Monthly Archives: October 2017

Slow breach detection, patching, operational snags handcuff healthcare security

It’s still taking many healthcare organizations far too long to discover a breach — much longer than in other sectors.


From left: Stephen Boyer, Anahi Santiago, Shirley Golen, Chris Logan and Dan Costantino participating in a panel discussion at the HIMSS Healthcare Security Forum in Boston.

When it comes to healthcare security, security experts would rank the industry in the middle or toward the lower end of the pack, according to a panel of security leaders at Monday’s Healthcare Security Forum.

That’s because it’s still taking many healthcare organizations far too long to discover a breach — much longer than in other sectors, according to BitSight Technologies co-founder and chief technical officer Stephen Boyer.

According to Boyer, healthcare is in the middle and needs to work on remediating systems and improving patching and blocking policies. And its users are only amplifying risks by falling victim to malicious attacks.

Chief Information Security Officer of Christiana Care Health System Anahi Santiago would rank healthcare even lower, as the industry struggles with operational challenges. The need for accessibility in healthcare can prove challenging when it comes to the security team applying updates and patches.

“The threat landscape keeps getting worse and worse, and we can’t work at the rate the bad guys are moving,” said Santiago. “I think the industry is going to go backwards before it moves forward.”

Part of the problem is that healthcare is missing critical components — including IT and security hygiene, said VMware Senior Healthcare Strategist Chris Logan.

“Why are we still, in this day and age, with all of our high-tech information still missing the user?” said Logan. “We need to educate the user: enable them to do the right thing to get back to security hygiene.”

Penn Medicine CISO Dan Costantino finds the issue with healthcare’s security can boil down to culture. Much like Santiago, Costantino said that healthcare security will take a large step backward before it goes forward, as healthcare is a “reactionary culture.”

“The culture and mindset of being proactive is just foreign to so many levels of healthcare,” said Costantino. “So many departments are struggling now: something major is going to have to happen for that culture to shift.”

And the need for the shift will only increase as threats continue to become more sophisticated and prolific.

For Santiago, the greatest threat is the “speed of which we’re adopting tech and the fact that as security professionals, we need to keep up with that pace.”

This includes not only threats on the network, but the devices given to patients to take home, Santiago said. But her biggest fear is the vulnerability of systems and the potential inability to care for patients.

“There are so many different threats that can happen in a health system. And if we can’t take care of patients, we’re not doing what we set forth to do,” said Santiago.

Another less visible issue is asset management. According to Boyer, it’s a big challenge for IoT. There are millions of orphaned devices and millions of vulnerable devices that aren’t managed or tracked.

To get healthcare up to speed on its security needs, Logan said that security teams need to keep having those tough conversations up the chain of the organization.

“The patient is relying on you to have that conversation: Do what you have to do within your organization to make sure the risks are mitigated,” said Logan.

Costantino agreed: It’s all about people. But the issue is that the stories organizations are telling their people aren’t right.

“Some security teams and system admins think end users are stupid. But that’s not the case,” said Costantino. “It’s that people don’t think about security the way you do. If you look at your policies, you can see why people act the way they do.”

“At the end of the day, it’s a business-level effort,” he said.


via: healthcareitnews

Skills shortage tops Security Serious agenda

Tackling the shortage of cyber security skills tops the agenda for the Security Serious Week, an industry initiative aimed at helping organizations become more security savvy.

The third annual Security Serious Week from 2 October 2017 will feature an entirely virtual summit, accessible to anyone who is online.

The summit consists of webinars on the subject of building awareness and bridging the cyber skills gap through creativity and diversity.

The organizers have brought together professors, scholars, entrepreneurs, researchers, incubators, journalists, practitioners and visionaries to discuss the issues surrounding the cyber skills gap in the UK.

Five panel-style webinars throughout the week will look at how companies can take advantage of UK schemes and programs to make it a thriving cyber security hub, at artificial intelligence, and at how to think outside the traditional route to a cyber career to get all of the right people in place to avoid becoming the next subject of a major attack.

“The essence of the summit is to encourage companies and individuals to think about their security – so that the UK becomes a safer more educated place to do business,” said Yvonne Eskenzi, founder of Security Serious Week and co-founder of Eskenzi PR.

“It is no secret that the UK is hugely under-resourced when it comes to having skilled people to protect our UK businesses, especially with the increasing and constant onslaught of cyber attacks thwarting businesses. This year’s theme aims to get people thinking outside of the box about how they address the cyber skills gap.”

Security Serious Week coincides with European Cyber Security Awareness Month and is supported by industry experts, who are offering their time and free advice to help UK companies protect, as well as educate, themselves.

Panelists represent some of the industry’s best and brightest minds, ranging from Adrian Davis of (ISC)², Quentyn Taylor from Canon and Crest’s Ian Glover to Emma Jones from the National Autistic Society, Shan Lee, CISO of Transferwise, and Andy Jones, professor at Hertfordshire University.

Data breaches and cyber-attacks affect all UK businesses and this year is all about people. The summit kicks off with a session on 2 October to set the scene and look at some ways UK organizations can tackle the skills gap as well as the potential challenges of Brexit, chaired by Warwick Ashford, security editor of Computer Weekly.

Other session topics include incentives that make the UK an ideal cyber security hub, chaired by Sarb Sembhi of Virtually Informed; artificial intelligence, chaired by Pete Warren from Future Intelligence; creative employment, chaired by Vicki Gavin, CISO of the Economist Group; and neuro diversity, chaired by Brian Higgins from (ISC)².

Anyone can join these sessions or watch them later on demand by registering on the Security Serious website.

In addition, Security Serious Week will host the second annual Security Serious Unsung Heroes Awards in London on the evening of 3 October. The event honors the unsung heroes who work tirelessly to avert disasters from attacks against our critical national infrastructure, defend their networks from the daily onslaught of breaches and highlight the cyber pitfalls to educate everyone.

The Security Serious Unsung Heroes Awards are made possible with the support of Mimecast, Gigamon, GSK, SE Labs, Canon, Eskenzi PR, Lastline, (ISC)², Crest, Barracuda, Smile on Fridays, 1E, Firemon, It Security Guru, Corero and the Charities Security Forum.


via: computerweekly

GDPR for the CIO: Data protection is about more than GDPR compliance

If you approach GDPR as if compliance is all that matters, then you’re bound to fail – data protection should be at the heart of business strategy.

Unless you’ve been on a retreat to outer space, you may have noticed a bit of noise about the European Union’s (EU’s) General Data Protection Regulation (GDPR).

It’s everywhere across the industry, with the security sector prominent in promoting the fear, with a whole plethora of newly self-proclaimed experts to the fore.

Apparently, the world and its mother can make you GDPR compliant, at a variety of costs, while delivering a variety of value – if any at all. In every aspect, it is all about compliance, with the majority of noise from organizations being about the need to comply with GDPR.

If you’re focusing on compliance then you are likely to be ineffective, but maybe you will manage to tick a few boxes along the way. You might get a feeling of being “fully compliant”, but even then it is only a point-in-time view.

Of course, being compliant with the regulation is a good thing, but it does not protect you from a breach of your data, nor the business impact a breach would have. There is no evidence to support the view that being compliant will reduce the chance of a data breach.

A dose of reality

It’s not just fines that you should worry about, but stock value, potential class action and customer trust, for example. This isn’t to throw more fear at you like everyone else, but to offer a little dose of reality.

You are not going to prevent every attack or mishap imaginable, and nor should you aspire to, but can you demonstrate reasonable measures in the safeguarding of that data? Can you protect the value of that data to your organization? Your corporate objective is therefore not to map to the law, but to protect data.

The key to GDPR, and every other regulation in this space, is a sound approach to data protection across the organization. It’s not a security or a technology problem, but a holistic business problem.

GDPR is just the latest regulatory theme, building on the 1998 Data Protection Act (DPA), founded on taking care of, and lawfully processing, personal data.

It’s a new regulation, but data protection is not new. The requirement to protect data has always been in place, but this is another shot in the arm, with potentially far more serious consequences for those organizations that cannot demonstrate they are taking data protection seriously.

It is time to stop flirting with data protection. Your customers, employees, senior stakeholders and regulators are demanding that you get married to data protection, and that you show evidence you are taking it seriously.

Compliance is futile

Focusing purely on compliance is the wrong approach. There have been many compliant organizations that still encountered serious issues with data protection, and suffered significant impact as a result.

Those organizations were compliant with regulations and yet got breached and still suffered – how can that be? Because focusing on compliance only gets you so far. It’s a narrow scope, when data protection isn’t narrow at all.

Of course, the initial focus is always to “pass the test”, not to actually improve and mature. It’s almost always a point-in-time assessment, only revisited when a regulation dictates or for the purposes of inclusion in the annual report.

How often have we seen an annual report, where the board refers to its confidence in the company’s cyber security and the assessment undertaken by an expert? Ask yourself, how static was that assessment, the scope, who undertook the investigation, how thorough was it and what were the limitations therein?

A true approach to data protection should be embedded into your business, strategies, transformation and commercial arrangements. This will lead to a far more mature stance, and with that comes compliance.

Shades of grey

A rather large number of organizations are not compliant with the DPA today, so let’s not pretend everyone is going to be compliant with GDPR tomorrow, or even close.

However, being ignorant of a law has never amounted to a good defense and it will be interesting to see how many organizations report breaches once mandatory reporting comes into effect in May 2018.

The trouble with GDPR is that it is a regulation, and regulations are rarely black and white. There’s plenty of grey in there, although it has been generally well thought out and in most cases a layman can grasp the basics. We will only begin to understand the final position of some aspects through the results of the inevitable court cases and legal challenges.

What is needed is sufficient subject expertise and business knowledge to make a sound judgement. In each case it does depend and it is always a risk-based decision, but you will struggle if you fly blind.

However, the raising of the value of potential fines – up to €20m or 4% of your global revenue – from the insignificant amounts under DPA may show intent on the part of regulators, and I fear for those organizations that take a wait-and-see attitude, with no intention of becoming in any way compliant come May 2018.

What does the market say?

The market mostly talks about compliance, but there are a series of different solutions.

Let’s start with the cheap and cheerful few-hundred-pound useless assessment. It’s not always the case that you get what you pay for, but with a complex subject such as data protection, or even GDPR, then you really will get what you pay for. A few hundred pounds for even a light-touch GDPR assessment – a law that took the Council of the European Union years to settle on and that runs to 260 pages? Give me a break.

Then there are the more comprehensive consultative engagements. How many of these involve cut-and-paste consultancy, and how much value do they actually drive? I’ve seen a lot of these reports gather dust on a shelf, which is why they are often referred to as shelfware. Such an engagement is also often a lead into a longer one.

There’s nothing wrong with that, but I struggle to see where the intelligent customer comes to the fore in terms of determining the right next steps and prioritization.

It requires serious practical knowledge, experience and business empathy to determine what’s possible, what should be done in what order, and what should just be documented and accepted in terms of risk. The truth is the consultants have no interest in empowering you. It is the tail wagging the dog in many cases.

A blinkered approach

Another common approach is in software systems that look to address certain aspects of GDPR/data protection.

For example, discovering your data and encrypting it is the panacea offered by many. It sounds good, but is a very blinkered approach in terms of actual data protection, and ignores the fact that no system will discover all of your data. Of course, data also needs to be accessible, so the encryption cannot be a processing overhead.

As an attacker, I’ll compromise something that has legitimate access to the data, this system will decrypt it for me and then I’ve got your data. That is the path of least resistance.

The final common offering comes from the hundreds of firms suggesting they can make you GDPR compliant without first understanding your business. This is impossible.

Each business is different; unique in its own ways. It’s the same for data breaches – what can we learn from an organization being breached? Nothing at all.

Data breaches are different from your organization in so many ways as to make it nigh-on impossible to draw anything significantly worthwhile beyond the fear of another organization being breached.

If you don’t understand the nuances and complexities of an organization, their processes and future vision, then how can you ever offer to make them compliant with anything? These off-the-shelf, one-size-fits-all systems are also useless.

A lot of organizations will be spending an immense amount of money ineffectively.

To DPO or not to DPO?

We have an acknowledged cyber skills gap – or chasm. We can argue over the breadth of that gap, but one does exist. If you are looking for appropriately skilled security resources, then the gap widens.

Now we have another role that requires some very similar aspects of expertise – maybe not the ninja-grade examples that have been trotted about, but we need someone who is cognisant of GDPR regulations, the theme of data protection, the business, processes and all that goes with it.

There is a big job market looming as headhunters race to fill the skills gap, with a rigid interpretation of GDPR suggesting that tens of thousands of data protection officers (DPOs) are going to be required, and a lot of people and organizations that can make money out of exploiting the opportunities.

From your perspective, how do you know what to look for, or that what you’re hiring or contracting is any good? How will you measure it when most of the time it will be hidden from you? You could probably be a terrible DPO and get away with it, as most organizations will be wholly ignorant, without any means to test the value of their investment.

It is going to be tough to find the right resource, with the right level of gravitas and remuneration to make a good fist of this. It is hard, but it is also very much doable, if you get it right.

A proper practitioner

You could always outsource your DPO function. That’s fine, though again you must be an intelligent customer and do your homework. Most consultancies won’t provide someone with extensive experience as there aren’t that many to go around.

I would recommend understanding what that outsourced DPO has ever done in this space and where. If they’ve only ever done theory, then don’t hire them.

Look for someone who understands what it is to truly assess an organization and make demonstrable positive changes – somebody who understands risk and business process. They will be hard to come by, but then why are you hiring a DPO unless you’re taking data protection seriously?

When you look at the skillset as specified in GDPR Article 39, which covers the DPO requirement, don’t you think that person would be an excellent addition to your team? Unless you’re just ticking an “I’ve got a DPO” box, in which case, good luck.

The DPO should be a proper practitioner – not a hobbyist or a fresh-out-of-university graduate, but someone with some battle scars, who has succeeded and made mistakes.

Don’t go for someone who only knows theory, but someone who has worked at the coalface in complex organizations and still managed to deliver positive outcomes that are transparent to the business operation and support the business vision.

Are you doing it wrong?

If you’re simply aiming to be GDPR compliant, or if you’re running GDPR compliance as a security program or looking to tick boxes, then you’re doing it wrong.

If you’re trying to do it on the cheap because you can’t see the value of a robust and resilient data protection strategy, then you’re doing it wrong, and you’re taking a significant risk.

Data protection doesn’t have to be expensive. It needs to be focused in the right areas that will provide a demonstrable return and a demonstrable improvement from a current position. To garner a current position, you must understand the business. It cannot happen any other way.

An assessment is key to enable an organization to be an intelligent customer and seek to remediate specific risks, to provide the legal teams and the board with a position which can be defended. There will be lots of quick wins to demonstrate that a data protection program is having a positive impact, even just for your lawyers.

Business strategy

Data protection should be embedded at the heart of your business strategy and business transformation. It enables you to build data protection by default in all that you do. It isn’t easy, but it is a business imperative and does enable you to use your transformation to your advantage in terms of data transparency and safeguarding.

If you retro-fit data protection to your programs you will likely extend costs by roughly a third. Retrofitting security or data protection is hard, cumbersome, expensive and tends to be detrimental to the overall business outcome of the change. Building it in up front allows you to build transparent data protection that is in no way inhibitive to the desired business outcome.

All too frequently companies miss opportunities to adapt or take advantage of change. Detecting “fault lines” is essential to survive, and when it comes to the corporate objective to protect data, you have to ask: where are you as a business leader if you are missing or dismissing all the warning signs of a big fault in your business?

Be intelligent in how you do it, and don’t just look to “buy” data protection – it doesn’t work.


via: computerweekly

Equifax Will Offer Free Credit Locks for Life, New CEO Says

Equifax Inc. will debut a new service that will permanently give consumers the ability to lock and unlock their credit for free.

The service will be introduced by Jan. 31, Chief Executive Officer Paulino do Rego Barros Jr. wrote in a Wall Street Journal op-ed Wednesday, a day after taking the helm. The company will also extend the sign-up period for TrustedID Premier, the free credit-monitoring service it’s offering all U.S. consumers, he said.

“The service we are developing will let consumers easily lock and unlock access to their Equifax credit files,” Barros wrote. “You will be able to do this at will. It will be reliable, safe and simple. Most significantly, the service will be offered free, for life.”

Barros was named interim CEO on Tuesday, less than three weeks after Equifax disclosed that hackers accessed sensitive data for 143 million U.S. consumers. Former CEO Richard Smith will appear before Congress next week, and lawmakers have demanded more information on how the breach happened, while faulting the company’s efforts to alert victims and help them safeguard their finances.

“We compounded the problem with insufficient support for consumers,” Barros wrote in an op-ed posted online by the Wall Street Journal. “Answers to key consumer questions were too often delayed, incomplete or both. We know it’s our job to earn back your trust.”

TransUnion’s Service

TransUnion, a rival credit-reporting company, also offers a free credit lock called TrueIdentity “and we have for some time,” company spokesman David M. Blumberg said in an emailed statement. He said the service allows customers to lock or unlock credit reports online or using an app. A representative for Experian Plc, another rival, didn’t immediately return a message seeking comment.

Enabling consumers to easily turn off credit locks could help lenders including Synchrony Financial and Ally Financial Inc., Vincent Caintic, an analyst at Stephens Inc., wrote in a note Wednesday.

“We think this will alleviate concerns that consumers freezing their credit access from the bureaus will slow loan origination growth and increase customer acquisition costs,” Caintic said. “We have been most concerned about credit cards, particularly those applied at the point of sale, as well as auto lending at dealerships.”

Equifax’s free services are likely to hit fees at its global consumer solutions unit. That division produced $402.6 million in revenue in 2016, or 13 percent of the company’s total, in part from monitoring products such as Equifax Complete, ID Patrol, Credit Watch and Score Watch. The unit also sells credit information to resellers who offer their own monitoring services to individuals.


via: bloomberg

Signal update keeps your address book secret, keeps it safe

No one would use a secure messaging service like Signal if you couldn’t find out who else was on it — but how can you trust Signal and others not to snoop when you submit your contacts for it to check against its list of users? You shouldn’t have to — it should be impossible. That’s the intention of an update to the app that makes contact discovery even more private.

It’s not that Signal or someone else was collecting this info to begin with — it’s encrypted the whole way, so really it’s already pretty safe. But say Signal were to be hacked or secretly taken over by the NSA. If this evil-twin Signal looked really closely, it could probably figure out who certain users were searching for by monitoring for known hashes. That info could be used to de-anonymize users.

Signal’s Moxie Marlinspike, who hinted at this upcoming feature at Disrupt last week, writes up the team’s approach to making sure that even that far-flung possibility is impossible.

The technical details I’ll leave to him to explain for obvious reasons, but the gist is this: Conceivably, Signal’s servers could be surreptitiously logging every tiny action being taken, from which user info is being accessed to the exact location in memory where a response is written.

Think of it like this: Even if what someone is reading or writing is hidden from you, if you watch closely you can tell where the pencil is and what movements it’s making. If you know the list is alphabetical, and that the first name is X letters long, that narrows it down considerably.

This kind of ultra-low-level attack, on the level of RAM monitoring and so on, has to be considered or you risk underestimating your adversary.

Fortunately, fast becoming a standard in chips is a “secure enclave” that can perform certain operations or store certain data that’s inaccessible to the rest of the OS. Apple has one for Touch ID and Face ID, for instance, so the rest of the OS never sees your biometric information — and therefore can’t give it up to hackers or three-letter agencies.

By using this enclave and carefully manicuring its technique in querying the main database, Marlinspike and the team made it possible for users to check their address book against the main Signal list without anyone but the users themselves seeing the list or results. The enclave also checks to make sure Signal’s servers are running the code they’re supposed to be.
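The pencil-on-the-page idea above, as a toy illustration added here (not Signal’s code, and far simpler than the real enclave implementation, which also has to hide cache and branch behaviour): an observer who sees only the sequence of memory positions read during a lookup learns which entry was queried when the lookup is a binary search, and learns nothing when every entry is touched in the same order with a constant-time compare. The registry, phone numbers and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed registry of "registered users", keyed by the SHA-256 of a phone
# number. Hashing alone does not hide much here: the phone-number space is
# small enough that an observer can recognise hashes of known numbers, which
# is exactly the concern the article raises.
KNOWN_NUMBERS = ["+15550000001", "+15550000002", "+15550000003", "+15550000004"]
REGISTERED = sorted(hashlib.sha256(n.encode()).digest() for n in KNOWN_NUMBERS)


def naive_lookup(query_hash, registry, trace):
    """Binary search. Efficient, but the indices it reads (recorded in
    'trace') depend on the query, so someone watching memory accesses can
    tell which entry was looked up without ever seeing the bytes."""
    lo, hi = 0, len(registry) - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        trace.append(mid)
        if registry[mid] == query_hash:
            return True
        if registry[mid] < query_hash:
            lo = mid + 1
        else:
            hi = mid - 1
    return False


def oblivious_lookup(query_hash, registry, trace):
    """Scan every entry in a fixed order and compare in constant time, so the
    access trace is identical for every query, present or absent. This is the
    flavour of technique the article alludes to, reduced to its core idea."""
    found = 0
    for i, entry in enumerate(registry):
        trace.append(i)
        # compare_digest does not exit early on the first differing byte, so
        # the comparison itself does not reveal how close the match was.
        found |= int(hmac.compare_digest(entry, query_hash))
    return bool(found)


def is_registered(lookup, number):
    """Hash a phone number as a client would and run the given lookup."""
    return lookup(hashlib.sha256(number.encode()).digest(), REGISTERED, [])


def access_traces(lookup, numbers):
    """Return the memory-access trace an observer would record for each query.
    With naive_lookup the traces differ per number; with oblivious_lookup they
    are all the same, so the observer learns nothing about the query."""
    traces = []
    for n in numbers:
        t = []
        lookup(hashlib.sha256(n.encode()).digest(), REGISTERED, t)
        traces.append(t)
    return traces
```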

There are still a few opportunities for this hypothetical evil Signal to snoop, but they’re decidedly limited — much more so than before. That reduces the amount of trust you have to place in them — though you still need to trust the secure enclave, the encryption method, and so on. But the fewer links in the trust chain, the better.

This feature hasn’t rolled out to everyone yet; it’s still a “beta technology preview,” but is planned to roll out after testing in the next couple of months.


via: techcrunch