- Details
- Category: Security News
Data Breach, Litigation, Privacy
Court Grants Final Approval in Class-Action Case
A court has approved the settlement of a class-action lawsuit filed against Sony Pictures Entertainment on behalf of current and former employees in the wake of the company's massive 2014 breach that U.S. officials blamed on North Korea.
But some experts say the consumer protections provided in the settlement do not go much beyond what the company should have routinely provided to victims in the wake of a breach.
"The settlement focused on the kinds of things that companies normally do when there is a security breach - provide credit monitoring and give notice," says privacy attorney Kirk Nahra of the law firm Wiley Rein in Washington, D.C. "They probably should have done all of this already, but I'm not surprised that this was included, nor am I surprised that this isn't a 'bigger' settlement."
The Settlement Details
The total value of the multimillion dollar settlement won't be known until all current and former employees have the opportunity to sign up for the benefits offered. Earlier reports valued the settlement at up to $8 million (see: Sony Breach: No 007 to the Rescue). But the news site Deadline.com reports it could be worth as much as $15 million.
The lawsuit, filed in December 2014, alleged that Sony Pictures failed to secure its computer systems, servers and databases, "despite weaknesses that it has known about for years." The lawsuit also asserted that Social Security numbers and personally identifiable information linked to current and former employees had been stolen by attackers, and that some of that PII was being bought and sold on cybercrime forums.
Under terms of the settlement, approved by a district court judge in California on April 6, Sony Pictures will provide identity theft protection coverage through 2017 for approximately 437,000 current and former employees affected by the breach.
The company will also reimburse certain expenses for those who have become victims of ID theft because of the breach.
So far, Sony has committed $7 million to notify those affected by the breach and establish a fund to reimburse them for uncovered ID theft losses, the Associated Press reports.
Sony Pictures declined to comment about the settlement.
A Fair Settlement?
Privacy attorney Nahra says it's unlikely that employees affected by the breach will be able to prove actual harm stemming from the Sony Pictures' breach. And, as a result, they likely won't qualify for reimbursement for expenses associated with ID theft or misuse, he says.
"The Sony breach is a tricky one, because it focused on so many things beyond personal data," Nahra says. "There is no particular focus of general attention on the data of employees, and little indication that this information was subject to material risks. ... There are the same legal issues here that we see in any breach case - is there any actual harm from the breach? There hasn't been any general indication of any harm, to my knowledge, in this situation at all. Also, unlike other situations, where the personal data was the key focus of a hacker or a data theft, this is very much a byproduct of a broader attack, so maybe there is even less reason to see any actual harm here."
Neal O'Farrell, executive director of The Identity Theft Council, a victim support network, says it's unfortunate so much of the settlement focuses on offering ID theft monitoring services. "That offer is of little value, will do little to protect victims for the rest of their lives, and seems more of a PR stunt than a genuine concern for the plight of victims," he says. "Worse than that, it gives victims a false sense of security."
Malware Infection
In November 2014, a number of Sony Pictures' systems were infected with wiper malware that's designed to erase PC and server hard-drives (see Sony Pictures Cyber-Attack Timeline). Systems were reportedly infected three days after Sony Pictures received an email from a self-proclaimed hacktivist group known as Guardians of Peace threatening to do "great damage."
The hacktivist group claimed the attack was waged to punish Sony Pictures for releasing "The Interview," a satiric film that featured the fictional death of North Korean leader Kim Jong-un (see Sony Hacking Is a Hollywood Blockbuster).
Before the hackers infected Sony Pictures' systems with wiper malware, they stole tens of terabytes of data, including copies of unreleased movies and numerous private email exchanges, all of which they quickly began to leak (see Sony Breach Response: Legal Threats).
Although the U.S. government claims North Korea backed the attack, the North Korean government has denied those claims.
In December 2014, Sony Pictures filed a breach notification with California state authorities, reporting that current and former employees' names, addresses, Social Security numbers, driver's licenses, passport numbers, corporate credit card details, usernames and passwords, and salaries had likely been exposed. Sony also warned that some health information may also have been exposed, including medical diagnoses, dates of birth, health plan identification numbers, and personal and health-related information.

Cybersecurity, Data Breach, Risk Management
Skyport CEO Art Gilliland on 'Re-Platforming' Your Security
Organizations spend over 10 percent of their IT budgets on security, yet breaches continue to rise. Much of the problem revolves around the fact that most organizations have countless point tools, most of which don't work together to keep the organization secure and responsive.
Skyport Systems offers a new architecture called SkySecure that provides embedded, turnkey protection to all applications in the software stack. SkySecure brings perimeter security to the app level without slowing down performance.
Join Skyport CEO Art Gilliland as he illustrates the ways in which Skyport customers use SkySecure to protect command-and-control systems such as Microsoft Active Directory, remediate legacy applications that are no longer in compliance, and re-platform branch offices with a consolidated secure system.
Gilliland also discusses:
- Why current security architectures' "least common denominator" approach is flawed;
- Skyport's four-part "zero trust concept" for application security.

New guidance from the National Institute of Standards and Technology could make it easier and less expensive for organizations to encrypt and decrypt some forms of data, including Social Security and credit card numbers.
Known as NIST Special Publication 800-38G, "Recommendation for Block Cipher Modes of Operation," the guidance specifies two techniques for format-preserving encryption, or FPE.
Terence Spies, one of the creators of the FPE standard, sees publication of SP 800-38G as validation of the encryption method that has been used by some businesses for years. "We spent a few years of work with researchers, basically making sure that what we had was mathematically, provably secure, because when you're in the business of securing data, new crypto algorithms are often suspect," says Spies, chief technologist at HPE Security-Voltage.
How It Works
FPE produces ciphertext with the same length and character set as the information being encrypted. For example, the encrypted rendering of a Social Security number would be nine digits that look random. Similarly, credit card numbers are typically 16 digits long; with FPE, the encrypted credit card number would also be 16 digits.
Previously approved NIST encryption modes operate on binary data and produce ciphertext as a block of bits, typically longer than the original field and not limited to decimal digits. That presents a problem for software packages that expect Social Security or credit card numbers to keep their usual length and format.
"An FPE-encrypted credit card number looks like a credit card number," says NIST Computer Scientist Morris Dworkin, who wrote the guidance. "This allows FPE to be retrofitted to the existing, installed base of devices."
FPE is a game-changer because it allows organizations to encrypt data using the same format, says Albert Biketi, HPE Security vice president and general manager. "If you don't have the same format, then you have to re-architect your application," Biketi says. "The thing that makes security a big challenge for a lot of CISOs is that they have a steep, complex environment and they've got a limited amount of money and a limited amount of bandwidth."
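To make the "same length, same format" property concrete, here is an added illustration (not code from NIST, HPE or the article): an unbalanced Feistel network over decimal digits that follows the FF1 layout from SP 800-38G but uses an HMAC-SHA256 round function instead of the AES-based PRF, so it is a didactic construction and not the standardized FF1 algorithm. Separators such as the dashes in an SSN are left in place, so a value in XXX-XX-XXXX form is still XXX-XX-XXXX after encryption; the key, tweak and sample values are constructed for the demo.

```python
import hashlib
import hmac
import re

RADIX = 10
ROUNDS = 10


def _prf(key: bytes, tweak: bytes, rnd: int, half: str, m: int) -> int:
    """Round function: HMAC-SHA256 over (tweak, round number, one Feistel
    half), reduced to an integer below 10**m so it can be added to the
    other half. A simplification of the AES-based PRF used by FF1."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** m)


def _feistel(key: bytes, tweak: bytes, digits: str, decrypt: bool) -> str:
    """Unbalanced Feistel network over a decimal string, FF1-style:
    the string is split into halves of u and n-u digits, and each round
    adds (or subtracts, when decrypting) the PRF output to one half."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a string of at least two decimal digits")
    n = len(digits)
    u = n // 2
    v = n - u
    a, b = digits[:u], digits[u:]
    if not decrypt:
        for i in range(ROUNDS):
            m = u if i % 2 == 0 else v
            c = (int(a) + _prf(key, tweak, i, b, m)) % (RADIX ** m)
            a, b = b, str(c).zfill(m)
    else:
        for i in reversed(range(ROUNDS)):
            m = u if i % 2 == 0 else v
            c = (int(b) - _prf(key, tweak, i, a, m)) % (RADIX ** m)
            a, b = str(c).zfill(m), a
    return a + b


def _apply(key: bytes, tweak: bytes, value: str, decrypt: bool) -> str:
    """Transform only the digits of `value`; non-digit characters such as
    '-' or ' ' stay where they are, so length and layout are preserved."""
    digits = re.sub(r"\D", "", value)
    out = iter(_feistel(key, tweak, digits, decrypt))
    return "".join(next(out) if ch.isdigit() else ch for ch in value)


def fpe_encrypt(key: bytes, tweak: bytes, value: str) -> str:
    return _apply(key, tweak, value, decrypt=False)


def fpe_decrypt(key: bytes, tweak: bytes, value: str) -> str:
    return _apply(key, tweak, value, decrypt=True)


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()  # demo only
    for tweak, sample in ((b"ssn", "123-45-6789"), (b"pan", "4111 1111 1111 1111")):
        ct = fpe_encrypt(key, tweak, sample)
        print(sample, "->", ct, "->", fpe_decrypt(key, tweak, ct))
```

The tweak binds the ciphertext to a field name, so the same digits stored in two different columns encrypt differently without needing two keys.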
Potential Applications in Healthcare
For many years, the healthcare sector in the U.S. has been struggling with the subject of creating a national patient identifier, and the issue has come to the forefront again in recent months (see A Jump Start for a National Patient ID?).
Congress has long banned the Department of Health and Human Services from funding the development of a national patient ID, citing privacy concerns. But the issue is more important than ever, because a standard ID would help match patient records from various sources, especially as more data is exchanged among healthcare providers.
Security expert Dixie Baker, senior partner at the consulting firm Martin, Blanck and Associates, says the FPE standard "could allow the use of sensitive fields with a predictable format - for example SSN, phone number, ZIP code - for patient-matching purposes without revealing the values in those fields."
She also notes: "This standard could be useful to encrypt SSNs that persist in older health records and in current Medicare records. The software that accesses these SSNs is likely to be expecting input of the format XXX-XX-XXXX, and the encrypted data would retain this format."
Anonymizing PII
NIST's Dworkin says FPE also could play a role in anonymizing personally identifiable information for healthcare research databases.
"FPE can facilitate statistical research while maintaining individual privacy, but patient re-identification is sometimes possible through other means," Dworkin warns. "You might figure out who someone is if you look at their other characteristics, especially if the patient sample is small enough. So it's still important to be careful who you entrust the data with in the first place."
Baker says she agrees with Dworkin's assessment that patient re-identification "might still be possible using unencrypted fields, particularly given the power of today's knowledge-discovery techniques."
(Executive Editor Marianne Kolbasuk McGee also contributed to this story.)

Cybersecurity, Data Loss, Encryption
'Panama Papers' Expose Sector's Security Shortcomings
Ask hackers why they attack law firms, and their reply - to riff on bank robber Willie Sutton's famous quip - would no doubt be: "Because that's where the secrets are."
As demonstrated by the so-called "Panama Papers" leak of 11.5 million records from the Panama-based law firm Mossack Fonseca, there's no doubt that law firms are being targeted by attackers seeking to access, steal and potentially leak their clients' secrets.
Two lessons that all law firms - and other organizations - should learn from the massive leak are the need "to protect against insider threats - if they have not learned the lesson from Edward Snowden," as well as "to double-down on their due diligence in hiring employees," says attorney Sean Doherty, an information governance, compliance and e-discovery analyst for market researcher 451 Research. A third lesson, he says, is "the power of the press," noting that "their power to investigate is second only to nation-states."
But it's not clear how many law firms - or other organizations, for that matter - have been heeding advice to beef up their cyber defenses, despite law enforcement agencies and cybersecurity firms issuing repeated warnings about the risks of attacks by insiders, fraudsters, hacktivists, unscrupulous competitors and nation-states.
In 2011 alone, cybersecurity firm Mandiant estimates at least 80 U.S. law firms were hacked. In recent years, six firms - Fox Rothschild, Holland & Knight, Hunton & Williams, Simpson Thacher & Bartlett, Thompson Hine, and Wilson Sonsini Goodrich & Rosati - have been caught up in insider trading schemes that involved employees attempting to steal and profit from clients' information, Bloomberg reports.
On March 3, meanwhile, the FBI's Cyber Division issued a Private Industry Notification, warning law firms that "in a recent cyber criminal forum post, a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms," Bloomberg reports. The FBI has not named the forum where the post appeared.
Panamanian law firm Mossack Fonseca, meanwhile, has not responded to repeated requests for comment about the circumstances surrounding its data leak, which reportedly began in late 2014. But founding partner Ramon Fonseca told Reuters that he blames the leak on an external hack attack, while also denying reports that his firm destroyed documents or facilitated money laundering or tax evasion (see If You Hide It, They Will Hack).
Wake-Up Call
Law firms are a prime hacker target because they handle secret details of intellectual property, mergers and acquisitions, and other potentially valuable information. "Every large company sends all of its IP, next product plans, M&A information - on which you could trade or buy stock and make millions of dollars - to the largest law firms in the U.S. and the world," says attorney Chris Pierson, who serves as the general counsel and CISO for invoicing and payments provider Viewpost. "So, why hack Lockheed to find out the next patent for a missile system? Just hack their law firm. Why lose money in the stock market when you know you can hack the M&A group at the big [law] firm to find out ahead of time who is buying whom, and make lots of money?"
Brian Honan, a Dublin-based cybersecurity consultant, says the same goes for accountancy firms. "They hold lots of similarly sensitive information about their clients," he notes via Twitter.
Encrypt Data, Virtual Workspaces
In the wake of the Panama Papers leak, Zak Maples, a senior security consultant at MWR InfoSecurity, says all law firm CEOs need to immediately determine whether the organization can identify where all information gets stored and who can access it; whether it has sufficient preventive controls to safeguard the data; and whether data access and exfiltration defenses are in place. CEOs, Maples says, also must ask: "If we do have these controls and capabilities, have we actually tested them to ensure they are working?"
Doherty of 451 Research says law firms, being "custodians of client data," must make sure they're encrypting all data, both when stored and in transit, and carefully control, via granular file-access controls, "who can open, view, edit, copy, even transmit them via email. All file access should be logged, analyzed and reported for unauthorized use or unusual activity or anomalies." Of course, that advice applies to any organization that handles or stores sensitive data.
Doherty is also a proponent of using dedicated and secure virtual workspaces for handling confidential information. All discussion of legal matters "should be contained in secure online rooms, such as deal rooms, SharePoint sites, or other containers," he says. "Information in containers should remain contained and delivered to users on a need-to-know, time-limited basis. When the matter is complete, the container should be archived with limited access."
Digitizing Records Is Risky
Nearly four decades of records from Mossack Fonseca have been leaked, demonstrating that, at some point, the firm apparently began digitizing old records. "Firms working with clients in international finance, by necessity, were using digital records long before many traditional law practices," Doherty says. "By nature, many of their transactions are digital with electronic trails."
But Doherty says that any old records should be locked down. In particular, all related records, information and communications "should have been taken offline, at least placed in near-line storage, without general access," he says. "If the firm digitized closed matters, it opened a security hole for hackers and increased the threat of an insider attack."
The safest course of action will always be to retain as little information as possible, says Honan, who also advises the EU law enforcement intelligence agency Europol. "If you are not obliged to keep certain information - due to laws, regulations or contracts - then the safest way to secure it is to destroy it in a secure manner."
Monitor for Unauthorized Access
Doherty says the Panama Papers breach isn't just a cautionary tale about the need to secure stored data or block exfiltration. "The root cause and risk was, and perhaps is, unauthorized access," he says.
Despite Ramon Fonseca's claims, many security experts suspect that an insider was involved in the attacks. That's a reminder, Doherty says, of the need for all organizations to beware of insider threats. For law firms in particular, he recommends they "conduct due diligence on new hires, as well as re-screen them on a regular basis."
Of course, data leaks can be achieved by using spear-phishing attacks or malware, which can give attackers access to corporate systems, allowing them to work like a virtual insider. "I think [that] automated threat is here today and may already be inside firms' firewalls," Doherty says.
MedStar Health's 10 hospitals, and several other North American hospitals, have fallen prey to malware attacks in recent weeks. The attacks, many involving ransomware, highlight why it's so important for healthcare organizations to take critical steps to avoid becoming the next victim, says technology expert Craig Musgrave of The Doctors Company, a provider of cyber insurance and medical liability coverage.
"The No. 1 issue is social engineering; it's the employee negligence," Musgrave says in an interview with Information Security Media Group. All healthcare organizations "should be providing training for all employees .... [because] over 80 percent of the attacks are made possible by human error where they'll click on a link or open an email attachment. If we can train the staff to avoid downloading [suspicious files] or bringing USB devices into the systems, then that's going to cut out a lot of the [ransomware] events that are happening."
But if an employee does make the mistake of clicking on an attachment that launches malware, healthcare organizations must take swift steps to mitigate the impact, he says.
"From the technical standpoint, the IT department needs to be making sure they have the appropriate controls in place around firewalls, application whitelisting and ... intrusion detection," he says.
"You need to be able to detect that something is going on very quickly so that you can stop it from spreading across the organization," Musgrave explains. "Once you're at that point where you can isolate [an infected] computer and take it off the network, then it gets down to how good are your backups, and can you restore systems as quick as possible."
Some hospitals have been able to recover from ransomware attacks without paying extortionists because they had well-prepared backups that enabled them to restore systems and data reasonably swiftly, he says. But other hospitals have had a more difficult struggle because the ransomware spread to main computer systems within the organization, making it more challenging to mitigate the attack, he says.
Hospital Attacks
In February, Hollywood Presbyterian Medical Center in California confirmed that it paid extortionists a $17,000 bitcoin ransom to unlock its data, which was maliciously encrypted by extortionists using ransomware.
But some other hospitals battling recent ransomware attacks, including Chino Valley Medical Center and Desert Valley Hospital in California, have confirmed that they were able to recover from the attacks without paying ransoms (see Continuing Hospital Ransomware Attacks: A Call to Action).
In the interview, Musgrave also discusses:
- Cyber insurance issues involving ransomware attacks, including whether policies generally cover ransom payments to extortionists;
- Medical liability and patient safety issues concerning ransomware attacks;
- Factors driving the recent surge in ransomware and other cyber attacks hitting hospitals and other healthcare organizations.
Musgrave is senior vice president of technology for The Doctors Company. Previously, he was chief technology officer at Monitor Liability, a subsidiary of W.R. Berkley. For more than 20 years, Musgrave has primarily focused on technology within the property and casualty insurance industry.