we win a war at this scale?

Automation requires us to not only create continuous, ongoing routines to assess states across this vast array of targets, but it also requires us to make allowances for the constantly changing conditions that give meaning and relevance to risk.

In the case of our house, it’s useful to know that, over the last two years, the leafy maple out back has grown a large solid branch that’s close enough to an upstairs bedroom for a tall thief to reach the window. And the inverse is sometimes true: If the old kitchen window was painted shut twenty years ago, who needs to waste time including it in our daily “is it locked” checklist?

This critical need for current “state” information has caused the security community to create more persistent real-time agents, more effective scanning processes that are “aware” of network constraints and ways to avoid “mega scans” in favor of continuous segmented scanning.

Integrating Disparate Security Systems

They’ve also broken down barriers between infosec solutions themselves and addressed another critical requirement for achieving this attribute of “continuousness”: Information security systems must talk to one another. A few simple examples illustrate this need:

  • Vulnerability Management: Vulnerability management (VM) systems are quite good at finding unexpected (and likely unsecured) systems. When one of these is discovered, the VM system can tell the SCM system about the new asset and ask it to perform an on-the-spot configuration assessment.
  • Security Configuration Management: Similarly, SCM systems are evolving intelligent ways to classify assets: by business unit, by system owner, by critical application, and even by the type and criticality of data stored on the system. This helps manage and prioritize their own risks, but when shared with a VM system, this also helps clarify and prioritize remediation efforts.
  • Security Information and Event Management: Both of these systems are being used extensively by SIEM systems as a foundational source of security information: in the first case, correlating known vulnerabilities with detected threats, and in the second case, using sudden configuration changes (“Why is the ‘Telnet should not be enabled’ test suddenly failing?”) to power real-time threat intelligence models.
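Both the configuration drift described earlier (Telnet enabled for maintenance and never disabled) and the SCM-to-VM data sharing in the list above reduce to the same mechanics: record a baseline state, re-snapshot it continuously, diff the two against policy, and rank what falls out by the asset criticality the SCM already tracks. The Python below is an added example written for this page; it is not code from the Tripwire article or any Tripwire product. The watched file names, service list, policy and host criticalities are constructed, and the files live in a temporary directory so the script runs anywhere. The same `snapshot`/`drift` pair is what an SCM would run on the spot when a VM scan reports a newly discovered asset.

```python
import hashlib
import os
import tempfile

# Constructed hardening policy: services that must stay off and files whose state is watched.
# Names are illustrative only; they are not from the article or any product.
POLICY = {
    "services_disabled": {"telnet", "rsh"},
    "watched_files": ["sshd_config", "sudoers"],
}


def file_hash(path):
    """SHA-256 of a file, read in chunks so large configs do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, services_enabled):
    """Record watched-file hashes and the enabled-service set for one host at one instant."""
    files = {}
    for name in POLICY["watched_files"]:
        path = os.path.join(root, name)
        if os.path.exists(path):
            files[name] = file_hash(path)
    return {"files": files, "services": sorted(services_enabled)}


def drift(baseline, current):
    """Every difference since the baseline, plus policy failures in the current state."""
    findings = []
    for name, digest in baseline["files"].items():
        now = current["files"].get(name)
        if now is None:
            findings.append(("file-removed", name))
        elif now != digest:
            findings.append(("file-changed", name))
    for name in current["files"].keys() - baseline["files"].keys():
        findings.append(("file-added", name))
    base_svc, cur_svc = set(baseline["services"]), set(current["services"])
    for svc in cur_svc - base_svc:
        findings.append(("service-enabled", svc))
    for svc in base_svc - cur_svc:
        findings.append(("service-disabled", svc))
    for svc in POLICY["services_disabled"] & cur_svc:
        findings.append(("policy-fail", f"{svc} should not be enabled"))
    return sorted(findings)


def prioritize(host_findings, criticality):
    """Order (host, findings) pairs by the asset criticality the SCM classifies hosts with."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(host_findings, key=lambda hf: (rank[criticality.get(hf[0], "low")], hf[0]))


def demo():
    """Baseline a host, let a maintenance change drift it, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\nPasswordAuthentication no\n")
        with open(os.path.join(root, "sudoers"), "w") as f:
            f.write("root ALL=(ALL) ALL\n")
        baseline = snapshot(root, {"sshd", "cron"})
        # Constructed drift: a maintenance window enables Telnet and loosens sshd; nobody reverts it.
        with open(os.path.join(root, "sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")
        current = snapshot(root, {"sshd", "cron", "telnet"})
        return drift(baseline, current)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:18} {detail}")
```

The `policy-fail` finding is the one a SIEM would consume as the "Telnet should not be enabled test suddenly failing" signal from the list above; the `file-changed` and `service-enabled` findings are the raw drift that a human reviews. Rerunning `snapshot` on a schedule, rather than waiting for a periodic inspection, is the "continuousness" the article argues for.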

SC Magazine summed up these needs in a prescient review of policy management systems—what we’ve called “security configuration management” systems in this article—way back in 2010: “The only reasonable answer to the challenges of compliance, security and configuration management is to automate the tasks.”

The key to continuous system hardening as a goal and a discipline is a willingness to seek out and employ automation wherever possible. Gone are the days when isolated, siloed systems can harden information systems and keep them that way in the face of continuous drift.

Highly interactive solutions that understand the ever-shifting nature of “state” and talk to each other regularly—security configuration and vulnerability management solutions in particular—are the first, best and often the last line of defense.

via:  tripwire



Proactively Hardening Systems: Application and Version Hardening

The first article in this series examined configuration hardening, essentially looking at ports, processes and services as the “doors, gates and windows” into a network where security configuration management (SCM) becomes the job of determining which of these gateways should be open, closed, or locked at any given time. Now it’s time to look at application and version hardening.

What is System Hardening?

If configuration hardening settings are “conditional,” meaning they must find and keep that balance between security and productivity, then hardening against known vulnerabilities in applications and versions is much more black-and-white.

If an exploit path has been found in an operating system or application, the vendor rushes to create a patch or upgrade that removes the vulnerability. “Hardening” in this sense means “making sure the holes are known and that the most current security patches are deployed.”

One Way Hackers Exploit Known Vulnerabilities

To go back to our “secure house” analogy from the previous article in this series for a moment, imagine that the house I’m protecting has three external doors and that they all use Secure-A-Door Model 800 high-strength locks.

But a tester at the Secure-A-Door factory (or worse, a professional burglar) has just discovered an interesting thing: If you slide a credit card along the door jamb at 15 degrees while pulling up on the handle, the Secure-A-Door 800 pops open like a Coke can.

One of the most famous examples of this exploitation began in 2008. That’s when the makers of the Conficker worm discovered and exploited an underlying weakness in Port 445 of the Windows operating system.

The worm created a remote procedure call that dropped a DLL on the system, unloaded two distinct packets for data and code, and hid itself in a remote thread to make itself at home. (It was infinitely more complex and clever than that, but you get the idea.)

In effect, the worm popped the Secure-A-Door Model 800, let itself in, repaired the lock, installed a new phone line to listen for orders, and sat in a comfy chair waiting for instructions. It was able to leverage the internet, could register new domain names in which to hide, and created an extensive botnet that by 2010 had infected, according to Panda Security, as many as 18 million PCs—6 percent of the world’s PC population at the time.

Common Vulnerabilities and Exposures (CVEs)

This type of design failure or exploit is usually repaired by a patch. In the case of Conficker, Windows Security bulletin MS08-067 made the danger known to the worldwide Microsoft community and introduced a patch to prevent easy violation of Port 445.

The MS bulletin was in turn translated by the Common Vulnerabilities and Exposures site as CVE-2008-4250 and given a Common Vulnerability Scoring System (CVSS) rating of 10—the most severe rating possible.

Vulnerability Management

Vulnerability management (VM) systems do their part in system hardening differently from SCM systems, which check that the doors and gates and windows are locked. VM systems make sure the proper patch levels are maintained and that any available defenses have been utilized. Using our analogy, we’d be conducting the following checks:

  • Proactively discovering whether I have any Secure-A-Door Model 800 locks installed
  • If I do, reporting on whether they’re the corrected “B” version made after October 2012
  • Verifying that any “bad” ones I have are only on inside doors and don’t serve as a primary defense
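The three checks above are a join between an asset inventory and a list of advisories, with exposure taken into account when ranking what to fix first. The Python below is an added example written for this page, not code from the Tripwire article or any vulnerability management product. The inventory, the "secure-a-door" versions (which continue the article's lock analogy), the "sample-db" versions and the advisory identifiers are all constructed placeholders, not real CVE numbers.

```python
import re

# Constructed inventory: (host, product, installed version, exposure). Values are made up;
# exposure mirrors the article's "inside doors" versus "primary defense" distinction.
INVENTORY = [
    ("web-01", "secure-a-door", "800", "internet-facing"),
    ("web-02", "secure-a-door", "800B", "internet-facing"),
    ("hr-fs-01", "secure-a-door", "800", "internal"),
    ("db-01", "sample-db", "9.6.3", "internal"),
    ("api-01", "sample-db", "9.6.11", "internet-facing"),
]

# Constructed advisories: every version older than fixed_in is affected.
# The ids are placeholders, not real advisories or CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "product": "secure-a-door", "fixed_in": "800B", "cvss": 10.0},
    {"id": "ADV-EXAMPLE-0002", "product": "sample-db", "fixed_in": "9.6.10", "cvss": 7.5},
]


def version_key(version):
    """Split '9.6.10' or '800B' into comparable pieces so that 9.6.3 < 9.6.10 and 800 < 800B.

    Numeric tokens compare as integers, alphabetic tokens as lower-case strings; a plain
    string comparison would wrongly put '9.6.3' after '9.6.10'.
    """
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def is_vulnerable(installed, fixed_in):
    """True when the installed version predates the version the vendor fixed the issue in."""
    return version_key(installed) < version_key(fixed_in)


def assess(inventory, advisories):
    """Join inventory against advisories; each hit keeps exposure so risk can be ranked."""
    findings = []
    for host, product, version, exposure in inventory:
        for adv in advisories:
            if adv["product"] == product and is_vulnerable(version, adv["fixed_in"]):
                findings.append({"host": host, "advisory": adv["id"], "installed": version,
                                 "fixed_in": adv["fixed_in"], "cvss": adv["cvss"],
                                 "exposure": exposure})
    # Internet-facing systems first (the doors that serve as primary defense), then by severity.
    return sorted(findings, key=lambda f: (f["exposure"] != "internet-facing", -f["cvss"], f["host"]))


def risk_posture(findings):
    """Ongoing summary of how much known-vulnerable exposure remains, split by exposure class."""
    posture = {"internet-facing": 0.0, "internal": 0.0}
    for f in findings:
        posture[f["exposure"]] += f["cvss"]
    return posture


if __name__ == "__main__":
    results = assess(INVENTORY, ADVISORIES)
    for f in results:
        print(f"{f['host']:10} {f['advisory']:18} {f['installed']:>7} -> {f['fixed_in']:<7} "
              f"cvss={f['cvss']:<4} {f['exposure']}")
    print(risk_posture(results))
```

Rerunning `assess` whenever either input changes (a new advisory, a new host found by discovery, a patch applied) is what turns a one-off scan into the continuous assessment of overall risk the article describes.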

VM systems enable continuous hardening by making sure that CVE-2008-4250—and its many thousands of friends—are understood, mitigated, and more-or-less unexploitable when the right steps are taken.

More mature solutions provide an ongoing assessment of overall risk based on whether these vulnerabilities are mitigated or ignored.

via:  tripwire

