- Details
- Category: Security News
Cybersecurity, Insider Threat, Risk Management
Arrest Comes Three Years After Snowden Leaks
Photo: The NSA's headquarters in Fort Meade
The FBI arrested a 51-year-old National Security Agency contractor in late August for allegedly stealing top-secret documents that could compromise national security if made public, the U.S. Department of Justice says. There are indications that the case could be resolved before an indictment is filed.
Harold T. Martin III was detained after investigators executed a search warrant on Aug. 27, finding hard copies and digital copies of classified information after searching a vehicle, storage sheds and his residence in Glen Burnie, Md., according to the Justice Department. Booz Allen Hamilton, Martin's employer, fired him upon learning of his arrest.
Martin's arrest on Aug. 27 was kept secret until a judge approved the unsealing of an FBI affidavit on Oct. 5. Martin has been charged in federal court in Maryland with theft of government property and unauthorized removal and retention of classified materials by a government employee or contractor.
Martin's case may come to a quick resolution. On Sept. 13, federal prosecutors asked the court for more time to file an indictment. The motion, which was unopposed by Martin's defense counsel, was granted by U.S. Magistrate Judge Beth P. Gesner. The new deadline is March 1, 2017.
In asking for an extension, prosecutors cited several reasons, including that attorneys are "exploring the possibility of resolving this matter prior to presentation of the case to a grand jury." Martin's public defender couldn't immediately be reached for comment.
If convicted, Martin could face one year in prison for the unauthorized removal and retention of classified materials charge and 10 years for theft of government property.
Shadow Brokers Link?
Martin's arrest comes three years after NSA contractor Edward Snowden, who also worked for Booz Allen Hamilton, rocked the intelligence world by leaking tens of thousands of documents describing sensitive government data collection programs and cyber-espionage tools used to infiltrate foreign networks (see How Did Snowden Breach NSA Systems?).
It's unclear from the FBI's affidavit if the material allegedly stolen by Martin has been publicly released. But his arrest came less than two weeks after a mysterious group called the Shadow Brokers released in mid-August cyber-espionage tools that many experts suspect were developed by the NSA (see Confirmed: Leaked Equation Group Hacking Tools Are Real).
The U.S. government appears to be particularly concerned about six documents investigators recovered, which the Justice Department says were drawn from sensitive intelligence and produced by a government agency in 2014. The documents are critical to a "wide variety of national security issues," the Justice Department claims.
"The disclosure of the documents would reveal those sensitive sources, methods and capabilities," according to the Justice Department's news release.
The Sept. 13 motion gives an indication of the volume of material involved in Martin's case. Thousands of pages of documents and dozens of computers and digital storage devices were taken after he was served with a search warrant, it reads.
"The digital media contained many terabytes of information that must be reviewed by appropriate authorities," according to the motion. In it, a footnote describes a terabyte as equivalent to 500 hours of digital video, 200,000 image files or 1 million electronic books.
How Many Leakers?
Since the Snowden disclosures, subsequent releases of secret information have led to speculation that a second person inside U.S. government intelligence circles may be leaking information.
The theory gained traction after the German publication Der Spiegel in December 2013 published a 50-page catalog of tools from the NSA's Tailored Access Operations unit, which focuses on offensive cyber operations. Der Spiegel did not describe its source for the catalog and did not attribute it to Snowden.
The U.S. government has said Snowden's disclosures caused severe damage to intelligence operations. Snowden, who has been living in Moscow since June 2013, says he leaked the documents to show how the U.S. government's surveillance techniques infringed on the Constitutional rights of Americans. But his claim of being a whistleblower hasn't curried favor with the government, and a presidential pardon seems unlikely.
A fresh blow was delivered to the U.S. government in August when a then-unknown group calling itself the Shadow Brokers released a sample of exploit code and hacking tools that experts say probably came from the NSA (see Mystery Surrounds Breach of NSA-Like Spying Toolset).
The Shadow Brokers set up an auction for an additional batch of secret data it claimed to possess. A note written by the group was filled with what many suspected to be intentional grammar errors contrived by a native English speaker, again fueling theories that an insider may be responsible for the leak.
The hacking tools were sometimes sloppily coded but nonetheless effective, targeting widely used networking equipment that, if compromised, would allow an attacker to intercept and decrypt traffic. Cisco was among the hardest hit vendors, and subsequently patched zero-day exploits in its latest firewalls.
Martin's Background
When investigators questioned Martin, he initially denied taking the documents. But he later admitted taking documents and digital files that he knew were classified, according to the Justice Department.
Martin's LinkedIn profile is still online. The profile, which is under the name Hal Martin, shows he started work in July 2015 as a technical advisor and investigator on offensive cyber issues. It does not list an employer. Before that, Martin's profile says he worked as a contractor and consultant after doing an eight-year stint in the U.S. Navy that ended in 1996.
Martin's profile says he started his PhD at University of Maryland, Baltimore County, in 2007 but that he is "trying to finish that dissertation."
Included in the profile is a link to Martin's academic web page, once hosted by UMBC. That web page is offline, but is still in Google's cache. The page contains a collection of links, including one to a research paper from 2014 that includes his university email address.
It appears Martin used his university email address to occasionally comment on security industry discussion forums. In February 2009, the same email address is listed on a discussion thread about the changing nature of applications hosted in data centers, referred to as cloud computing.
The post expresses an opinion about the security of applications that move around different data center environments and server farms. It warns of "commandos and dirty dozen types mounting the electronic castle walls," in an apparent reference to cyberattackers.
The post continued: "You just have to ask yourself if you are ready for digital aiki-do, or do you intend to let digital banditry win the day and plunder your lands. Up to you all. I'm ready if you are." The message was signed with the name "Sanjuro."
Dave Aitel, a former NSA research scientist who's now CEO of Immunity, posted an email he received from Martin in September 2012, in which he references practicing "Tomiki-ryu style Aikido." The email appears to be part of a discussion about activities at Infiltrate 2013, an annual security conference that Immunity runs.
A long list of information security weaknesses, including inadequate access controls, that a federal watchdog agency found at the Food and Drug Administration are similar to those found at many healthcare organizations, some security experts say. But the FDA should be held to an even higher standard than the organizations that implement FDA-regulated drugs and devices, they argue.
"These are weaknesses that are common everywhere," says Kate Borten, founder of the privacy and security consulting firm The Marblehead Group. "I would hope the FDA knows better but has staffing issues."
The Government Accountability Office report issued on Sept. 29 says that although the FDA has taken steps to safeguard seven systems GAO reviewed, a significant number of security control weaknesses jeopardize the confidentiality, integrity and availability of the agency's information and systems.
"The agency did not fully or consistently implement access controls, which are intended to prevent, limit and detect unauthorized access to computing resources," according to the GAO report. The report says the FDA did not always:
- Adequately protect the boundaries of its network;
- Consistently identify and authenticate system users;
- Limit users' access to only what was required to perform their duties;
- Encrypt sensitive data;
- Consistently audit and monitor system activity;
- Conduct physical security reviews of its facilities.
GAO also noted: "FDA conducted background investigations for personnel in sensitive positions, but weaknesses existed in other controls, such as those intended to manage the configurations of security features on and control changes to hardware and software; plan for contingencies, including systems disruptions and their recovery; and protect media such as tapes, disks and hard drives to ensure information on them was 'sanitized' and could not be retrieved after they are disposed of."
Federal Standards Missed?
GAO says the FDA control weaknesses existed, in part, "because FDA had not fully implemented an agencywide information security program, as required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002."
For example, GAO says the FDA did not ensure risk assessments for reviewed systems were comprehensive and addressed system threats; review or update security policies and procedures in a timely manner; complete system security plans for all reviewed systems or review them to ensure that the appropriate controls were selected; ensure that personnel with significant security responsibilities received training; always test security controls effectively and at least annually; and always ensure that identified security weaknesses were addressed in a timely manner.
"Until FDA rectifies these weaknesses, the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss," GAO writes.
Common Issues
Because the FDA is an important regulatory body within the Department of Health and Human Services, its security weaknesses are especially disturbing, some security experts say.
"These are fairly common weaknesses found during risk assessments and audits for a lot of different organizations, but for the FDA, which should be setting the example, and which has a fairly prescriptive requirement, namely FISMA, that they are supposed to be compliant with, this is a pretty damning appraisal of their performance," says Mac McMillan, CEO of security consultancy CynergisTek.
McMillan says three of the most troubling findings in the GAO report are "the technical vulnerabilities alluded to with the perimeter, access management and auditing and monitoring. What these three things combined say is that the FDA could be easy to breach, and then exploit, and might never even know it. That is about as serious as it gets."
GAO Recommendations
GAO reports that it's making 15 recommendations to the FDA to fully implement its agencywide information security program.
Some of those recommendations involve improvements to risk assessment; developing procedures for security controls, including identification and authentication; enhancing procedures for a number of security control families including access control and configuration management.
GAO also notes that in a separate report with limited distribution, it's recommending that FDA take 166 specific actions to resolve weaknesses in information security controls.
The report notes that FDA concurred with GAO's recommendations and has begun implementing several of them.
In a statement, the FDA notes it "takes very seriously the GAO report's recommendations, but the report's limited findings should not be broadly applied to the FDA's entire IT enterprise."
FDA also notes that it has not experienced any major data breaches that exposed industry or public health information.
"We recognize the risks associated with operating our large global IT enterprise and have implemented processes, procedures and tools to ensure the deterrence, prevention, detection and correction of incidents," the FDA statement notes. "In addition to addressing the majority of the recommendations identified in the GAO report, we have also undertaken several other key activities and initiatives to ensure our IT systems and sensitive information are appropriately protected by safeguarding against unauthorized disclosure, access or misuse."
Lessons in GAO Report
Borten, the security consultant, notes that the GAO reviewed "very standard information security controls that should be universally understood and applied." Together they constitute a security program, she says.
"They are all important; an adequate security program must have numerous controls," she says. "Whether mandated or not, it is distressing that today's government and businesses don't yet accept and apply them."
Covered entities and business associates should pay attention to the GAO's list of security shortcomings at the FDA, she stresses. "Hopefully, the takeaway isn't, 'since the FDA has these problems, we shouldn't be too concerned about our security program'," she says. "Instead, CEs and BAs should learn from this report what additional controls are essential and perhaps missing in their own programs."
Photo: Simon Richards (Creative Commons)
Britain's privacy watchdog agency has slammed TalkTalk with a record fine of £400,000 ($511,000) for information security failings that allowed a hacker to steal customer data "with ease."
The London-based TV, broadband, mobile and phone provider, formally known as TalkTalk Telecom Group, suffered a devastating breach last year that ran from Oct. 15 to 21. The incident could have been prevented had the company put some basic security measures in place, the U.K. Information Commissioner's Office determined (see 5 Lessons from the TalkTalk Hack).
The ICO imposed the fine after finding that TalkTalk, which trades on the London Stock Exchange, violated the U.K.'s Data Protection Act by failing to put proper security measures in place to safeguard user data.
The attacks against TalkTalk resulted in the exposure of personal data - name, address, date of birth, telephone number, email address and financial information - on almost 157,000 customers, plus bank accounts and sort codes for more than 15,000 customers, according to a partially redacted report published by the ICO.
"TalkTalk's failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk's systems with ease," Information Commissioner Elizabeth Denham says in a statement. "Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."
Database Unpatched
The ICO's report says that the TalkTalk breach involved infrastructure that was created by Italian telecommunications firm Tiscali - TalkTalk acquired its U.K. operations in 2009 - and in particular webpages that had access to a database called "Tiscali Master." The ICO says TalkTalk had failed to properly scan its infrastructure for potential threats and thus "was not aware that Tiscali's infrastructure included webpages that were still available via the internet in 2015" and which had access to the database and thus should have either been secured or removed.
In addition, TalkTalk was using an outdated version of the MySQL open source SQL database management system, which contained a known flaw that allowed the attacker to bypass access restrictions on the database. "The bug was first publicized in 2012 when a fix was made available by the software vendor," the ICO notes.
SQL Injection Attacks Could Have Been Prevented
After bypassing the access controls, the attacker then used the open source penetration testing tool sqlmap to scan the database for SQL injection flaws and exfiltrated data via a SQL injection attack, the ICO says. "User input was not validated," it adds, a step that could have blocked the SQL injection attack.
The ICO notes that TalkTalk failed to put proper defenses in place against SQL injection exploits despite having suffered a successful SQL injection attack on July 17, 2015, followed by another such attack less than two months later.
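The ICO's two findings above, an unvalidated user input and a query the attacker could bend with it, are easiest to see side by side. The following is an added example, not code from the ICO report or from TalkTalk: an in-memory SQLite database stands in for the MySQL instance (an assumption), the `customer` table, its columns and the `AC-nnnn` account-id format are constructed for the demo, and the three customer rows are made up. The vulnerable lookup pastes the input into the SQL text; the hardened one validates the input's shape first and then passes it as a bound parameter, so the database never parses it as SQL.

```python
"""Vulnerable vs. hardened customer lookup (added example, not from the page).

Assumptions: SQLite stands in for MySQL; table name, column names and the
AC-nnnn account-id format are invented for this demonstration.
"""
import re
import sqlite3

# Constructed sample data: none of these customers are real.
CUSTOMERS = [
    ("AC-1001", "Alice Example", "alice@example.invalid", "11-22-33"),
    ("AC-1002", "Bob Example", "bob@example.invalid", "44-55-66"),
    ("AC-1003", "Carol Example", "carol@example.invalid", "77-88-99"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (account_id TEXT, name TEXT, email TEXT, sort_code TEXT)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, account_id):
    """The flawed pattern: untrusted input becomes part of the SQL text.

    Whatever the caller supplies is parsed by the database as SQL, so a
    value that closes the quote and adds a condition changes the query's
    logic instead of being compared as a literal.
    """
    sql = f"SELECT name, email, sort_code FROM customer WHERE account_id = '{account_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account_id):
    """Fix 1: bind the value as a parameter.

    The driver ships the SQL text and the value separately; the value is
    only ever compared against the column, never parsed.
    """
    sql = "SELECT name, email, sort_code FROM customer WHERE account_id = ?"
    return conn.execute(sql, (account_id,)).fetchall()


# Fix 2: validate input shape before the database is touched. The format is
# an assumption for this demo; use the real identifier's grammar in practice.
ACCOUNT_ID_RE = re.compile(r"AC-\d{4}")


def lookup_hardened(conn, account_id):
    """Both layers: reject malformed ids, then query with a bound parameter."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("malformed account id")
    return lookup_parameterized(conn, account_id)


def demo():
    """Run the same inputs through each lookup and report what came back."""
    conn = make_db()
    normal = "AC-1002"
    # Classic textbook tautology: closes the quote and appends an always-true clause.
    tautology = "' OR '1'='1"
    results = {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "parameterized_tautology": len(lookup_parameterized(conn, tautology)),
        "hardened_normal": len(lookup_hardened(conn, normal)),
    }
    try:
        lookup_hardened(conn, tautology)
        results["hardened_tautology"] = "accepted"
    except ValueError:
        results["hardened_tautology"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the vulnerable lookup returning one row for a real id but all three rows for the tautology, the parameterized lookup returning zero rows for the same string because it is compared as a literal, and the hardened lookup refusing the string before any query runs. Either layer alone would have blocked this input; keeping both means a validation gap elsewhere in the application does not reopen the database.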
The maximum fine that the ICO can levy is £500,000 ($635,000). TalkTalk likely wasn't slammed with the maximum penalty because the privacy watchdog report found that the security failings were not a deliberate attempt "to ignore or bypass" the Data Protection Act, but rather amounted to "serious oversight."
In addition, the ICO report notes that TalkTalk cooperated fully with investigators; notified its customers and offered 12 months of free credit monitoring; and has since undertaken appropriate remedial action.
Reminder: Duty to Customers
But the ICO says the episode is a reminder that no organization should overlook cybersecurity concerns or skip basic information security practices.
"Today's record fine acts as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue," the ICO's Denham says. "Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."
If TalkTalk pays the fine by Nov. 1 without contesting it, then the ICO notes that the monetary penalty will be reduced by 20 percent to £320,000 ($405,000).
That's a far cry from the fine that could have been imposed on TalkTalk under the EU General Data Protection Regulation, which U.K. businesses will be required to comply with as of May 2018, at least until Britain negotiates its "Brexit" from the EU. Under the GDPR, information commissioners can fine firms that violate EU privacy law up to 4 percent of their global annual revenue or €20 million ($22.5 million) - whichever is greater.
TalkTalk in February reported that the breach had already cost it £50 million ($76 million) and led to the loss of 100,000 customers.
London's Metropolitan Police is continuing a criminal investigation into the attack against TalkTalk.
So far, six individuals - ages 15 to 20 - have been arrested in connection with the attacks or subsequent attempts to blackmail TalkTalk (see TalkTalk Hack: UK Police Bust Teenage Suspect).
Cybersecurity, Risk Management
But Brexit May Down Europol and Intelligence-Sharing Efforts
Photo: Ciaran Martin, chief executive of the National Cyber Security Center (©GCHQ)
The U.K. government on Oct. 3 launched a new National Cyber Security Center to help British organizations better defend against cyberattacks and respond to security incidents.
The new center is part of GCHQ, Britain's signals intelligence and cybersecurity agency that's comparable to the U.S. National Security Agency. It's being led by Ciaran Martin, a career civil servant who previously helped GCHQ connect with private industry via his position as director general for government and industry cybersecurity.
"Our role is helping to make the U.K. the safest place to live and do business online. So we're going to tackle the major threats from hostile states and criminal gangs," Martin says in a statement. "But we're also going to work tirelessly to automatically protect people from those smaller scale and deeply damaging attacks that cause so much disruption and frustration. We'll also continue our work helping people and businesses understand better what they need to do to protect themselves."
NCSC brings together CESG - the information security arm of GCHQ - as well as the Center for Cyber Assessment, Britain's computer emergency response team CERT-UK and the cyber-related responsibilities of the country's Center for the Protection of National Infrastructure.
CESG is now part of the National Cyber Security Centre #UKNCSC please follow us @ncsc and have a look at the website https://t.co/3SuePp1mO7
In a speech delivered at a September cybersecurity summit in Washington, Martin noted that the National Cyber Security Center will include security experts drawn from the domestic security service - MI5 - as well as CERT-UK and GCHQ. "We'll have formalized and integrated operational partnerships with law enforcement, defense and private industry," he said.
Even so, "being part of the intelligence community poses challenges" for the new center, because it needs to focus not on intelligence gathering, but incident response, he noted. To help, he said in his speech that the center will be reviewing the effectiveness of U.S. Presidential Policy Directive 41. Released in July, PPD-41 specifies how U.S. federal agencies will respond "to any cyber incident, whether involving government or private sector entities," and also creates a framework for federal agencies to respond to "significant cyber incidents."
Based in London
Photo: NCSC will be headquartered at London's new Nova building.
Plans for NCSC were announced in November 2015 by George Osborne, then the Tory government's chancellor of the exchequer. He said the center would comprise the nation's first "cyber force" tasked with handling major cyber incidents. The center was to be based in Cheltenham, where GCHQ is headquartered, according to the original announcement.
But now the government plans to locate NCSC in central London at the Nova building, the newspaper Evening Standard reports, adding that at least half of the center's staff will be based there.
Police Intelligence-Sharing Uncertainty
As Britain stands up NCSC to help U.K. organizations better battle online attacks, however, critical intelligence-sharing and policing efforts for combating cybercrime may be falling down.
The reason is simple: Brexit. In a June referendum on Britain's EU membership, a majority of voters opted for their country to exit the European Union.
While the British government continues to attempt to sort out what that means and when related moves will take place, current intelligence-sharing efforts in place via the EU's law enforcement intelligence agency Europol and its Electronic Cybercrime Center, or EC3, are at risk.
Those risks cut both ways. Britain has played a vital role in establishing and running Europol and EC3, and their respective leaders are British civil servant Rob Wainwright and Police Scotland veteran Steven Wilson.
One near-term deadline is the end of 2016, which is when the U.K. government must opt in again to Europol, or risk its domestic law enforcement organizations losing access to Europol's resources - including European arrest warrants, which allow any EU member state to issue EU-wide arrest warrants beginning in June 2017.
The Scottish government has urged the U.K. government to sign membership protocols that would ensure that the U.K. remains a Europol member, at least pending the close of the Article 50 Brexit negotiations, which currently look like they'll wrap up in April 2019.
"The ability to share information quickly and coordinate operations with other law enforcement agencies through Europol is key to detecting, disrupting and detaining criminals across borders," Scotland's Justice Secretary Michael Matheson says in a statement. "That is necessary to keep Scotland and the rest of the U.K. safer from the threats of organized crime, cybercrime and terrorism."
UK Government Has No Europol Plan, Yet
But a representative for the U.K.'s Home Office, which oversees the country's security and law and order arrangements, told the BBC that the government hasn't yet decided what to do, but will decide "in due course."
The representative adds that the government plans to push for continued intelligence sharing post-Brexit. "The prime minister has stated that law enforcement cooperation will continue when the U.K. is outside the EU," the representative said. "We will do what is necessary to keep our people safe. We are exploring options for cooperation arrangements with Europol once the U.K. has left the EU, but it is too early to speculate at this stage what future arrangements may look like."
One significant wrinkle, however, is that Europol is an EU agency; full access is reserved for EU members. By exiting the EU, Britain forfeits the right to belong to Europol and potentially to use such EU judicial instruments as EU arrest warrants.
Borderless Crime Challenges
One rallying cry of Britain's "Leave" campaigners was to "take back control of our borders." Given the borderless nature of so much crime today, however, Brexit may make it more difficult, from a law enforcement perspective, for Britain to battle cybercrime (see Police After Brexit: Keep Calm and Carry On).
Already, some EU officials have suggested that they plan to make an example of Britain to the other 27 EU member states, demonstrating what's at risk if they too choose to leave. As a result, Britain may find itself with far less access to EU agency resources. Accordingly, it may need the new NCSC more than ever.
Markus Jakobsson, Chief Scientist at Agari, has released a new book focused on socially-engineered schemes. What are the key takeaways, and how can security leaders improve their abilities to fight back against the schemers?
The title of the new book is Understanding Social Engineering Based Schemes. And its mission is three-fold, Jakobsson says. He wants to profile today's most common schemes, forecast some future trends, and then to help organizations build effective countermeasures.
The first line of defense, he says, is for organizations to rid themselves of the mindset that their people won't fall for socially engineered schemes.
"People need to understand that [social engineering] can and might happen to them," Jakobsson says. "And they also need to recognize that spam filters alone won't detect and deter the scams. Spam filters are designed to, and do a somewhat reasonable job at defending against spam, but spam is totally different from these targeted attacks. They're not large volumes, they don't speak about Viagra, and they are very much looking like business-as-usual conversations."
In an interview about the contents of his new book, Jakobsson discusses:
- The evolution of socially-engineered schemes;
- Why these scams are still so successful;
- Technology solutions that can help detect and deter the scammers.
Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist and entrepreneur, studying phishing, crimeware and mobile security at leading organizations. In his role at Agari, he leads the company's security research with a focus on using advanced data science to prevent email attacks.
Prior to Agari, Jakobsson spearheaded research in malware, authentication, fraud, user interfaces and security technologies for Qualcomm. He also co-founded three digital startups - ZapFraud, RavenWhite and FatSkunk - spanning email fraud prevention, user authentication, mobile malware detection and secure user messaging. In addition, Jakobsson has held key roles as Principal Scientist at PayPal, Xerox PARC and RSA Security.
Jakobsson is an esteemed thought leader in the security space. He has written several books, published more than 100 peer-reviewed conference and journal articles, and holds more than 100 patents. Jakobsson is a visiting research fellow of the Anti-Phishing Working Group (APWG).