Compliance

In a previous blog on healthcare information access concerns, I had expressed concerns for internal origins for data breaches. Further research to help mitigate some of these concerns has led to an observation that many data breach incidents could be funneled to a few common origins. The intent for sharing below some of the more unusual or high profile cases is to drive home the point that it really does happen in real life. And passive awareness of regulatory controls are not enough; active exercising and use of in-place policies is necessary.

Be it intentional, malicious or accidental HIPAA information disclosure, information leak occurs. Continue reading

The Weakest Link is…

2018 was a record year. But not in a good way. U.S. organizations paid out a record $28 million in settlements or judgments for data breaches 1. That number was boosted by Anthem’s $16 million settlement for the largest healthcare breach in history.

But information security is getting better, isn’t it? Alright, fines for the year is not reflective of the number of data breaches for the same year, after all, the actual breaches for the fines mentioned above occurred years prior. Such as, the Anthem cyber-attack occurred in 2014 and 2015 2, and the $4.3 million judgment against the University of Texas MD Anderson Cancer Center occurred in 2012 and 2013.

In the Protenus 2019 Breach Barometer Report 3, the U.S.Department of Health and Human Services HHS reported 503 health care data breaches that compromised over 15 million patient records. That is up from 2017 of 477 data breaches with 5.5 million patient records. A 5% increase in number of breaches resulted in triple the number of patient records compromised.

How data was compromised varied from stolen/lost credentials, unauthorized insider access, “hacking” from an external source, human error, and phishing. One of the most common vector for intrusion comes through 3rd party vendors.
Continue reading

Complex Does Not Equal Strong

Another year, and again, another annual report (this one from SplashData) lists the easy and bad passwords have remained relatively unchanged.

As a domain network administrator, you may not be terribly concerned. You think you have a robust password policy as well as an account lockout policy to prevent brute force attacks. Your users cannot use any of those simple passwords on that list. No simple guessing a password is going to let an attacker into your network. Think again.

Most corporate domain password policies require complex passwords with a minimum password length. Many implement a minimum password length of 7 through 10, and with most password complexity rules, passwords should contain characters from 3 of 4 categories: uppercase, lowercase, numerals and special characters. Often times, the password is also restricted from containing the account name as well.
Continue reading

Healthcare information access concerns

“Healthcare…the only industry where employees are the predominant threat actors in breaches.” Straight out of Verizon’s 2017 Data Breach Investigations Report, p.22. No, no, no, you can’t lock out all your employees completely from the hospital network; The nurse needs to get to my medical profile to know what and how much of a drug dose to give me.

The healthcare industry has to balance between securing large amounts of private and sensitive data, yet allow quick access to it for doctors and nurses, emergency and healthcare personnel. 68% of threat actors within healthcare are from internal, and 64% of all incidents and breaches are financially motivated. And 80% of breaches are due to abuse of privileges, physical theft or loss and miscellaneous errors 1.

* The above image captured from Verizon’s 2017 Data Breach Investigations Report, p.22

Internal threat actors could be:

Continue reading

Encrypt That Drive

Promise me you’ll return to this blog piece, but go ahead and open a new tab and search for “stolen laptop.” Filter the search results for a specific year. Or refine the search within an industry, eg. healthcare or financial. Too many results. Too many incidents. The U.S. Department of Health and Human Services, Office for Civil Rights, has a breach portal – https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf – only incidents involving more than 500 PHI records are in the database. Search for theft of laptop.

Continue reading

They Price It Right! Come on down…

Healthcare from United States, come on down! Welcome to “They Price It Right!” There goes the industry, high-fiving all the other industries in the studio as it rushes towards Drew Carrey and the stage. And pays the ransom.

In 2017, healthcare organizations accounted for 15% of all security incidents and data breaches, second only to financial institutions (from Verizon’s 2017 DBIR). 66% of malware was installed through either email links or attachments. The healthcare industry has also been hard hit with ransomware in recent years.

* The above images captured from Verizon’s 2017 Data Breach Investigations Report

The last several years have seen a dramatic increase in ransomware within healthcare. To quote the CEO of an organization that DID pay out the ransom demand, “These folks have an interesting business model. They make it just easy enough. They price it right.” Symantec’s ISTR on Ransomware 2017 reports the average ransom demand “appears to have stabilized at US$544 indicating attackers may have found their sweet spot.” Ahhh…can just picture the blackmailer getting a notification that their target had succumbed and paid up…that hit the sweet spot.

However, a reminder; a $500 ransom may not seem much to an organization with millions or billions in revenue, but that’s per infection (sorry, pun not intended as we’re discussing the healthcare industry). Dozens or hundreds of infection can easily tally up the ransom to total in the tens or hundreds of thousands.

Furthermore, paying the sweet spot ransom does not guarantee even a bittersweet outcome. SentinelOne’s 2018 Ransomware Study shows 42% of ransom payments did not result in data recovery. 58% demanded a second payment.

* The above image captured from SentinelOne’s Global Ransomware Study 2018

Most ransomware is delivered through email. Phishing. Spearphishing. Targeted targets. Email addresses for an organization can easily be harvested using readily available open source tools. 15 minutes to create a phishing campaign with the newly found targets with a link or malicious attachment. The context of the email can be social media related, user needs to reset their password, they have a package that was undelivered, the CEO has attached a memo addressed to all staff. The recent Russian indictments – regardless of the reader’s political leanings – are proof that PHISHING WORKS! (Also blogged here in stateofsecurity.com)

Technology has come a long way – email filters, domain verification, Sender Policy Framework, malware and link scanners – plus many more help in filtering out the 50-70% of the email traffic that is spam. But they still get through. I know for one my Inbox is not spam-free or devoid of any phishing messages.

Since technology is not at the point where it’s able to stop all phishing email, it is up to the user to NOT click on that link or attachment. Sure, there are technologies that prevent bad things from happening if a user DOES click on a phishing link or malicious attachment. But then again, technology is not at the point where they are 100% effective.

Businesses with big budgets buy all kinds of hardware and software solutions to try to counter phishing. But they ignore a big piece of the phishing attack model, and that is the end user. And here, education and training is imperative.

Repeating phishing exercises should be conducted on all or selected groups of employees. These campaigns should be at not-too-regular intervals, so as not to evoke an anticipation from the employees – alright, here come some vaguely suspicious email on the first day of each quarter; I’ll just delete them. Then the rest of the year, they blatantly open, view and click on any and all email links. The simulated campaigns should be randomized and as unexpected as possible.

These campaigns should also be followed up with some education, either some static web pages, training video or live in person session. Phishers are always coming up with new tricks and methods. As a result, end users should be brought up to speed with their new tricks. A couple academic research papers on the efficacy of phishing training demonstrate that EDUCATION WORKS! (links under Resources below)

Then there needs to be a culture of non-retribution. Phishing exercises should be conducted with learning as the objective. Employees should come away with a heightened awareness of phishing and the social engineering tricks used by phishers that make you just want to click that link/attachment.

Employees should be encouraged to report any suspicious email so that word gets around. Homeland Security’s “See something, say something” campaign applies here too; someone is perhaps targeting your firm, alert your fellow colleagues.

Resources:

https://www.verizonenterprise.com/resources/reports/2017_dbir_en_xg.pdf

https://go.sentinelone.com/rs/327-MNM-087/images/Ransomware%20Research%20Data%20Summary%202018.pdf

https://www.healthcaredive.com/news/must-know-healthcare-cybersecurity-statistics/435983/

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-ransomware-2017-en.pdf

https://blog.barkly.com/phishing-statistics-2016

http://www.cs.cmu.edu/~jasonh/publications/apwg-ecrime2007-johnny.pdf

https://www.usenix.org/system/files/conference/soups2017/soups2017-lastdrager.pdf

https://www.dhs.gov/see-something-say-something/about-campaign

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

Prescription pharmacy bags – do you just trash them?

When you get your prescription filled at a pharmacy, the medication is usually dispensed in amber colored pill bottles packaged in a pharmacy paper or plastic bag. Once the medication has been consumed, many discard or recycle the bottles.

There have been several articles on how to remove the sensitive information contained in the medication labels on the bottles. The information include the patient’s name and address, name of doctor and medication details. Recommended methods of removing the information include striking them out with a marker pen or removing the label. Some locations will accept the bottles and remove the labels and information for you, and recycle the bottles.

However, nothing is said of the pharmacy paper or plastic bag that the pill bottles come in when you get them from the pharmacist. When I get my meds from the pharmacist – from a big name national grocery store – I am asked for identification to receive them. I am asked of my name and phone or birthdate, and they verify with the information printed on the bag.

Most people are not aware of or don’t consider the information on the front of these bags. The information can be much more sensitive than what’s on the pill bottle labels. These bags are thrown in with the trash, never shredded. That leaves the information vulnerable to dumpster divers and identity theft.

The pharmacy bags the big grocery store dispenses the prescriptions in are sealed plastic bags. I can’t shred them so I stretch and tear the plastic to destroy the information. Most people will not take the trouble to do that. I have spoken with the pharmacist at the location I pick up my medications at with my concerns. Their process is obviously not up to him but perhaps he could pass on the concerns.

Take note of the label information your medications come in, not just the pill bottles but the pharmacy bag. Your private information is not only on the pill bottles but on the bag when they hand you your meds. Dispose of these packaging appropriately.

 

Resources:

http://rxoutreach.org/education-understanding-prescription-medication-labels/

https://www.popsci.com/old-medications-prescriptions-disposal

It’s OK to save all my passwords in Word, no?

In a follow up to my last blog on password managers, many of my family members and friends have still not picked up on the habit of using them – mostly because of the refused acceptance that there is a small price to pay for increased security; the price being a couple clicks to bring up the password manager app to look up the password for a web site login.

Password managers are still what is recommended to store unique and complex passwords for each authentication/login credentials you may have each domain, computer, web site. But for those family members and friends who have refused to adopt a password manager, I recommend the following.

Instead of saving your passwords in a Word document, save your password hints. We’ll get to how to write these hints later. Save the Word document encrypted, and make the filename something less obvious than passwords.docx – maybe “Favorite Movies.docx.” Depending on PC/Mac version, the encryption feature is found in the Save process under Tools or Options, Security. This is one password you need to remember – make it a good and memorable one.

You may think, Word encryption is not the greatest. True. But this layer of security – encrypting the document with a non-enticing file name – at least keeps the nosey, non-hacker person who might come across your file.

As to what information to keep in the file, you don’t want to store your passwords as-is (in plaintext) in a Word document, even though the file may be encrypted. You should only store information that can help you remember the password. For example, if your passwords are famous movie quotes, to remember the credentials for 2 sites could be saved as:

ebay.com = Clint Eastwood

amazon.com = Jack Nicholson

Each of the above actors has a famous, iconic movie line, and using a consistent transformation method on those quotes, the actual passwords for the sites would be:

ebay.com = gOaheaDmakEmYdaY

amazon.com = yoUcanThandlEthEtrutH

In the above example, the actual passwords are formed by capitalizing the last character of each word in the password hint, and eliminating all spaces and special characters. This transformation process should be memorized and be consistent for all the passwords saved in the Word document.

You can choose whichever transformation process, as long as it’s consistent so you can remember and don’t have to write it down somewhere, eg. capitalize the last 2 characters of each word or capitalize the second character of each word or substitute every first character with a number.

This way, if someone gets a hold of your Word document, and manages to decrypt its password, they will only have a list of password hints, that only you can transform into the actual passwords.

Some other examples of passwords and password hints that you could use:

  • Names of friends and family members, with their birth years as passwords, and the city where they live as password hints, eg.
  • Save in the Word document your password hints:
  • ebay.com = Denver, CO
  • amazon.com = Chicago, IL
  • And from the above password hints, you know your best friend lives in Denver and your aunt in Chicago.
  • Password for ebay.com = JimmyJones1989
  • Password for amazon.com = GertrudeSmith1955

You could even do this:

  • Save in the Word document the following password hints:
  • ebay.com = Go ahead. Make my day.
  • amazon.com = You can't handle the truth!
  • And from the above password hints, use your memorized transformational process, eg capitalize the 2nd character of each word.
  • Password for ebay.com = gOaHeadmAkemYdAy
  • Password for amazon.com = yOucAnthAndletHetRuth

This is “security through obscurity” – much of the information is available but in order for the information to be effective (for the passwords to work), they need to be manipulated using an algorithm that only the user knows but has committed to memory.

You can then email yourself this document. And when you need to look up the password for some site, look up the email, enter the document password to decrypt it, get the info, and use your memorized transformational process to re-construct your password for that site.

This is better than nothing. Better than the alternative of using easy to remember (and crack), simple and the same passwords for all logins. Best to use a password manager, though.

Be safe…

Resources:

https://www.cnet.com/how-to/the-safe-way-to-write-down-your-passwords/

https://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices

I’m running out of Post-Its to write down my passwords

We all know to use non-dictionary, complex passwords for our email or online banking or online shopping accounts; whether we put that into practice is another issue. Even less in practice is, using a different password for each of our accounts; that is, never use the same password twice.

Why? The online gaming site that you logon to crush candy may not be as prudent in its security as the financial advisor site that is managing your 401K. The gaming site may store your password in cleartext in their database, or use a weak encryption algorithm. They may not be subject to regulations and policies that require them to have a regular vulnerability assessment. Using the same password for both sites will place either of your accounts vulnerable and at risk.

If a breach occurs and a site’s user data and passwords are unscrambled – as with 3.3 million users of a popular gaming site (article here) – then the hacker can try the discovered password on the user’s other accounts – email, bank, company site logon. And if the user uses the same password across the board, bingo.

You might think unlikely, improbable – how will the hacker know which website to try the discovered credentials? If the email harvested from the gaming site is myemailaddress@gmail.com, they could try the credentials to log into gmail. If the email is @mycompany.com, the hacker would look for a login portal into mycompany.com. The attacker could look for social media accounts registered with that email address. Or any other website that may have an account registered with that email address. The last estimate in 2017 is that there are over 300 million Amazon.com users. The attacker could try the discovered credentials on this popular site; if your favorite password is your birthdate – 12250000 – and you use it for all your logons, the attacker would be on an Amazon shopping spree as you read this blog.

This cross-site password use is not a security issue only through an online data breach; you may have misplaced your trust and shared your password, or entered your credentials on someone else’s computer that had a key logger or you accidentally saved your logon, or browsed the internet using an open wireless hotspot where someone was sniffing the traffic, or through any other instance that your password finds its way to the wrong eyes.

OK, so I need a different password for each different account that I have. I’m gonna need a bigger keyboard to stick all the Post-It notes with the passwords to every account I have underneath it. Or, maybe I could use a password manager.

A password manager is a database program that you can use to store information for each of your online accounts, website, username, password, security questions, etc. They are encrypted, requiring one master password to unlock its contents, all your saved passwords; “Ash nazg durbatulûk” – one ring to rule them all.

Remembering one long, strong, complex, impossible-to-brute-force-or-guess password, you can then gain access to all your other impossible to guess passwords. Almost all password managers also have a feature to generate random, complex passwords that you can use for each of your accounts.

There are many password managers out there, some commercial paid-for programs, some free open-source, with varying features. Some store your data in the cloud, some fill-in the login form automatically in the browser with your account credentials, some you can copy and paste the credentials from the program and the data in the clipboard is erased after a specified time period… You should choose a password manager that is both secure and usable.

Secure in that the encryption used to store the saved credentials and data is impossible to crack. Research what level of encryption your organization requires data to be stored with. When using the password manager, is the data self contained or is it exposed or available for use to other programs, and how. Does the password manager program run in secure memory space or written to a pagefile or swap memory that can be dumped by an attacker.

The password manager should be usable so that the user will be more likely to use it on a daily basis. If it slows down the user too much, it will be ignored and old habits die hard, the user will revert to poor password use behaviors.

An example real-world use of a password manager: Desktop and mobile versions of an open-source password manager can be installed on the Mac, Windows, Linux, Android and iOS operating systems with the one database file containing the credentials data saved in a cloud service. The user can access, view and edit the credentials from any of the devices with the installed program.

Password managers can be an an essential tool in securing your credentials. Do your research; research specifications, read reviews, compare functionality and usability. Also look up which managers have had bugs or vulnerabilities, how quick were the patches released, how was the vendor’s response to the flaws.

Using the same password for even only 2 websites should be a no-no. And forget trying to remember unique passwords to over 20 online accounts (recent research found the average US user has 130 online accounts). Plus, many sites force you to change passwords (rightfully so) on a regular basis. What is my current password to xyz.com that I last logged on 18 months ago?

Password managers can help you use a unique, strong password for each account. A data breach at one website (which seems to be reported on a weekly basis now) should not force you to change your password for any other websites. But protect that ONE master password. It is the one ring that rules them all.

Resources:
https://expandedramblings.com/index.php/amazon-statistics/
https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/

The hotel wifi is encrypted, it’s all good…No?

One of the modern amenities we always look for when booking a hotel room is that it has wifi. However, there are considerations and issues.

When using the hotel wireless network, you are a part of a network with many hundreds of other hotel guests. Innocent and anonymous, family, corporate, hotel guests. And possibly hackers and generally anyone up to no good. They could potentially snoop and view your unencrypted browsing activity. They could scan your laptop and leverage an existing vulnerability.

Traveling from one hotel to another, it can be tedious to enter the hotel wifi passcode to your 10 wireless devices to get connected each time you book into a new hotel (your devices, your spouse’s, your kids’).

You may think the hotel wifi is encrypted because you had to enter a passcode to get connected, but that is not necessarily true. The wireless network may simply require you to login using your room number and last name in order to be authorized to get connected, but that does not necessarily mean the connection is encrypted.

You could use a VPN to encrypt all your internet activity, but you still have to set up all your devices to connect to the hotel wifi first. And you need to have a VPN subscription/setup.

So, how can we secure our wireless connectivity to the hotel wireless network a little bit more?

One of the easiest solutions is to use a travel router. They range in cost from $30 to several hundred. They could be as small as a matchbox or a pack of cards. They could have all the features of a home router, and more. They can be setup as a router, a bridge, a wireless repeater, an access point, a firewall; some even have a SIM card slot so that you can connect to a cellular network and have multiple devices share the internet connection. Others can be setup as a file server or even have a battery, so it can be a free-standing device with no cable attachments.

On a recent multi city trip, I brought along one of these – a RAVPower FileHub Plus, reviewed in this article. I’d set it up before traveling into bridge mode, with my own non-broadcasting SSID with WPA2 encryption. I connected my laptop, phone and tablet to it, and saved the wireless connection details on each device.

After checking into each hotel, I’d connect my laptop or tablet to the router device, and setup its WAN connection – if I connect the device to the hotel room Ethernet, then there’s no need for this step. Otherwise, I would setup the device to connect its WAN to the hotel wireless. Then immediately, all my other devices would have internet connectivity, through my own router, encrypted.

If the hotel wireless network requires a login first, like you have to enter your room number and name, you would do that once, from a browser on any of the devices, then all the other devices would immediately have internet access. Easy. Secured. (Well, as secure as WPA2 can be.)

Connecting to a hotel wireless connection has some considerations – it may not be encrypted and you are connecting to a network where your device is easily visible to all several hundred others. Take some simple precautionary steps to create an additional layer of security around your devices.

Be safe…