As a Security consultant, I marvel at some of the excuses that business owners offer when I suggest they institute a Security Awareness training program for their staff that use computers. I hear some management use the excuse “Oh, my people know better than to fall for that!” Recent studies plus our own professional experience prove that to be false. 95% of all Ransomware events in the U.S. began because an employee opened an infected e-mail or instant message. A Wombat Security Technologies study recently revealed that nearly one third of employees don’t know what phishing is and the concept of Ransomware is an unknown concept to nearly two-thirds of workers.
Other managers offer the excuse “We just don’t have the budget for that!”. I recently sat with the IT Director of a multi-million dollar company that had 40 office employees and he couldn’t find budget room for $2 per month for each employee to be trained regularly on Security Awareness for their organization. That’s about $960 for the entire year to improve their security awareness to protect the company IT systems for his entire office staff! They probably pay more than that just to mow their lawn and trim the bushes outside of the office. A single ransomware event will probably cost that organization more than 50 times that when it happens!
Ransomware and related e-mail borne malware that can take out an entire server in minutes can be a very expensive consequence of an employee falling victim to a socially engineered e-mail who’s tricked into opening an infected email that then takes down the network. While ransomware email exploits have dropped in recent months, the surge in crypto-malware has more than offset that drop. While ransomware has decreased, it hasn’t gone away and the cost of recovering from such a destructive event plus the cost of lost productivity caused by the disruption is no small consequence. When all costs are considered ransomware events can run into the tens of thousands of dollars for even a small organization.
Why do hackers use socially engineered emails and media posts? Simple! It’s cheap, it’s easy and it works! What should they try to hack your network when it’s so much eassier to trick your employees into letting you in?
Industry statistic reveal that the #1 biggest security vulnerability in any organization is their own staff. Over 90% of all hacking and malware events is U.S. businesses can be directly attributable to employee errors or malfeasance. All of the hardware and software investments in security products can’t offset the risk of human error. Spending pennies per day to make your employees more aware of how to better protect your business and themselves seems a pretty easy call but . . .
To wrap up, it’s been proven in numerous studies that the #1 risk for you network is employee error and the most common delivery mechanism of threats to your business are e-mails and social media. Improving employee awareness of the risks they face every day not only with e-mail but weak passwords and general lax security practices should be a critical concern to every business.
Training should also not a “one and done” proposition. Keeping current fighting off those who would exploit your staff to gain access to your network is a constantly evolving proposition. Training must be consistent and constantly updated to stay abreast of the evolving threats you staff faces week after week. Like all processes you also have to constantly test the training to see how well the information is being retained by your employees. It’s critical that your staff be periodically tested with fake exploits to see how they react. If they fall for the fakes, it’s important that they experience follow-up training to improve their retention.
Certainly, you’ve got to keep investing in improved hardware and software threat mitigation processes like firewalls, intrusion detection devices and such but remember, the number #1 most exploited resources in your organization are your employees. Failing to recognize that will lead to eventual catastrophic results. Don’t be penny wise and pound foolish! Train your staff regularly on Security Awareness before it’s too late.
Jeff Hoffman is president of ACT Network Solutions, an IT Security Provider that has been serving the greater Chicago area for over 30 years. If you need help improving the security environment of your business, Jeff can be reached at email@example.com or by phone at (847) 639-7000.
The FBI recently reported that Business Email Compromise (BEC) scams cost businesses $5.3 billion between 2013 to 2016. Worse yet, cloud-security vendor Trend Micro predicts these losses will exceed $9 billion by the end of 2018.
How does a Business Email Compromise work?
Here’s an example. An elaborate BEC scam by Lithuanian Evaldas Rimasauskas convinced Facebook and Google employees to transfer tens of millions of dollars to him. Rimasauskas used invoices and corporate stamps to impersonate a foreign manufacturer.. While the scam was eventually detected, a security awareness training program could have prevented the problem in the first place. Even big companies often over-estimate the security awareness of their staffs and wind up paying the price.
What are the most common types of BEC exploits?
Fake Invoice Schemes
Attackers send a fake invoice, usually impersonating a foreign supplier
Attackers pretend to be a company executive and demand an urgent wire transfer from a junior employee
Attacker hacks an employee email account and requests payments from vendors
Attackers impersonate a lawyer or other official who handles confidential information, and requests more sensitive data.
Attackers target HR and accounting employees to steal sensitive data, including tax information.
How can I reduce the risk of BEC scams?
Motivate Your Workforce to Care About Security with recurring and consistent security awareness training. One-and-done training just doesn’t cut it !
You can send your employees realistic attack simulations to increase their awareness of BEC attacks. Simulation training shows them what to look for so that awareness is raised. If your employee falls victim to the simulated exploit, initiate a remedial training for them until they get it right.
Institute SPAM scrubbing technology on all incoming e-mails from a leader in malware detection to reduce the amount of BES exploits getting through to your staff.
Implement pattern recognition software that can detect confidential information in outgoing e-mails before it leaves your business to warning of confidential data leakage.
If you need help creating an effective security plan that includes BEC exploit protection, give us a call at (847) 639-7000 or e-mail firstname.lastname@example.org
The press release below from HHS about HIPAA penalties just came across my desk and I thought you might be interested. This $4.3 million penalty involved the Covered Entity failing to encrypt portable devices despite having policies in place that required that encryption be performed on all portable devices. This penalty against the University of Texas Cancer Center resulted from the theft of an un-encrypted laptop from the residence of an employee and the loss of two un-encrypted thumb drives containing the un-encrypted electronic protected health information (ePHI) of over 33,500 individuals.
This appears to be a case of the tech department not knowing the security policies or just flat out ignoring them. Healthcare providers can’t just take their tech staffs assurances of complete security protection for granted. There should always be an audit to insure that your rules are being followed and enforced.
What’s your policy on encrypting mobile/portable devices? Do you enforce that policy? Are all of the USB ports on your desktop PC’s turned off or at least set to encrypt any data that is written through them?
If you don’t know that answers to these questions, maybe it’s time to give me a call so we can develop a plan to deal with this Risk before someone steals one of your notebooks that contains patient information or an employee takes PHI off-site on a flash drive without your knowledge.
ACT Network Solutions
Department of Health and Human Services – Office of Civil Rights
Press Release Date: June 18, 2018
Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations
A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.
MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011 , and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html
If you believe that a person or organization covered by the Privacy and Security Rules (a “covered entity”) violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR.&NBSP; For additional information about how to file a complaint, visit OCR’s web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.
Was your web site created with Drupal?
You might be a victim of a hijacking by Cryptocurrency Miners!
Jeremy Kirk of Data Breach Today reports that hundreds of web sites have been hacked and their sites are being used by Cryptocurrency miners at the expense of site performance by driving up CPU utilization for infected sites.
The website for San Diego Zoo is one of hundreds that have fallen victim to Monero miners via a flaw in Drupal code. A remote code execution vulnerability revealed in late March in the Drupal content management system is now being used on a large scale for mining virtual currency.
The number of websites that have fallen victim to cryptocurrency hijacking attacks now numbers more than 400. Various U.S. government sites, including the National Labor Relations Board and the Office of Inspector General of the U.S. Equal Employment Opportunity Commission, have also been hit.
The code planted on the infected websites “mines” the privacy-focused virtual currency Monero. Mining is the process that virtual currencies use to verify transactions on a blockchain. When users visit an infected website, their computer begins generating hashes as part of a pooled effort to complete a block for the blockchain. The mining ends, however, when someone closes the browser tab. If the blockchain is completed, the hackers are credited with a unit of the Monero cryptocurrency and the web host and the visitor that triggered the mining are non-the-wiser.
There are now extensions that users can employ on the client side to detect and stop virtual currency mining but the responsibility to truly stopping it relies on websites ensuring they’re not infected in the first place.
E-mail Phishing exploits exposed ATI Physical Therapy 35,000 patient records!
Hackers got access to employee email accounts belonging to several employees of Bolingbrook-based ATI Physical Therapy and stole information on 35,000 patients. The company noticed the problem in January when it appeared that payroll direct deposit records were changed in their payroll system for a number of employees.
This led to ATI hiring an independent forensics team that discovered that confidential personal health information for about 35,000 patients of ATI and some subsidiaries were breached.
The data breached varied by patient, but could include a combination of Social Security numbers, driver’s license or state identification numbers, Medicare or Medicaid identification numbers, and medical record numbers, along with a wide range of medical information.
Impacted patients were notified by mail and offered a year of free credit monitoring, along with a $1 million identity theft insurance policy.
Bolingbrook, Illinois based ATI Physical Therapy has over 100 clinics in Illinois.
The third-party forensics team determined that several employee email accounts were hacked between Jan. 9 and Jan. 12. It appears that some employees fell victim to a phishing scam email campaign that exposed both patient and employee confidential information.
The investigation is ongoing, and ATI officials said they’ve since strengthened email security to protect against future breaches. Employees were also provided additional training to better detect phishing emails.
In a separate incident in January, Florida’s Agency of Healthcare Administration reported a breach of 30,000 patient records after an employee also fell for a phishing email which allowed hackers to access Medicaid enrollee data, including some Social Security numbers.
A recent data security incident affected about 53,000 patients receiving services from Onco360 and CareMed Specialty Pharmacy. On November 30, 2017, a forensic investigation determined that an unauthorized user appeared to have gained access to email accounts of three employees. A detailed review of the impacted e-mail accounts was performed, and on January 8, 2018, it was determined that e-mails from those accounts may have contained demographic information, medication and clinical information, health insurance information and Social Security numbers of some of the patients receiving services from Onco360 and CareMed Specialty Pharmacy. Onco360 and CareMed Specialty Pharmacy are subsidiaries of PharMerica and located in Louisville, KY.
On Friday April 20, Twitter banned ads from Moscow-based Kaspersky Labs citing conflicts with advertising rules but also citing U.S. government claims that Kaspersky has ties to Russian intelligence agencies.
There have been rumblings for years in security circles that Kaspersky has been tied to Russian intelligence so this announcement actually didn’t surprise many people. There has never been any direct proof of cooperation been the company and the Russian government but the potential for backdoor entry points onto sensitive computers using one of the most popular anti-virus products on the market has raised security concerns around the world.
It must be pointed out that Kaspersky is a Russia-based company and their anti-malware software has been frequently rated highly by industry ratings services. The reported Russian hacking and disinformation activities during the last election has raised the public sensitivity to state-sponsored hacking.
Earlier in the year Washington charged that Kaspersky Lab has close ties to intelligence agencies in Moscow and its software could be used to enable Russian spying, which prompted the Trump administration to ban its products from U.S. government networks. Kaspersky has repeatedly denied those allegations and it has asked a U.S. federal court to overturn the American ban.
Department of Homeland Security cyber-security official Jeanette Manfra said her agency has not instructed U.S. companies to punish Kaspersky. “We laid out a very transparent process and how we came to our decision,” to ban Kaspersky products from government networks, she said at a panel at the RSA security conference in San Francisco. “I would defer to the companies for how they made their decisions.”
Kaspersky said that only Twitter has banned their advertising but other social media companies have taken action regarding Kaspersky Lab earlier. Facebook said it had removed Kaspersky Lab from a list of anti-virus offerings to users in January. Twitter also said it was responding to a Department of Homeland Security warning of a threat to national security posed by Russian government access to Kaspersky products.
The Czech Republic has extradited a Russian national, Yevgeniy Nikulin to the United States, where he’s accused of hacking attempts in the U.S. since 2012. A federal grand jury indicted him in 2016 for breaking into Dropbox, Formspring and LinkedIn. .
American prosecutors had been vying with Russia to extradite Nikulin ever since the FBI cooperated with Czech authorities to arrest him in 2016. After he was arrested in The Czech Republic, a court in Moscow issued its own arrest warrant for allegedly electronically stealing several thousand dollars within Webmoney back in 2009 to get him back to Russia. The Czech president, Milos Zeman predictably called for Nikulin to be handed back to Russia, but the country’s Justice Minister Robert Pelikan instead chose to send him to the US.
Nikulin is now in transit to the U.S. to stand trial. At this time it’s unclear what additional charges he may face. It’s not often the the U.S. receives cooperation from foreign governments like this so hopefully this is a possible hint that things may change in the future. We’ll see.
Daniel Burnham once said “Make no little plans; they have no magic to stir men’s blood and probably themselves will not be realized. Make big plans; aim high in hope and work, remembering that a noble, logical diagram once recorded will never die, but long after we are gone be a living thing, asserting itself with ever-growing insistency.”
Elon Musk must be the modern embodiment of that philosophy. He’s been a leader in so many different technological categories from electric cars, modern battery development, private space advancements and now his plans call for revolutionizing Internet communications.
On Thursday, Washington gave formal approval to a plan by Elon Musk’s SpaceX company to build a global broadband network using up to 4,425 low-Earth orbit satellites. SpaceX plans to launch a Falcon 9 rocket on April 2 at Cape Canaveral, Florida. “The rocket will carry a communications satellite,” the FAA said.
“This is an important step toward SpaceX building a next-generation satellite network that can link the globe with reliable and affordable broadband service, especially reaching those who are not yet connected,” SpaceX Chief Operating Officer Gwynne Shotwell said according to Reuters. About 14 million rural Americans and 1.2 million Americans on tribal lands lack mobile broadband even at relatively slow speeds.
The FCC said SpaceX has been granted authority to use frequencies in the Ka (20/30 GHz) and Ku (11/14 GHz) bands.
Musk, who is also the founder and chief executive of electric automaker Tesla Inc (TSLA.O), said in 2015 that SpaceX planned to launch a satellite-internet business that would help fund a future city on Mars.
Korea Olympics Hacked
Thanks to our friends at Barkly Protects, we’ve learned of a recent Malware attack at the South Korea Olympics.
Researchers have confirmed that a cyber-attack hit Olympic computer systems during the opening ceremonies on Friday. While information about the attack is limited, officials did acknowledge that some non-critical systems were affected by the attack.
Fortunately, damage was limited to non-critical systems but recovery still took roughly 12 hours. Organizers acknowledge that the attacker was operating with considerable knowledge of the Olympic infrastructure, which remains a significant cause for concern.
Researchers at Cisco's Talos group say they've been able to identify the malware samples utilized in the attack. It also appears that the perpetrators behind this attack were able to utilize a variety of technical details specific to the Olympic systems, including usernames, domain name, server name, and passwords.
It appears that the purpose of the attack was not to steal information but to spread quickly and knock down as many systems as possible. People in the industry are calling this exploit “Olympic Destroyer”.