• Podcast: Dave Shackleford on NIST Changes, WannaCry and Trump's Cyber Order

    by Chris Gonsalves | May 22, 2017

    Monday, May 22, 2017 By Chris Gonsalves, IANS Director of Technology Research

    After a busy week in infosec, we needed help sorting the wheat from the chaff. Enter IANS' most prolific and acerbic faculty member, Dave Shackleford, to deliver the smackdown of truth on proposed updates to the ubiquitous NIST Framework, the present and future states of ransomware in the age of WannaCry, and the real value of President Trump's new cybersecurity executive order.

  • Dave Kennedy on WannaCry and the Future of Ransomware Attacks

    by Daniel Maloof | May 22, 2017

    Monday, May 22, 2017 By Dave Kennedy, IANS Faculty

    The WannaCry ransomware attack garnered global attention, but what should organizations be doing today to defend themselves against these types of attacks in the future? What’s the likelihood of a copycat attack in the near future? Was this simply a test for future, larger attacks?

    IANS Faculty Dave Kennedy, president and CEO of TrustedSec and frequent guest on major news networks such as CNN and Fox, recently stopped by the studio for an impromptu presentation and Q&A session with IANS clients to review the latest details surrounding the WannaCry attack. Dave also offers some tips for thwarting future attacks, from disabling SMB-1 to implementing application whitelisting.
  • NIST Framework Beefs Up Supply-Chain, Access Controls as Makeover Nears Release

    by Chris Gonsalves | May 17, 2017

    Wednesday, May 17, 2017 By Chris Gonsalves, IANS Director of Technology Research

    After several rounds of public comment, the long-awaited update to The National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity is nearing completion with proposed changes to most sections of the popular document that address supply-chain risk, access controls, information sharing, infosec metrics, and more.

    “We wrote this update to refine and enhance the original document and to make it easier to use,” said Matt Barrett, NIST’s program manager for the Cybersecurity Framework. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”

    >> Hear IANS Faculty Dave Shackleford discuss proposed NIST changes in our IANS Information Security Podcast

    NIST’s Framework for Improving Critical Infrastructure Cybersecurity (CSF for short) was released in February 2014 as part of the U.S. Cyber Security Enhancement Act of 2014. The three sections of the framework – the Core, the Profile and the Implementation Tiers – provide guidance for government agencies and private industry on best practices to mitigate information technology risk and strengthen security posture.

    Significant Changes

    Key changes to the CSF in the latest draft, along with the IANS take from Dave Shackleford, IANS Faculty and principal at Voodoo Security, include:

    • Added provisions for supply-chain risk management. This entirely new category within the Framework’s “Identify” function calls for “priorities, constraints, risk tolerances, and assumptions … to identify, assess and manage supply chain risks.” The category includes five new subcategories in the Core section to specifically address identification and management of supply-chain risk management processes and thorough vetting of suppliers and partners of critical information systems and services. The new section also covers contractual security obligations, performance audits, and joint BCDR testing.

      Shackleford: “The supply chain is a nightmare. We’re bad at assessing our vendors (software, service providers, hardware, cloud providers, you name it). We need better standards and methods to approach reasonable controls questionnaires and assessment without going totally overboard. The new SCRM tier definitions are totally reasonable. This is one of the best additions in the new draft.” 

    • Expanded consideration of access controls. This category in the “Protect” function has been renamed from “Access Control” to “Identity Management, Authentication and Access Control.” The section clarifies and expands the definitions of “authentication” and “authorization,” and a new subcategory calls for identities that are “proofed and bound to credentials, and asserted in interactions when appropriate.”

      Shackleford: “NIST could have done even more in this section. There is a huge, renewed focus on identity management and they really only scratched the surface by fleshing out the terms and concepts. This is a good start, but they don’t address identity providers, the nature of identity as a true isolation and policy boundary, etc. The best part is PR.AC-6 where they associate identities and credentials and align with ‘interactions,' but this will need more detail over time.” 

    • Prescriptive advice for demonstrating security value and effectiveness. A new CSF section deals with measuring cybersecurity in ways that can be used to demonstrate an organization’s cybersecurity posture to stakeholders through metrics and measures. NIST encourages correlating cybersecurity efforts to business outcomes for meaningful insight into how changes in granular security controls impact the completion of business objectives. “In the update we introduce the notion of cybersecurity measurement to get the conversation started,” NIST’s Barrett said. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”

      Shackleford: “This is a very nebulous topic, and always has been. However, everyone is more engaged than they were when the Framework originated and executive teams want more insight into what’s happening. Similarly, operations teams need better metrics and this has been a traditionally weak area overall. The big question is: What are the right metrics? NIST can’t really determine that, of course. Nor do I think they’ll try.”

    • Updated guidelines for information sharing. The updated draft also adds new language to existing subcategories in the “Identify” and “Respond” functions to further encourage the incorporation of information sharing into cyber risk management. NIST also encourages organizations to adopt privacy-aware policies when sharing information with external partners.

      Shackleford: “It needs to be firmed up some, but the idea is right: we need more sharing. Whether that is through threat intelligence or other means, the government is right to be encouraging research and projects that can facilitate this.”

    “Overall they’re moving in the right direction and they seem to be listening to the community,” IANS’ Shackleford said of the latest draft. “NIST is doing a great job balancing overall requests for changes with the obvious realization that many organizations are using this framework currently, and some are aligned with required compliance and regulatory controls, meaning they can’t just overhaul it all at once.

    “However, they really need to add elements related to new technologies,” Shackleford said. The CSF doesn’t really even begin to address cloud, converged and software-defined environments, and how identity is changing to a core service model and isolation/segmentation method.

    “At the very least, they should provide some basic recommendations for those moving in this direction,” Shackleford added. “Even core fundamentals are hard to quantify for the cloud today, and NIST could help move this effort along.” 

    Long Time Coming

    The proposed changes to the NIST CSF are the product of a deliberate, if lengthy, process.

    In an industry known for rapid shifts and frequent disruption, NIST officials first issued a 60-day request-for-comments period on the original CSF in December 2015. Fifteen months hence, the current draft version 1.1 was created from answers and commentary received from 105 organizations on 25 questions in four categories including: use of the framework; possible updates; information sharing; and, public-sector involvement in future framework governance.

    “We received comments from a diverse group that included local, state, national and international governments, a cross section of the critical-infrastructure community, and a number of other types of organizations,” said Barrett. “The responses actually represent thousands of organizations because a large number of industry organizations submitted comments on behalf of all of their member companies.

    “These comments provide strong input for the framework’s future and revealed that the number of organizations using the framework is growing,” he added.  

    In addition to the 60-day comment period, NIST, an agency within the U.S. Commerce Dept., also held a workshop last spring at its Gaithersburg, Md. headquarters to further discuss the feedback and field additional suggestions for improving the framework, officials said. The final comment period on the new v1.1 draft CSF ended in April. A second workshop will be held on the draft version in Gaithersburg later this month. No firm date has been set for release of a final update to the Framework, but officials speculated it could go live this fall.

    According to Richard Cavanagh, acting associate director for laboratory programs at NIST, the organization remains committed to maintaining an inclusive approach, “informed by the views of a wide array of individuals, organizations, and sectors.

    “This [feedback] is needed to carry out NIST's statutory responsibilities with the ultimate goal of assisting organizations as they seek to improve their cybersecurity risk-management practices,” Cavanagh said.

    Public Sector Roots

    The framework has proven popular among federal agencies, according to research by Dell Technologies. The Round Rock, Texas OEM’s poll of federal IT professionals last year found that 82 percent of government organizations are currently using the framework to improve security.

    Additionally, 74 percent of framework users say the NIST document is serving as a foundation for their own cybersecurity roadmap, the Dell survey found. Sixty-eight percent say they look to the framework to improve organizational security and 39 percent use the framework to create a uniform approach to discussing security throughout their agency.

    "As security threats continue to increase in sophistication and frequency, holistic, end-to-end security is crucial,” said Paul Christman, vice president of the federal solutions unit at Dell. “The NIST Cybersecurity Framework empowers agencies to identify, detect, protect, respond and recover from cyber threats, and it can serve as an excellent resource for government.

    “Regardless of mission, industry, data type, or threat factor, organizations can use the NIST framework to strengthen their security posture, develop and enhance cybersecurity roadmaps, improve organizational security and create a uniform security language,” Christman added.

  • WannaCry Ransomware Unleashes Hell on Unpatched Systems Worldwide

    by Chris Gonsalves | May 12, 2017

    Friday, May 12, 2017 By Chris Gonsalves, IANS Director of Technology Research

    A fast-moving and virulent form of ransomware savaged unpatched Windows systems in more than 70 countries Friday, slamming hospitals, telcos, transportation companies and others in a seemingly indiscriminate campaign of IT disruption.

    By Friday afternoon, security researchers estimated the number of infected machines globally at nearly 75,000. By Friday afternoon, a security researcher who goes by the handle MalwareTech activated a previously unregistered domain included in the malicious code, effectively quashing the spread of the malicious code. Some experts speculated the check against the unregistered domain was a kind of "kill switch" built into WannaCry by its authors. MalwareTech, however, guessed that it was more likely a clumsy attempt to keep the code from being sandboxed for forensic analysis.

    The actions that MalwareTech took to halt the spread of WannaCry "probably actually saved lives on accident," IANS faculty David Kennedy told CNN on Saturday. Kennedy cautioned, however, that the worm could easily be reworked and repurposed to start hammering vulnerable systems anew. 

    "We're already seeing chatter on the Dark Web about incorporating this technique," Kennedy said. "We going to see a lot more of these start to happen next week."

    The WannaCry ransomware took advantage of an exploit developed by the U.S. National Security Agency (NSA). That exploit, dubbed ETERNALBLUE, was leaked to the public last month via WikiLeaks, which received the purloined exploit in a trove of data lifted from the NSA by a group calling itself ShadowBrokers.

    ETERNALBLUE leverages a flaw in Microsoft's file- and device-sharing Server Message Block (SMB) protocol. The remote exploit affected most systems running Windows XP and later. Microsoft patched the vulnerability in March, though clearly many administrators worldwide had yet to take advantage of the fix or follow Microsoft’s advice to disable the outdated version SMB1.

    Unlike a traditional virus or Trojan, a worm like WannaCry can move laterally through an organization without human interaction after gaining only a single foothold in a vulnerable machine. The result is often rapid and wide-spread damage that doesn’t discriminate by organization type or size. WannaCry is programmed to speak 28 languages from Bulgarian to Vietnamese, researchers said.

    wannacry_05-1024x774According to analysis of the attack by researchers at Kaspersky Lab, the WannaCry malware “encrypts files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet is approximately $300 USD. It suggests that the group is increasing the ransom demands.”

    The most visible of the WannaCry victims was the U.K.’s National Health Service, which was forced to divert patients, cancel procedures and activate crisis-management protocols at about 39 medical facilities and dozens of doctors’ offices across Great Britain.

    “We are experiencing a major IT disruption and there are delays at all of our hospitals, a spokesman for the NHS subsidiary Barts Health said in a statement. “We have activated our major incident plan to make sure we can maintain the safety and welfare of patients. We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible. Ambulances are being diverted to neighboring hospitals.”

    Analysts said the bulk of the WannaCry attacks were focused on Russia where he nation’s Interior Ministry and the Russian telco, Megafon, were particularly hard hit. Other nations in the WannaCry crosshairs included Ukraine, India and Taiwan. Other notable victims included Spanish telecom giant Telefonica, which suffered significant network and phone-service disruptions, and the global operations of U.S. based shipping company Fed-Ex.

    "Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware," a Fed-Ex spokesman said in a statement. "We are implementing remediation steps as quickly as possible."

    Experts reiterated calls for organizations to diligently patch vulnerable systems. Windows users and systems administrators are urged to make sure the MS10-017 patch is installed and that SMB1 is disabled as an additional precaution. The patch is included in WSUS and Windows Update from March 2017 forward.

    Editors note: This story was updated on May 13 to include details of MalwareTech's sandboxing efforts and comments from IANS faculty David Kennedy.

  • Podcast: Battling Call Center and Phone Fraud with Pindrop's David Dewey

    by Chris Gonsalves | May 12, 2017

    Friday, May 12, 2017 By Chris Gonsalves, IANS Director of Technology Research

    Special guest David Dewey, head of security research and labs at Pindrop Security, drops by to talk about Pindrop's latest comprehensive report on the frightening state of call-center fraud. We discuss how phone fraudsters, aided by VOIP and other call-manipulation technologies, are costing large enterprises millions in account takeovers, fraudulent purchases and returns, bogus money transfers and the occasional mayhem just for the lulz.

  • Trump Orders Massive Review of Fed Infosec Readiness

    by Chris Gonsalves | May 12, 2017

    Friday, May 12, 2017 By Chris Gonsalves, IANS Director of Technology Research

    President Donald Trump this week signed a sweeping executive order aimed at improving information security mainly in the public sector. The order includes consideration of a massive consolidation of federal IT systems and an increased use of shared and cloud-based IT services, but earlier calls for better public-private sector cooperation on threat sharing were scrapped in the final version.

    The directive also calls for finding creative ways to address the nation’s growing infosec skills gap through education, internship programs and an examination of how foreign allies are meeting their security staffing challenges.

    Screen Shot 2017-05-12 at 9.23.39 AMThe Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure portends the creation of a flurry of assessments, audits and gap-analysis reports in the coming months, particularly among the 190 federal agencies directly covered by the executive order. How much actual progress results from all of that introspection and the dozen detailed reports required by the order remains to be seen, most experts agree.

    “Overall, this is a positive step, but the actions taken after the 60-day reviews occur will really tell us what direction the administration plans to take,” IANS Faculty Dave Shackleford said. “We should all be paying very close attention to this in the weeks and months to come.”

    Section One of the executive order deals with federal agencies and their infamously lax security. Federal agency heads will now be “held accountable by the president for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data,” the order says.

    Federal units will now be required to employ the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to assess security posture and manage risk. The federal government issued the NIST CSF in 2014 and it has been widely adopted by the private sector, though public-sector agencies have been slow to heed their own advice. The NIST CSF is currently undergoing a significant revision; the new version, with added controls related to supply chain risk management and a more detailed assessment of identity and access controls, is due in the next few weeks.

    The language of the order vacillates from stiffly formal to boldly breezy, at one point reading: “The executive branch has for too long accepted antiquated and difficult–to-defend IT.” The federal government began experimenting in earnest with business computing in the early 1960s, putting only the last nine administrations on the hook for the fed’s less-than-stellar cyber posture.

    The crux of the finger-pointing finding, however, wasn’t lost on White House Homeland Security Advisor Tom Bossert, who briefed reporters at the White House as the order was unveiled. "A lot of progress was made in the last administration, but not nearly enough,” Bossert said.

    "We spend a lot of time and inordinate money trying to protect antiquated systems," Bossert said, referring to the 2015 breach at the federal Office of Personnel Management in which personnel records affecting more than 20 million government employees were pilfered. "We've got to move to the cloud to try to protect ourselves instead of fracturing our security posture."

    The cloud issue is a small but significant part of President Trump’s executive order. Officials have been ordered to assess the “legal, policy, and budgetary considerations relevant to … transitioning all agencies to one or more consolidated network architectures, and shared IT services, including email, cloud, and cybersecurity services.”

    "If we don't move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts," Bossert said in support of the effort. Those agencies currently spend close to $90 billion for IT, according to government figures.

    “President Trump’s calling for a universal review of capabilities and gaps in U.S. cybersecurity, with involvement from many groups like the NSA, CIA, DOD and Homeland Security, shows the sense of urgency involved, and hopefully some direct action will result,” added IANS’ Shackleford, principal and founder of Voodoo Security. “The order also acknowledges that the current state of affairs is not great [and] the government agencies tasked with cybersecurity are not well organized to collectively respond to attacks.”

    The bulk of the order deals with federal agencies under the direction of the executive branch specifically. For the private sector, there are scant specific implications.

    “It is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft,” Trump’s order reads.

    That said, more specific language on -sector cooperation and incentives that appeared in an early draft of the Trump order was removed in the final version. The term “private sector” appears five times in early versions of the order circulated in February; the drafts also included calls to incentivize “private sector owners and operators of the Nation’s critical infrastructure to maximize protective measures; invest in cyber enterprise risk management tools and services; and adopt best practices with respect to processes and technologies necessary for the increased sharing of and response to real-time cyber threat information.”

    All of that was nixed in the final version of the Trump directive. The lone surviving mention of the private sector comes in the call to enlist businesses’ help to bolster America’s information security workforce.

    President Trump’s order sets a goal of improving tech and information security education, calling on the Secretaries of Defense and Homeland Security to assess the nation’s current “efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education.”

    To Shackleford's point, the real proof of the order's effectiveness will be revealed in the wake of the many reports it generates. It may be a while before the public gets to judge the efficacy of those efforts, however. As the order points out in numerous places, the aforementioned reports "may be classified in full or in part, as appropriate."

  • Van Wyk: Targeted Attacks Require Much Deeper Analysis

    by Daniel Maloof | May 10, 2017

    Tuesday, May 9, 2017 By Ken Van Wyk, IANS Faculty

    Ken van Wyk

    In the world of information security, intentions matter greatly, but they’re only a starting point. After all, most viruses, worms and other malware have at least some degree of malicious intent.

    Beyond simple intentions, though, is the matter of whether or not an attack is targeted. In fact, when we can establish whether an attack is targeted, we often come to a vital decision point in the incident response operation. A targeted attack can change everything.

    When I talk about attacks that aren’t targeted, I mean those that hit you without any regard for who you are. Think of a propagating virus or worm that simply spreads opportunistically. When it finds a file share, network connection, etc., it attempts to copy itself onto other victim systems.

    As a general rule, these are the easier attacks to deal with. For one thing, non-targeted attack tools and techniques are usually the ones for which we have the means to readily detect and stop them. The reason for this is pretty simple: non-targeted attacks and tools can quickly spread far and wide. The more sites they hit, the more market share they have, and therefore the more likely we are to already have countermeasures in place.

    Yes, in general, non-targeted attacks and attack tools are our “low hanging fruit.” It’s the targeted attacks and tools that should concern us the most.

    Dealing With Targeted Attacks

    For one thing, targeted attacks are likely to be one-off and purpose-built, which means they’re least likely to be detected using our traditional endpoint protection tools and techniques.

    Complicating things further, when hit by a targeted attack, we (or, at least I feel this way) really want to know what the underlying purpose of the attack is or was. In the case of malware, for example, I’m not willing to accept a remediation that simply removes the offending code and gets on with business. I want to know what specifically the malware was intended to do. After all, if we fail to understand that, we’re not providing our employers with much value.

    No, with targeted malware, I’m not willing to rest without knowing explicitly what the code’s payload is. What functionality is present? Does it seek to find files and copy them? Does it destroy data? Does it encrypt data, possibly for the purpose of extortion?

    Further, when deeply analyzing an attack and/or tool, we’re quite likely to learn a substantial amount about our adversary. Even if, for whatever reason, the information turns out to not be useful in catching or prosecuting our adversary, it may very well help us understand why we’re under attack in the first place. It could help us understand if our attacker is an outsider or an insider, for instance.

    These things are not just important to understand, they’re vital to us when responding to a security incident.

    Once we know an attack is specifically targeting us, it’s a game changer. It means we have a duty to analyze things more deeply. It may also drive us to notify law enforcement or take other such actions. That decision also carries its own burden, such as maintaining a chain of custody on all the information we collect and documenting in pedantic detail the steps we take.

    At the end of the day, when we analyze a security incident - whether it's being carried out through email-borne malware or via some network compromise technique - we need to at least attempt to ascertain whether we’re being uniquely targeted. If we’re just one of many in a crowd, then a simple “take two Aspirin and call me in the morning” approach may be adequate. But if we’re being specifically targeted, it’s time to roll up our sleeves and dive into the details.



    Ken Van Wyk is president and principal consultant at KRvW Associates and an internationally recognized information security expert, author and speaker. He’s been an infosec practitioner in commercial, academic, and military organizations and was one of the founders of the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

  • Podcast: Kevin Beaver on the Verizon DBIR and Our Perennial Security Shortcomings

    by Chris Gonsalves | May 05, 2017

    Friday, May 5, 2017 By Chris Gonsalves, IANS Director of Technology Research

    kevin-beaverIf it's springtime in New England, it must be time for faculty member Kevin Beaver to join us on the podcast to examine the Verizon Data Breach Investigations Report, better known as the DBIR. This week we dive into the 10th annual report and talk about what the findings say about our seeming inability to eradicate even basic security shortcomings like lousy passwords, porous web apps and our insatiable penchant for clicking on stuff. Any stuff.

    Kevin and I also spend a few minutes talking about the Trump administration's efforts to improve security in federal government agencies and departments. And Kevin tells us why his passion for racing souped-up Mazda Miatas maybe isn't so crazy after all.

  • Poulin: Don't Fear the Reaper - Medical Device Attacks Mainly Target Data

    by Daniel Maloof | May 01, 2017

    Monday, May 1, 2017 By Chris Poulin, IANS Faculty

    IANS Faculty Chris Poulin

    It’s easy to get distracted by the latest research in the information security space: the newest financial malware, IoT botnet or this idea that electronic medical records (EMR) are the new credit cards, for instance. But we need to remember that all these headlines and so-called trends are related, and you can track them back to threat actors, motives, and current tools, techniques and procedures.

    Case in point: A few years ago, implantable medical device hacking was all the rage. Barnaby Jack (may he rest in peace) demonstrated how a pacemaker can be pwned and turned up to disco, literally shocking the life out of the patient. Meanwhile, in 2011 security researcher Jay Radcliffe hacked his own insulin pump, positing that an attacker could deliver multiple insulin boluses one after another with the intent to harm or kill a person.

    Both works of research were delivered in a manner that appeals to our amygdala, eliciting some primal panic that doesn’t take into account the reality of the situation: the attackers need to be near their victim, which then would increase their chances of being caught. So, unless you're an unpopular politician, you’re probably safe.

    Then, of course, there are medical devices used to treat patients in the hospital, such as infusion pumps (IV drips), ECGs, EKGs, MRIs, CATs, X-ray machines, blood gas and chemistry analyzers and nursing stations. All of these can be controlled via Bluetooth, connected to an IP network via Wi-Fi or hardwired. Researchers Billy Rios and Jeremy Richards, as well as many others, are hacking these devices and the results are stunning. In one case, a researcher found that a drug pump was listening on Telnet port 23, and when he connected to the device, it dropped him straight into a root shell - no password! 

    Many IoT device manufacturers, including those who build medical devices, assume that their corporate consumers will deploy them in a secure manner, presumably by isolating the devices on their own network segment. Even so, with a slip of the WPA2 password or misconfiguration of a wireless access point, an attacker can run wild in a forest of medical devices that have little to no protection.

    Researchers often buy medical devices on eBay after they’ve been outmoded or upgraded, and in many cases, the configurations haven't been properly wiped, leaving stored passwords as a bonus for the highest bidder. Researchers have also used Shodan to search for medical devices exposed to the Internet - and they found 68,000 of them as of 2015. 

    But what about motives? To some extent, a sophisticated attacker may break into a drug infusion pump to steal drugs. They already do this without technology, by going into a hospital ward and finding a patient with a fentanyl drip, then using a syringe to tap into the drip bag. Device manufacturers have had to put a lock on infusion pumps to stop that theft; so, what’s the cyber equivalent?

    Let’s return to EMR theft. Criminals are already using phishing to gain a foothold in hospitals and move laterally until they find systems from Epic, Cerner, and the like, and then exfiltrate the data. Criminals are efficient; they’ll take the path of least resistance. So, except in fringe cases of sociopathy, extreme revenge or targeted terrorism, attackers are more interested in using exposed and vulnerable medical devices to gain access to a provider network than to cause bodily harm.

    Calculating the True Risks

    So, the major takeaway here is that we shouldn’t get sidetracked by hype. Often, the motive is more simple than reporters or researchers - both of whom may be looking for fame or notoriety - would have you believe. Be proactive, not reactive. It’s easy to put your head in the sand by turning off Bluetooth or Wi-Fi, but these functions have clear benefits. Instead, determine the potential consequences using rational risk calculi and take appropriate measures. For example:

    • Don’t expose medical devices naked to the internet (obviously - or maybe not).

    • Segment medical devices from the billing and records system.

    • Monitor network activity, particularly as it relates to medical devices and EMR systems (and including events from hosts, if available). Use rules and analytics to detect suspicious activity.

    • Configure medical devices to limit features, if possible (e.g., if it’s based on embedded Linux, disable services to reduce the threat surface), change passwords and enable encryption.

    • Consider using deception: deploy real medical devices that are in a lab (e.g., not connected to patients!) and trigger if those dummy devices are accessed. 

    Having said all this, though, I’d be remiss if I didn’t fling some hyperbole myself as a parting gift. Elon Musk is currently working on technology to interface with the human brain - something called “neural lace.” Imagine thinking of an image and being able to send it to someone else. How about playing a game that’s controlled by your mind and stimulates your visual cortex and auditory centers?

    Of course, it’ll all be enabled by communications, which will make your brain accessible over the air. Forget EMR; what are your thoughts, memories, emotions and fears worth on the dark web?


    Chris Poulin is Director of IoT Security and Threat Intel for Booz-Allen Hamilton's Strategic Initiatives Group, where he is responsible for building countermeasures for threats to the Internet of Things. He has a particular focus on connected vehicles, as well as researching and analyzing security trends in cybercrime, cyber warfare, corporate espionage, hacktivism, and emerging threats.

  • Beaver: Verizon DBIR Shows Why We're Still Struggling With Security

    by Daniel Maloof | Apr 28, 2017

    Friday, April 28, 2017 By Kevin Beaver, IANS Faculty


    You know the saying – the more things change, the more they stay the same. Well, in support of that theory, it's that time of year once again for the Verizon Data Breach Investigations Report (DBIR). If you need a stark reminder of just how bad security is out there – and perhaps some ammunition to support your information security program – you need to check out the 2017 report. It's chock-full of the same things the authors have been reporting over the past decade. In essence: criminal hackers have the upper hand.

    Reading through the findings, there are several things that jumped out at me. These are what I believe to be some of the most important ones:

    • Eighty-eight percent of breaches fall into the nine patterns that Verizon first identified in its study three years ago. I’m not sure if this suggests we’ve yet to master these areas or that the criminals just know where they can find success.

    • Ninety-five percent of phishing attacks that led to a breach were followed by software installation. Once the bad guys get in, they want to stick around for as long as they can. Why not install malware and reside there indefinitely?

    • One section in the executive summary document has some headings that I couldn't agree with more. For instance:

      • “No one thinks it's going to be them. Until it is.” Yup! Organizations think they’ve got the basics covered. They clearly don't – otherwise I wouldn’t see what I see in my work and we wouldn’t be hearing the same things from Verizon and other studies year after year. I often see arrogance in executive management and even among IT staff leading them to believe that they’re immune.

      • Another was “People are also still failing to set strong passwords.” Really!? It’s 2017, for crying out loud!

    • One thing Verizon mentions is that if you haven't suffered a data breach, you’ve either been incredibly well prepared or very, very lucky. It's more than just being well prepared and lucky, I think that a lack of information and not knowing what to look for is the case in way more situations than we care to acknowledge.

    • The majority of attacks (75 percent) are perpetuated by outsiders. No surprises there. Still, a hefty percentage involved insiders. You know, those who are trusted to do most anything at any time with no true oversight. Only two percent involved business partners. Still, given all of the trust in those relationships, not to mention the contracts that lawyers love to rely on for security, you would think that that number would be closer to zero.

    • Just over one-fourth of breaches were discovered by third parties. You don’t want to be on the receiving end of those types of phone calls.

    • Two-thirds of malware was installed via malicious email attachments. Really? If this is not a failure in our messaging and endpoint protection systems, I don't know what it is. Why can't these attacks be stopped? I think they can if you use the proper cloud, server, and endpoint protection. Most people don't. Furthermore, this malware exploits – in many cases – known vulnerabilities in software that simply haven’t been patched in months or years. There’s really no excuse.

    • Eighty-one percent of hacking-related breaches leveraged weak and/or stolen passwords. I can understand stolen passwords to an extent, given the complexity of malware and the lack of protection, but there’s absolutely no reason for weak passwords. I'm not surprised, though, given how much pushback I see executive management give many IT and security teams if they tighten down enterprise password policies. So, it’s a policy born in ignorance or old-school thinking that we simply cannot seem to resolve.

    • Social attacks were used 43 percent of the time. Many people just don’t see the value or they mistakenly believe that their default vendor phishing templates are good enough. Most security assessments I’m involved in have zero phishing testing. A penetration test that does not include social engineering via email phishing or other means is not a complete penetration test. That’s indefensible.

    • Web-application attacks, one of my favorite areas to study and work in, were mostly comprised of stolen credentials and SQL injection. Stolen credentials start elsewhere, but the impact can still be minimized with user behavior analytics and multi-factor authentication. SQL injection exists not necessarily as a fault of developers and QA pros, but because of the fact that it was not tested for – and discovered – before the bad guys. Again, preventable and mostly inexcusable.

    As Verizon says, no system is completely secure, but too many organizations are just making it too darned easy. Furthermore, many of the incidents and breaches are entirely avoidable. But why? Knowing what we now know and having access to the resources and tools that are available, I’m having trouble wrapping my head around why we keep seeing the same challenges. Is it because IT departments are overwhelmed? Perhaps there's a lack of budget? Improper tools? Maybe this would be a good time to throw users or unsupportive executives under the bus? I think it's a lot of these things.

    There's a strong human psychology component to all of this, not unlike various things that afflict society, such as poor health habits and divisive politics. We seem to know what the problems are and, by and large, we know how to solve them. Still, we keep doing the same old things and, presumably, expecting something different. Ayn Rand nailed it by saying “The hardest thing to explain is the glaringly evident which everybody has decided not to see.”

    Kudos to Verizon for presenting this year’s DBIR data in such an easy-to-read and humorous way. The authors even provide solutions for fixing many of these challenges. If they’re giving away this advice for free, and we continue to see the same things moving forward, I shudder to think just how badly information security oversights and gaffes will impact businesses into the future.



    Kevin Beaver, CISSP is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia-based Principle Logic, LLC. Kevin has written/co-written 12 books on information security including the best-selling Hacking For Dummies (currently in its 5th edition).

Sign up for Updates

We’ll send you short and sweet notifications about our content and events.