TrickBot: The Picky Malware

It’s often assumed that malware is created to spread to as many recipients, as quickly as possible. With email and social media being the main channels for the spread, you might think that malware infects its victims randomly. However, that’s not always the case. Some malware goes after the big fish, targeting only a specific kind of audience, or even an industry sector.

One such malware that has gained media coverage for mimicking WannaCry is TrickBot. Around late 2016, TrickBot was originally engineered by hackers to resemble yet another malware called Dyre Trojan in terms of its stealthy infection methods, which include customized redirection attacks, and the way it reaches new endpoints. However, some believe TrickBot was also inspired by WannaCry in its adoption of a worm module to incorporate self-spreading capabilities.

While the characteristics of TrickBot may resemble other Trojan malware, it is pretty unique in terms of its preferred methods of attack, target, and geographical presence. So how does it work and who does it target?

How TrickBot Is Different

The masterminds behind TrickBot use an email spam campaign to spread their malware, using malicious files and attachments in emails as a way to avoid detection by malware scanning software. Those spreading the TrickBot malware have also become experts at using redirection attacks to their advantage.

While other Trojan malware popularized the redirection technique in 2014, TrickBot took it a step further. Most are familiar with how a simple redirection attack works — users are redirected to counterfeit sites hosted on a malicious server where hackers can elicit sensitive information like login credentials or financial information.

A careful user under a simple redirection attack might notice the suspicious change in web address after clicking on a link. However, TrickBot uses an advanced technique in which, instead of hosting a fake website on separate servers, a “live connection” is kept with the original webpage. The victim is therefore less suspicious of the site, since the address bar displays the correct URL and, if SSL is enabled, the page’s digital certificate.

TrickBot’s Global Takeover in the Banking Industry

Targeting financial institutions and banking sites elicits the most gains for those behind TrickBot. Because of their ability to redirect users to copy-cat sites, hackers can mimic authentic-looking banking sites and trick users into revealing their personal information. With the malware, hackers can extract and steal login credentials, authentication and security codes, and other personally identifiable information (PII), which they then convert into monetary gains.

Therefore, by focusing on private banks, wealth management firms, and other types of investment banking, TrickBot has been wildly successful. When it first emerged, it was targeting mainly the English-speaking world — US, Australia, Canada, Singapore and so on — but now its spread spans over 24 countries. This includes financial institutions in India, Malaysia, Israel, United Arab Emirates, Finland, Germany and other parts of Europe.

TrickBot has been deemed the “first and only banking Trojan” to spread across this many regions and be dynamic enough to succeed in such diverse linguistic contexts. With research by IBM X-Force indicating that TrickBot currently accounts for 4% of all attacks on a global scale, TrickBot will likely expand its attack scope with increased activity worldwide.

Fighting against malware is a major struggle for many businesses, but knowing which kind of cyber attacks are most prevalent in which industries is a great place to start. The next step, of course, should involve preventive actions. Learn more in our other post on how businesses can keep their websites protected from malware, even from a sneaky malware like TrickBot.

Biometrics in Action: Where Are Popular Forms of Authentication Being Used?

We’ve discussed the differences between two-factor authentication (2FA) and multi-factor authentication (MFA) in a blog post over at Cloudbric, and one of the differentiating factors discussed was inherence factors. Inherence factors are criteria that relate to “something you are,” and therefore include identifiable biometric characteristics — iris scans, fingerprints, voice authentication all fall under this category.

Because hackers are developing more sophisticated methods for cracking passwords, the extra layers of authentication that businesses have to integrate can complicate the process greatly for users and employees. This is why businesses are naturally turning to single sign-on (SSO) options to carefully secure their information. SSO utilizes elements from 2FA and MFA with a growing trend of utilizing biometrics identification in particular. Businesses have noted that biometric authentication has helped increase security, convenience, and cost savings as they provide stronger security and reliability. So how is biometric authentication being used across different industries?

Iris scans

Because a person’s iris remains stable throughout an individual’s entire lifespan, iris scans serve as a suitable form of authentication in differentiating the identity of one individual from the next. An iris scan utilizes mathematical patterns to distinguish each unique iris by observing a high quality, undistorted image of it. It is then compared against patterns in a database until a match is found. Iris scans are deemed one of the most accurate ways of identifying a person due to their ability to recognize a distinct iris rapidly with low error rates.

Unfortunately, as cool as it sounds, only a handful of industries are utilizing iris scans with installations primarily in the military and government. In the government sector, immigration centers are using iris scans to better streamline nationals entering the country, facilitating a much faster authentication process. In airports, it is also used to expedite security clearance for airline crew members, once again streamlining operations so flights may depart and arrive in a timely manner.

Recently, law enforcement has begun to pick up on the trend, but not without backlash over privacy protections. The FBI for example has collected 430,000 iris scans for a “pilot program” in order to test a new kind of surveillance technology. These iris scans would allow for criminals and/or suspects to be identified or tracked down more quickly.

Fingerprints

By now, you’re probably accustomed to using your fingerprint as a method for unlocking your smartphone, but fingerprints have their uses in a multitude of places. Your fingerprint patterns are formed by the unique ridges and furrows of your fingertips. Like iris scans, fingerprints will remain the same throughout an individual’s entire life. In fact, no two fingerprints are alike, even for identical twins. After being scanned, fingerprints are tested against an existing database and compared against all other stored fingerprint patterns to find a match.

Besides its usefulness in law enforcement, private companies have also begun to utilize fingerprints to verify identities. In the service/hospitality sector, hotels have used fingerprints as a way for guests to access their rooms. This offers a more secure way than hotel cards or keys, which could easily be lost or stolen, to access certain services. With the introduction of authentication through fingerprints, companies are considering doing away with “smart” cards. Previously, these smart cards allowed for a smooth experience for the guest staying at the hotels by allowing them to pay for certain services, check in and out, or even save preferences through the smart card. The fingerprint could do all that — and even better, by being more secure and convenient at the same time.

Voice Authentication

Voice as a form of authentication works in a slightly different way than iris scans or fingerprints. This is due to the fact that the physical presence is not necessarily required and voice authentication can be done remotely. An added benefit is that it is less intrusive than an iris scan. However, voice recognition works similarly in other ways. A user first records samples of their voice, which are stored in a database and referred to as a voiceprint. At the time the authentication is being requested, the individual’s voice must match the voiceprint for authentication to be granted.

Because of its benefits and feasibility, voice authentication is the most widely used across different industries, primarily in commerce and finance, finding a niche with banks and security in particular. Utilizing voice authentication in mobile banking, kiosks, ATMs, and safety deposit lockers makes it easier to verify a person’s identity before they are allowed to use those services.

While industries using biometrics as a way to verify the identity of their customers are increasing in number, the idea is still relatively new. With potential benefits of reducing operational costs, streamlining processes for gaining access to services or reaching destinations faster, more authentication solutions will likely incorporate biometric elements in the future.

Electric Vehicle Charging Infrastructure and the Cloud: So Many Possibilities, So Much Risk

Automobiles and the Cloud are merging, and the charging stations needed to operate Electric Vehicles (EVs) are no exception to this convergence. Bringing the Cloud closer to EV charging stations allows for a bevy of new possibilities, including a Common Charging Systems (CCS) platform that allows drivers to use EVs on long trips and charge up even when far away from home. But because the Cloud is based on the Internet, it also brings a lot of risk that demands a cohesive security and privacy protection strategy. This column will discuss some of the possibilities generated by new features and services, as well as cover the inherent risks of linking our EV charging stations with the Cloud. Four key recommendations to deal with these risks will follow.

The Possibilities: Bringing the Smart Grid to EV Charging

State-of-the-art EV charging stations utilize the Smart Grid, an electric supply network that uses Information & Communications Technology (ICT) to detect usage. Generally speaking, this means that these charging stations harness the power of ICT to process financial transactions and other services, in addition to supplying the actual EV fuel (i.e., electric power) itself. This infrastructure can optimize efficient energy utilization with interactive and real-time information exchange to manage power transmission, power consumption, authentication, payment, and other energy-related services.

It’s difficult to overestimate the impact an ICT-driven EV car-charging infrastructure would have on our daily lives. Let’s just address three segments: 1) electricity suppliers, 2) car owners, and 3) charging station operators (i.e., the equivalent of gas stations for petrol cars).

The introduction of ICT into EV charging is expected to result in more accurate energy consumption billings, which is attractive to utility companies and/or utility brokers. While paltry when compared against petroleum, electric power required to run these cars can still generate considerable costs. Inaccurate dispensing of fuel hurts suppliers’ bottom lines, and therefore should matter to shareholders. This impact on performance can only be expected to become more significant as more EVs hit the road. The Smart Grid, when utilized and secured correctly, can assure the integrity of usage rates in a way that was previously not possible.

For car owners, this technological advancement toward a CCS standard means more charging stations, since they will be cheaper and easier for service providers to install than their previous-generation counterparts. Also, this technology may improve services or introduce new ones, powered by the massive amount of user data that would be gathered through the Cloud. A uniform CCS standard would also make the equivalent of “data/text roaming” a possibility for electric vehicle owners. Just as phones work in foreign countries with roaming enabled, the CCS system is expected to allow drivers to drive to other regions and use charging stations there as conveniently as they would back in their home city. For instance, the transition from a membership-based charging facility to a standard CCS infrastructure is already happening in Europe, where residents can drive freely within the European Union territory.

But what about people who will install and operate EV charging stations, much like the way that petroleum cars have gas stations today? Up to now, EV charging stations have been limited to bulky and expensive equipment that runs on Point-of-Sale technology. Due to their high costs to purchase and operate, these stations have only been deployed in a small number of locations. By applying ICT technology, these charging stations are expected to be much lighter, both in terms of hardware and software required to run them. This will allow more charge stations to be built in the future, resulting in a more robust charging infrastructure for EVs.

Risks of Bringing the Cloud to EV Charging Stations

But all of these advancements and advantages come with a steep price. The ICT technology required to make all of this possible is extremely vulnerable to cyber attack. After all, the Cloud is powered by the Internet, and the Internet, while an open platform that makes most of the convenience we enjoy today possible, also attracts an endless brood of bad actors with bad intentions. Let’s address the groups who benefited greatly in the last section – electric providers, car owners, and charging station operators.

For electric power operators, CCS presents a profound dilemma. At first glance, following a CCS standard that is connected to the web offers tremendous upsides: more customers to serve, an attractive accounting system that allows for accurate billing, and even ancillary services to provide new revenue streams. But then come the downsides of the Cloud – the same Cloud which enables all of these attractive possibilities can be broken into by hackers to steal power, consumer information, or in some cases even shut down access. Indeed, the buzz of the possibilities of this new future is undermined by the sobering reality that hackers will try to cause havoc. Much like the internet itself, a new way to do things for the electric provider is simultaneously a new and green field for hackers to exploit.

For drivers, the availability of electric power at these stations could be undermined by attacks. The absence of fuel could at the very least be an inconvenience but at its worst, could inspire massive panic throughout a given region. Just as important, drivers’ private data, including the GPS location of their vehicles, financial information stored in the back server to process transactions, and others can be stolen by hackers.

For infrastructure providers/operators, a hacking incident could simply cut off business for the duration of the attack. Since almost no infrastructure provider will have the IT security know-how necessary to address attacks, nor would they want to fiddle with their IT system for fear of causing further damage, these charging station operators would be entirely dependent on their suppliers and service providers until they can be back in business. Moreover, repeated attacks would undeniably result in damage to reputation as a provider.

Four Thoughts on EV Charging Infrastructure Security

We’ve seen that there is a tremendous upside as well as a myriad of risks to linking the Cloud with EV car charging. However, there are some general guidelines, backed with proven and available technologies, to minimize risks to the point of mutually assured operations between involved entities, including the three listed above.

Build a Safe ICT Infrastructure in the Cloud

Unlike previous years, providers cannot launch their services without building a safe network, or “safe house,” as the starting point towards secure and trusted communications. Why? Because we are becoming increasingly dependent on machines to make critical decisions on our behalf, and in order to run these machines with trust, we need to make sure a plan is in place to build infrastructure with security in mind.

A safe house not only implies secure coding (and the updates thereto) of software; it would also have preventive measures in place to fight against the leakage of private data. Furthermore, a safe network would also have solutions embedded within it to detect suspicious activities and entities following installation and launch.

This requirement is not limited to the charging station network itself; it would also extend to the ICT infrastructure providing the electrical power and other third-party services. That refers to the network, on which web servers provide various services, and in which the confidential information of end-users would be collected and made readily available to process any transaction. These providers need to have a back-end network that has been built with security in mind. Their web servers must observe traffic coming in and out, in order to block out most of the attacks through the web. They may be legally obligated to encrypt customer information when not being used. They may need to manage how much and what levels of access employees and/or customers will have. These are all difficult hurdles to overcome, but it is nonetheless critical that these questions be answered prior to opening them up to third-party services.

Guard Critical Infrastructure Against External Attacks

Let’s assume that a CCS standard charging station is launched after a reasonably safe network has been built. The moment this network is opened to all the endpoints that depend on it, it becomes vulnerable to new, external attacks coming in along with legitimate customers. Therefore, a strategy needs to be in place to mitigate new attacks coming in from the outside. There are a variety of different solutions to fight against new attacks in the back server, such as network firewalls, IDS/IPS, web firewalls, etc. The endpoints themselves – the charging stations – must also have some answer against external attacks in the form of a specialized firewall.

Authenticate Users and Service Providers

Once a safe network that can mitigate against external attacks has been built, the next step is to authenticate all parties involved for complete trust. This would assure all parties that the right person is making the right request at a permissible time, in addition to any other conditions that would need to be fulfilled for trusted transactions. For this to be possible, not only would the car owner need to be authenticated on all transaction requests, authentication from the service provider’s side would also need to be in place.

Encrypt Communications to Preserve Privacy

Providing a safe channel of communication between the service provider and the car owner would be another key component of a safe EV charging infrastructure. Geolocation data and other personal information should be transmitted encrypted from both the client side (i.e., the station where the charging is taking place) and the server side (the safe network that can block against external attacks).

Conclusion

Like any new technology, the merging of cars with the Cloud through an ICT-powered CCS infrastructure brings about a lot of opportunities and risks. Unlike other technologies, this infrastructure needs to be built and then managed with security and privacy protection in mind. The integrity of power delivery, payment processing, and privacy of customer information are all important issues to be managed by service providers in the coming years.

In spite of the inherent risks involved, the march of progress dictates that we embrace new ICT-driven technology to replace outdated EV charging stations that are too expensive and difficult to operate. By paying attention to security prior to connecting, I think that we can expect a significant rise in not only EVs, but the rolling out of charging stations needed to keep these vehicles on the road.


Jaeson Yoo serves as Chief Security Evangelist for Penta Security Systems Inc. With over five years of IT Security consulting and public speaking experience for automobiles, IoT, PKI authentication, web security and data encryption, Jaeson brings Penta Security’s proprietary core technologies closer to partners and customers all over the globe.

 

The Limitations of Website Security Plugins

If you’re a website owner, you’re probably using a myriad of plugins either to add additional functionalities to your website or simply enhance its aesthetics. You might even be using a security plugin on your site. However, though affordable and convenient, website security plugins may cause complications and may not even be protecting your site as well as you’d desire them to.

As the most popular CMS, WordPress’ repository is filled with hundreds of security plugins. Many users assume that simply installing a security plugin will prevent their sites from getting hacked. While we don’t intend to discourage the use of security plugins, users should be aware of the possible downsides associated with the plugins. The following are potential issues you may come across:

1. Login inaccessibility

For any CMS, the admin login page is undoubtedly the most highly targeted by hackers since it can allow them unauthorized access to your website. That is why a plugin that limits the number of login attempts can be useful to many website owners. However, certain security plugins have the potential to lock admins out of their own site, and as a webmaster or admin, nothing is worse than being unable to access your website.

Though they can help prevent brute force attacks or even denial of service (DoS) attacks at times when the high traffic is aimed at the admin login page, these security plugins have their setbacks. If you forget your password and attempt to login multiple times or if multiple logins are happening at once, this might trigger an issue with the plugin.
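One way a login limiter can slow brute force attempts without the hard lockout described above, shown as an added example (it is not code from any WordPress plugin). The class name, parameters and thresholds are hypothetical; the sample addresses come from documentation ranges.

```python
import time


class LoginThrottle:
    """Slow down repeated failures per (username, source IP) pair.

    Hypothetical helper, not taken from any CMS plugin. Failures from one
    address never block the same account logging in from another address,
    and every delay expires on its own, so an admin is never shut out for good.
    """

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts   # failures allowed before any delay
        self.base_delay = base_delay         # seconds; doubles with each further failure
        self.max_delay = max_delay           # upper bound on the wait
        self.clock = clock                   # injectable so the logic can be tested
        self._failures = {}                  # (user, ip) -> (count, time of last failure)

    @staticmethod
    def _key(username, ip):
        # Normalise the username so "Admin" and "admin " share one counter.
        return (username.strip().lower(), ip)

    def retry_after(self, username, ip):
        """Seconds the caller must still wait before the next attempt (0.0 = go ahead)."""
        count, last = self._failures.get(self._key(username, ip), (0, 0.0))
        over = count - self.free_attempts
        if over < 0:
            return 0.0
        delay = min(self.base_delay * (2 ** over), self.max_delay)
        return max(0.0, last + delay - self.clock())

    def attempt(self, username, ip, check_password):
        """Return 'throttled', 'ok' or 'denied' for one login attempt.

        check_password is a zero-argument callable; it is not called at all
        while the pair is throttled, so guesses made during the wait are wasted.
        """
        key = self._key(username, ip)
        if self.retry_after(username, ip) > 0:
            return "throttled"               # the wait is not extended either
        if check_password():
            self._failures.pop(key, None)    # success clears the history for this pair
            return "ok"
        count, _ = self._failures.get(key, (0, 0.0))
        self._failures[key] = (count + 1, self.clock())
        return "denied"
```

Keying on the address means an attacker spread over many addresses is slowed less, so this complements rather than replaces strong admin passwords and a second factor.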

2. Customer support issues

For most CMS platforms, there is rarely a specialized technical support team that handles inquiries in real time to deal with issues you may face with these security plugins. Typically, customer support comes in the form of support threads and forums or something similar. WordPress for example has one that looks like this. Because users are utilizing different themes and using a combination of different plugins, each situation is unique. This makes it difficult to get a clear cut answer most of the time, which also means your ability to respond promptly to hacking incidents is restricted. Oftentimes, you’ll already be too late.

Another major downside with security plugins is not having a platform to report a security issue. Security these days is offered as a service, either paid or unpaid. And because it’s a service, it typically comes with quality technical or customer support, guiding users each step along the way, unlike with security plugins.

3. The “untrustworthiness” factor of security plugins

While there are a number of plugins available, not all come from a trusted entity. These days it’s easy for anyone to develop a plugin and make it available for anyone to download online.

As a website owner, it is up to you to evaluate the plugin and decide if it’s reliable. When a plugin has not been updated in months or years and has been left in the wild, so to speak, it opens up the possibility of it messing with your current CMS version or exposing you to potential risks and threats that come with the outdated plugin. Just because a plugin was highly commented and reviewed in the past doesn’t mean it will be a good fit for your current website.

4. Inability to handle zero day vulnerabilities or modified attacks

Security is never perfect, but relying solely on security plugins exposes you to certain kinds of attacks that can’t be thwarted with a mere plugin. There is no straightforward way to address zero day attacks for example, because the hacker has already exploited a vulnerability before the security vendor even takes notice.

This means that even if your security plugin updates automatically, you won’t be entirely protected. Even a highly rated Web Application Firewall (WAF) plugin would not be able to capture the full scope of potential attacks. In addition, false positives, which refer to legitimate traffic mistakenly identified as malicious, may cause you to lose precious site visitors among other things.

Perhaps the fact that a security plugin is free is appealing to many, but sometimes that can do more bad than good, especially when you care about securing your website. Plugins are great if you are a casual blogger, but if you have a huge following or run an ecommerce site, security plugins may not be adequate. Luckily there are other ways to secure your site which offer amplified protection at little to no cost at all. We are not suggesting to take a passive approach to security but are in fact encouraging the adoption of other security alternatives. For more on what you can do to actively protect your website, check out this blog post on a guide to the three layers of website protection.

Why You Should Care About IoT Security

You might not be one of the two-thirds of Americans currently owning and utilizing IoT (Internet of Things) devices, so news on IoT security may not pique your interest or alarm you, but it should. IoT security affects you in more ways than you realize. With IoT quickly progressing, it’s not just the number of connected devices that is skyrocketing; the number of industries utilizing them is also increasing and shaping the way society functions. For example, IoT devices in the service industry are monitoring and controlling vital resources like water supply, natural gas, and electricity. With such a penetrative extent of connectivity in our daily lives, IoT has the potential to affect us in more ways (and not all good) than we could have imagined.

Malware and IoT security

Hackers can harness IoT vulnerabilities to overtake computer systems and affect even non-IoT owners in the form of botnets and network traffic hijacking. This is possible because there isn’t much difference between malware found in laptops or PCs and malware found in IoT devices. Malware is defined as malicious software that can take on the form of executable codes, scripts, and so on to infect a computer system. By their nature, IoT devices are simply internet-connected computers placed inside some kind of device, meaning IoT devices don’t get a free pass from exploitation. In fact, IoT devices may be even more vulnerable than personal PCs.

Due to their limited operating systems and processing powers, IoT devices are created and unleashed onto the market without the most advanced security practices in mind. As a result, malware and other types of exploitations are a major problem for IoT devices. In some cases, changing the default password might not even be an option, even if you wanted to, thus making them extremely susceptible to attacks.

DDoS, botnets, and more

Nowadays, it’s become a trend for hackers to target vulnerable IoT devices and use them to form a botnet, in most cases to carry out DDoS attacks. What’s more shocking is that users who own IoT devices may already be part of a botnet and not even know it. This scenario is not something new as we’ve seen it play out in the attack on the global DNS provider Dyn, in which hackers severely disrupted the Internet, bringing down mainstream websites and online services by hacking into digital cameras and DVR players.

This is just one of the many instances that show us how IoT hacking can affect regular users indirectly. Moreover, it isn’t limited to just botnet and DDoS attacks. Infected devices can also hack into local networks to monitor network traffic and disseminate this information to a third party without your permission. Furthermore, there is also the chance of IoT devices being used as proxies that “anonymize” traffic, allowing them to infiltrate your IP webcams or TV streaming boxes.


Hence, even if you don’t own an IoT device, many industries are using IoT devices, which means your privacy and sometimes even physical safety can be at risk. The medical industry for example often relies on IoT devices for testing, managing, and treating patients. And it’s the same old tale – default passwords account for the fall of the majority of medical IoT devices. Not to mention, the critical public infrastructure that we rely on for key necessities like water and electricity is also susceptible to attacks. In a nutshell, whether you own an IoT device or not, users are indirectly affected to some extent as most have no control over the security measures in infrastructural IoT that we are subscribed to.

Future of IoT


It will be impossible to avoid IoT security forever. With connected cars already transforming the automobile industry, it’s estimated that 75% of cars shipped globally will be equipped with hardware and software that connect to the Internet. Already, we are seeing users having the ability to stream music, look up certain services besides navigation online, be alerted of traffic and weather conditions, as well as receive driving assistance.

Security for IoT should be a topic of concern for everyone, whether you own an IoT device or not. With the IoT market rapidly growing, more emphasis is being placed on the security aspect of these connected devices, but for now IoT devices should still be kept on a close watch due to their inherent vulnerability and ability to indirectly affect the security of even non-owners.

The Flaws with Detect and Respond

There has been a lot of discussion around Detect and Respond but there remain a number of misconceptions and misunderstandings about this particular cyber security framework. Many companies hold the notion that perfect security isn’t achievable, and perhaps they’ve given up hope on blocking cyber attacks through preventive measures. Therefore, most flock to Detect and Respond instead. But Detect and Respond has its own pitfalls, which we’ll cover in this blog piece.

What classifies as Detect and Respond?

The Detect and Respond framework, in the realm of cyber security, refers to the ability to discover cybersecurity incidents in a timely manner (“detect”) and develop as well as implement the appropriate actions to take against such cybersecurity incidents (“respond”).

As a result, the “detect” aspect of the framework includes security approaches and technologies that support continuous security monitoring, and the “response” aspect includes response planning and mitigation. It’s false to assume that solely implementing Detect and Respond capabilities can make up for a weak implementation of preventive measures (vulnerability management systems, intrusion prevention systems, WAF) against cyber threats. This is a particularly dangerous mindset.

Detect and Respond Pitfalls

The major flaw with Detect and Respond is that once a cyber attack is in full effect, for example a malware infestation that has taken over a system, then it becomes really hard to tell the immediate impact of such an attack. This makes detecting and responding even more difficult. Consider the following analogy: Detect and Respond is like monitoring the activity within your brick and mortar shop through security cameras…but without someone behind the seats monitoring those security cameras 24/7 and with no installed alarms to notify you.

To find out if you’ve been robbed, you’ll have to personally check the footage in the next few hours or the following morning. Moreover, if a burglar did manage to break in and steal something, it becomes harder to respond to the situation since: A) the burglar might be unidentifiable, having probably worn a mask, making it challenging for police to track them down, and B) the likelihood of retrieving the stolen items is close to zero.

Preventive methods

One thing’s for sure: no company would implement the above security strategy if Detect and Respond were explained through that analogy. This is not to say that Detect and Respond does not or should not play an important role in your security strategy. However, once a company comes under attack, just having Detect and Respond capabilities does not suffice, and it is predicted that the company will likely suffer monetary losses, too. Relying solely on preventive measures does not work either, as that simply presents a false sense of security.

Take for example the different causes of data breaches. A breach may have been the result of weak or stolen passwords, but those are not the same thing: weak passwords are not the same as stolen passwords. Preventive measures would protect against weak passwords by ensuring that passwords are not left at their defaults (e.g. password, admin), and Detect and Respond would deal with monitoring for stolen passwords and the respective accounts. As this shows, the best cyber security strategy for any business should always include both Detect and Respond and preventive measures.
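To make the weak-versus-stolen distinction concrete, here is an added sketch (not part of the original post) that pairs a preventive check at password-set time with a detective check over login records. The log format, the sample lines, the baseline of known addresses and the minimum length of 12 are all constructed assumptions.

```python
import re

# Defaults named in the article; extend the set for your own environment.
DEFAULT_PASSWORDS = {"password", "admin"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def is_acceptable_password(username, candidate):
    """Preventive control: refuse default, username-equal or short passwords."""
    lowered = candidate.lower()
    if lowered in DEFAULT_PASSWORDS or lowered == username.lower():
        return False
    return len(candidate) >= MIN_LENGTH


# Constructed log format: "<timestamp> user=<name> ip=<addr> result=<success|failure>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|failure)$"
)


def find_suspect_logins(log_lines, known_ips):
    """Detective control: successful logins from an address outside the account's baseline.

    A stolen password is valid, so no failure is logged; the only signal left
    is where the successful login came from.
    """
    alerts = []
    for line in log_lines:
        match = LOG_LINE.match(line.strip())
        if match is None or match["result"] != "success":
            continue
        if match["ip"] not in known_ips.get(match["user"], set()):
            alerts.append((match["ts"], match["user"], match["ip"]))
    return alerts


# Constructed sample data (documentation-range addresses).
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.4"}}
SAMPLE_LOG = [
    "2017-08-01T09:00:12Z user=alice ip=192.0.2.10 result=success",
    "2017-08-01T09:05:40Z user=bob ip=198.51.100.4 result=failure",
    "2017-08-01T09:05:52Z user=bob ip=198.51.100.4 result=success",
    "2017-08-02T03:14:00Z user=alice ip=203.0.113.77 result=success",
]

if __name__ == "__main__":
    # alice's password passes the preventive check, yet her account still
    # shows up in the detective check once the password has been stolen.
    print(is_acceptable_password("alice", "correct-horse-battery"))
    for alert in find_suspect_logins(SAMPLE_LOG, KNOWN_IPS):
        print("review:", alert)
```

The strong password passes the first check and the account is still flagged by the second, which is why neither control replaces the other.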

5 Medical Devices with Exposed Vulnerabilities

The medical field has changed for the better, with technology allowing people to live longer and lead healthier lives with fewer health complications. Unfortunately, as medical devices become more advanced with the Internet of Things (IoT) introduced into the picture, security concerns arise. It wasn’t just the recent WannaCry ransomware attack that demonstrated the vulnerability of medical systems. When UK hospitals were hit with WannaCry, it showed just how vulnerable hospitals are worldwide if they rely on IoT without considering the security implications. So in this blog post, we’ve compiled five medical devices that are known to have security flaws.

1. Pacemakers

The security research firm WhiteScope conducted a security assessment on cardiac devices and home monitoring devices from four major manufacturers in the healthcare sector. Within pacemaker devices alone, they discovered 8,000 vulnerabilities. A major reason why pacemakers and similar devices contain so many vulnerabilities is that many vendors purchase third-party components for their software or hardware. More often than not, these components have vulnerabilities that go undetected and unpatched.

2. Magnetic Resonance Imaging (MRI) machines

In a separate medical analysis by two security researchers, the verdict was the same: thousands of medical devices, from imaging machines to nuclear medicine devices, were found to be extremely vulnerable. Within an undisclosed healthcare organization in the US, the team found security flaws in 68,000 of their medical systems, which affected 97 MRI scanners. These security holes would potentially allow hackers remote administrative access to the devices. These devices were relatively easy to breach since many systems had kept their default passwords or had no passwords set up at all. In fact, tens of thousands of login attempts aimed at unauthorized access to the MRI machines were found.

3. Implanted defibrillators

In addition to pacemakers, implanted defibrillators have also been known to have security vulnerabilities. Used to monitor a heart’s electrical activity, they are important for sensing dangerous rhythms and delivering shocks. They can be monitored via radio transmitters. If a hacker is able to hack into the radio transmissions through the communication protocol for example, it’s just a matter of time before they gain complete control over the device, where it can even be reprogrammed. This can be disastrous if a hacker is successful in resetting the defibrillator clock and preventing the device from responding to cardiac/arrhythmic actions.

4. Insulin pumps

Pacemakers and defibrillators aren’t the only medical devices of hot debate; insulin pumps have also been found to be vulnerable to hacking due to major security bugs. As a medical device that’s commonly attached to patients’ bodies, these pumps inject insulin into the bloodstream through catheters. In fact, Johnson & Johnson was one of the first manufacturers to issue a security warning to its patients about the potential security vulnerabilities with its insulin pumps. Should a hacker gain access to these pumps, the consequences, such as overdosing a patient with insulin, can be unimaginable. The company, however, maintains that the risk is extremely low.

5. Mammography equipment

Two security researchers discovered password vulnerabilities in medical devices like mammography equipment. These medical devices are managed by computers through firmware, and only technicians who have access to the management functions can make adjustments, including changing passwords. As such, all a hacker needs to do is gain access to the password and reprogram the device to provide inaccurate readings. In total, the researchers found 300 backdoor passwords for the medical devices they studied.

One of the major problems with medical systems is that many of the medical devices relying and operating on computers are likely running on Windows XP or some older operating system where security patches are not released as frequently as we might expect. Furthermore, there may be a lack of IT security teams or administrators to implement basic security practices like installing basic antivirus solutions, thus allowing unauthorized access to the system. Because patients rely on these devices for their health, it’s important for healthcare organizations to follow security best practices.

Top 10 Cyber Security Lingo You Need to Know

“Jargon” is defined as a set of words that are used by a particular group, usually in a specific industry or profession, and difficult for others to understand. However, within the context of cyber security, certain jargon is starting to make its way into mainstream conversation and news, hinting at the increasing importance of understanding what these words mean. We’ve laid out our top 10 cyber security terms that just might come in handy in your next conversation.

Phishing

Much like how a fisherman catches fish with bait, a “phisher” lures innocent victims into giving away their personal information. While this method used to be largely executed over the phone or even over text messaging, in recent years, phishers have transitioned to e-mails and websites as their weapons of choice.

Phishing works by spoofing sites, making it seem as if the user is looking at a legitimate website. They’ll trick users into updating their billing information, or even conducting transactions – resulting in loss of money, and in some cases loss of identity.

VPN

A VPN, or Virtual Private Network, is a method that adds privacy and security when users access potentially unsafe networks. Normally, when trying to connect to the internet, users pass through their Internet Service Provider (ISP) and the traffic is viewable by the ISP. However, when you’re using a VPN, connections are encrypted meaning that your ISP is left out of the loop.

Many people use VPNs to keep their information secure through the encrypted connection, or to utilize the IP of the VPN server. By hiding their real IP address, users may be able to use services that were previously barred for them.

Back Door

When cyber attacks occur, there’s always talk about a secret way that hackers accessed the system when it was supposed to be safe. This is called a back door – a way to get into a system, product, or device by installing software or configuring the software to bypass existing security mechanisms.

Most recently, we saw through the “NotPetya” attacks that a backdoor was written into updates in a Ukrainian software firm’s accounting software, allowing for potentially 1 million computers to be compromised.

Keylogger

To add onto the scariness that is a back door, a keylogger is spyware or monitoring software that keeps track of every key typed on your keyboard. This means that usernames, passwords, social security numbers… virtually every piece of information typed onto a keyboard is fair game for a malicious hacker.

While there are legitimate uses for keyloggers (perhaps a parent is watching over their child’s activity), most of the time, cyber criminals utilize keyloggers to gain access to financial accounts or networking accounts. Just this past month, two Latvian men were arrested on charges of providing keyloggers as a service.

SSL

SSL, or Secure Sockets Layer, is a must for websites – especially if they handle sensitive information like credit cards or client names and addresses. SSL ensures a secure, encrypted connection between a browser and a server. Why is this important? While current speeds of the internet make it seem as if information is transferred from point A to point B automatically, in reality, any computer in between the browser and server is able to see unencrypted information. However, SSL prevents that by making sure that only the intended recipient is able to see the sensitive information.

How do you know if your site utilizes SSL? The URL will have HTTPS (hyper text transfer protocol secure), as opposed to just HTTP (hyper text transfer protocol). Check with your hosting provider or security service about what SSL options they offer.

2FA

We use this next acronym a lot when we’re talking about authorization and authentication for applications. 2FA, or two-factor authentication, is a type of authentication method where the proof of a user’s identity is established from two independent sources. This might be a password and your fingerprint ID, or perhaps a username-password combo and a code from an OTP (one-time password) token.

With people still using silly combinations like hello or 123456 as their username or password, 2FA adds on an extra protective layer, making it a bit more difficult for an intruder to gain access to a user’s data.
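As an added illustration of the “password plus OTP code” combination (example code, not from the original post), the sketch below implements the time-based OTP algorithm standardized in RFC 6238 and a verifier that tolerates one step of clock drift and rejects a code that has already been used. The `SecondFactor` class and `login` helper are hypothetical names, and the secret is the published RFC test key, not a real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)


class SecondFactor:
    """Server-side check of the code shown on the user's OTP token."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window      # accepted clock drift, in time steps
        self.last_counter = -1    # highest time step already accepted

    def verify(self, submitted, unix_time):
        current = int(unix_time) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter < 0 or counter <= self.last_counter:
                continue  # never accept the same or an older step twice (replay)
            expected = hotp(self.secret, counter)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False


def login(password_ok, second_factor, code, unix_time):
    """Both factors must pass; a correct password alone is not enough."""
    return bool(password_ok) and second_factor.verify(code, unix_time)


RFC_TEST_SECRET = b"12345678901234567890"  # test key published in RFC 6238

if __name__ == "__main__":
    factor = SecondFactor(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print(code, login(True, factor, code, 59))   # first use is accepted
    print(login(True, factor, code, 59))         # replayed code is rejected
```

Even when the password is one of the weak combinations mentioned above, an intruder who guesses it still needs a code that changes every 30 seconds and cannot be reused.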

FIDO

The best password is simple, secure, and unique… that’s the philosophy behind FIDO, or Fast IDentity Online. FIDO is a set of security specifications supporting multi-factor authentication and public key cryptography. FIDO-compliant authentication means that users don’t have to use the traditional username and password combo, but can instead use biometric authentication, ranging from fingerprints to irises.

When on a remote device, users can still utilize FIDO authentication through 2FA, using both an authorized device (such as a USB drive) and a separate PIN.

Dark Web

Though many of us use the internet for everyday purposes like buying commercial goods, communicating with peers, or checking up on the news, there are web users who have been using the web for more sinister purposes. The Dark Web is a part of the World Wide Web that’s only accessible by installing special software. It then allows users to access an encrypted network where users and operators remain anonymous and untraceable. Because it’s so hidden, this is a haven for illegal activities.

WAF

A WAF, or “Web Application Firewall,” is a device that filters, monitors, and blocks traffic to and from a web application. Many people have heard the term “firewall” but a WAF differs by filtering content of specific web applications, because the majority of cyber attacks target the application layer. WAFs function in a variety of ways but a majority of traditional web application firewalls utilize a signature method, where regular updates are necessary in order to make sure that malicious traffic is blocked.

However, there are options available where WAFs use a logic-based detection engine where rule-sets for certain characteristics of malicious traffic are analyzed to block traffic. This results in more accurate detections – a must for businesses who want to retain their customers.

SECaaS

With the rise of cyber threats and attacks, companies of all sizes and even individuals are starting to realize the grave consequences they could face if they were to ignore the need for security. This new insight has led to the rise of SECaaS, or “security-as-a-service” where security services are provided on a subscription basis. This means that individuals or smaller businesses who may not have an adequate budget for utilizing security appliances can still apply security in a more cost-effective way.

SECaaS is clearly skyrocketing, and it’s estimated that by 2020, “85% of large enterprises will be using a cloud access security broker solution for their cloud services.” That’s up from 5% in 2015.


These are our top 10 picks for must-know cyber security lingo – do you have any other favorites? Feel free to contact us on our Facebook page, where we regularly introduce new jargon with simple explanations you can understand. Who knows? Maybe you’ll see your word next week!

Debunking 5 DB Encryption Misconceptions

 

Businesses handle an enormous amount of data. All of this data is stored in hundreds or even thousands of databases, so it’s impractical for a database administrator to oversee the security of these databases with only basic access control functions. Instead, businesses are realizing that data encryption is a must-have component to their existing cyber security strategies. DB encryption ensures that a database is being protected even if hackers somehow replicate the database or move it to another location.

While critical to a business’s cyber security strategy, DB encryption isn’t always deployed by businesses. But thankfully, there is a positive trend occurring: in the past few years database encryption usage among businesses in the US has risen from 42% to 61%. This blog post will address five misconceptions that put to rest some concerns businesses may have before implementing DB encryption.

1. I use SSL so I don’t need DB encryption

SSL involves encrypting communication between a web user’s browser and the web server, but does not take into account data that is at “rest,” or data that is stored in a database. In other words, SSL ensures a secure connection for data that is in motion (at the time that requests are being made to the web server). SSL is important for encrypting web traffic, but there is also unprotected data stored either on a disk or in a database, which SSL does not take into account and which therefore needs added protection.

2. If I use DB encryption, database performance will degrade

The performance of a database is determined by multiple factors such as excessive indexing and inefficient memory allocation. While businesses may be reluctant to incorporate database encryption into their existing security deployments due to performance or latency concerns, businesses should be reminded that it really depends on the type of DB encryption solution a business decides to utilize, whether that be file-level or column-level encryption. Typically, file-level encryption is the least resource intensive and has the least effect on the overall performance of a database.

3. Encrypting the database is enough protection for my website

Even if the security of a database is compromised, the database will be protected if the information inside is encrypted. But this doesn’t mean that the website itself will be safe should it come under attack. Thankfully, with no access to the decryption key, a hacker cannot read files that are encrypted in a stored database. Businesses can rest assured that their most sensitive data is being protected. However, the website can still be brought down by attacks. In order to protect web applications (i.e. websites) an additional security solution will be needed.

4. DB encryption and key management requires hardware appliances, which is inconvenient

These days it’s pretty common for key management solutions to be available in a variety of both hardware and cloud platforms. But it mostly depends on where a business may be storing company data or what kind of needs they have. Not all businesses have their own data center. Instead, many rely on some kind of Software-as-a-service (SaaS) solution, removing the need to rely on hardware appliances. Therefore, it’s less likely that the traditional key management solution is implemented internally.

5. DB encryption is too complicated and requires modifications to my current operating system

Once a business answers basic questions like what kind of data needs to be encrypted and who should have authorized access to it, database encryption should not be complicated. Encryption is made easy thanks to the readily available tools in the market that cater to the needs of each business. There are plenty of DB encryption solutions that reside beneath the application layer, thereby eliminating the need to make modifications to a business’s operating system or storage. If an encryption engine is supplied for example, then no source code changes to the database environment or application are required.

Businesses should not shy away from using DB encryption due to these common misconceptions. DB encryption is less a trend than a security necessity for all businesses. The drivers for using database encryption come down to compliance requirements and businesses recognizing the need to protect specific data types. So whether it’s to meet industry standards or to safeguard sensitive information, DB encryption is here to stay.

Bring Your Own Device (BYOD) Security Pitfalls

The Bring Your Own Device (BYOD) movement is gaining a strong foothold in the US with 72% of organizations already implementing BYOD or planning to do so. In the workplace, BYOD presents an attractive business model to be followed, allowing for greater flexibility and increased productivity among employees. However, there are several security risks that need to be addressed. With personal devices like smart phones and tablets handling corporate data, there is now an enormous burden placed on companies to find a balance between preventing outside intrusion and respecting the privacy of their employees.

SMBs and enterprises alike are responsible for maintaining data security standards and this task can get easily complicated with the introduction of BYOD. To take control of your company’s BYOD policies, consider these associated challenges:

1. BYOD allows personal and business data to intertwine and mix

A big challenge for companies is managing both personal and corporate data on the same device for each employee. This is because employees are unlikely to have the same level of security on their personal devices as the company has protecting its internal networks. That brings into question potential cyber threats arising from unsecured networks. Logging into a secured company network is one thing, but logging into an unsecured public network can be disastrous for both the company and the employee. Furthermore, malware may corrupt an entire company’s system should an employee accidentally install it onto their device.

2. BYOD increases the risk of data and information leakage

When an organization has a BYOD policy in place, it can open multiple backdoors for hackers to access confidential data, thereby increasing the overall risk of cyber threats against the entire organization. Mobile phones and tablets are more risky than PCs and laptops since they require constant (even daily) updating to patch security bugs. While BYOD has its benefits, companies must realize that personal devices present a weak link to security within the workplace and need special attention.

3. BYOD introduces human error/physical obstruction possibilities

Even if employee devices have password controls, remote lock features, or encryption enabled, there is always the possibility of an employee device being misplaced or stolen. Careless employees might be an IT administrator’s worst nightmare, as there is not much they can do to retrieve the device once it has been stolen. One simple but effective measure to prevent outsiders from gaining access to the device is using a PIN code. However, with hackers becoming increasingly clever at cracking PIN codes, added protection like a wiping solution may be necessary to eliminate the possibility of data theft.

4. BYOD makes it harder to keep track of vulnerabilities and updates

Not all mobile devices are created equal. They have different capabilities and operating systems that run different programs with different levels of security. As more personal devices are added under a BYOD policy, it will become more difficult to keep track of the vulnerabilities and updates of each device. This is because employees are utilizing different applications on their devices and, without proper encryption or other security measures, the risks expand. Worse still, if it is an older device, a different set of unknown or undocumented vulnerabilities may arise, making it all the more dangerous. Security experts may suggest investing in a mobile device management (MDM) platform, but that will require employees to install an agent on their personal devices, which many employees are likely to oppose.

Even before setting up a BYOD policy, a company should research the current security options that are available for them. Single Sign-On (SSO) for example is an effective method for preventing hackers from logging into employee devices. If an organization has one centralized platform to handle identity management, then it becomes easier to handle web application access across the different devices in the network, as employees will log in to this platform only once to have their credentials authenticated and approved. While it is important for thorough BYOD policies and procedures to be put in place to secure employee devices, it’s also vital to educate employees on these basic security practices for protecting their personal devices so security becomes a company-wide effort.