Tag Archives: Gary Stoller

Security of Medical Devices Needs Care

Medical devices, such as pacemakers, insulin pumps and defibrillators, could become lethal in the hands of a hacker tampering with them remotely. A new study that shows medical devices—and patients—are vulnerable to cyber attacks is a wake-up call for manufacturers, according to a Silicon Valley software company that sponsored the study.

Device manufacturers must change their culture and look at security as an equal to patient safety, says Chris Clark, principal security engineer of strategic initiatives for Mountain View, Calif.-based Synopsys.

The company’s study, which surveyed about 550 employees of device manufacturers and healthcare delivery organizations (HDOs), found that nearly 70% of manufacturers and nearly 60% of HDOs believe an attack on a device built or in use by them is likely to occur during the next 12 months.

The most surprising finding, Clark says, is that about 40% of manufacturers and 45% of HDOs—despite being aware of the risks—take no steps to prevent medical-device attacks.


There are, however, some positive takeaways, he says. The study, conducted by the IT research organization Ponemon Institute, showed that “a significant percentage” of HDOs are concerned about the risk of insecure medical devices, and many are taking measures to test them for vulnerabilities. That’s a good sign, Clark says, because most study respondents work for small organizations “with limited resources and expertise in this area.”

Security painfully lacking

About 60% of respondents work for organizations with fewer than 1,000 employees, 10% said they had no budget for device security and 40% said their annual budget was less than $500,000.

The study found that 59% of respondents employed by HDOs rated the importance of medical device security as very high relative to all other data and IT security measures deployed. Yet, only 37% of those who work for manufacturers consider such security of very high importance.

This tells us the manufacturers still operate under the pretense that security is an HDO issue, and medical device security will be a lower priority for the foreseeable future, Clark says. “This statistic alone should be of great concern and a critical lesson for HDOs who are truly interested in protecting their infrastructure.”

A cyber attack on a medical device can manifest in various ways. An attacker could take control of a device to administer inappropriate or harmful treatment to a patient, Clark says. The attacker could dispense the wrong dosage of medication via an infusion pump, manipulate the electrical output of a pacemaker, crash a device or render it inoperable, access the data it stores or transmits, or use it as a pivot to other systems or devices on the same network.

Hospitals risk erosion of patient confidence

Each of these scenarios has a physical impact to a device or group of devices, but the real danger is a loss of confidence in the ability of HDOs to deliver quality care and protect patient information, Clark says. “A breach could be catastrophic for a hospital system.”

The Synopsys study found that 80% of respondents who work for medical device manufacturers or HDOs say medical devices are very difficult to secure. The top reasons cited for device vulnerability include accidental coding errors, lack of knowledge/training about secure coding practices and pressure on development teams to meet product deadlines.

Security an afterthought

Securing medical devices also is difficult, Clark says, because security is not a primary consideration early in the design process. “This, along with the need for flexible communications that are often unencrypted or have no security characteristics, create a wide range of challenges.”

Respondents in the Synopsys study were surveyed before the WannaCry ransomware attack in May 2017. The worldwide attack targeted computers running Microsoft Windows and, within a day, reportedly infected more than 230,000 computers, including hospital systems and medical devices, in more than 150 countries.


Healthcare organizations are “some of the most commonly targeted cyber attack victims, second to only the banking and financial industry,” Clark says. “If you couple that trend with the results of this survey showing how little is being done to protect medical devices, it’s not unreasonable to expect things to get worse before they get better.”

Most stakeholders, though, are “genuinely concerned” about the impact of insecure medical devices—“both in terms of patient safety and risk to their organizations,” Clark says. “What remains to be seen is whether the industry steps up to voluntarily address these challenges or the U.S. Food and Drug Administration takes a more aggressive stance.”

This article originally appeared on ThirdCertainty. It was written by Gary Stoller.

Most Firms Still Lack a Cyber Strategy

Despite awareness that hackers are relentlessly launching cyber attacks, according to a new survey, most companies say they don’t have a clearly defined risk strategy or one that applies to the entire company.

The survey, conducted by the Ponemon Institute and sponsored by RiskVision, polled 641 individuals involved in risk management within their organizations. More than half held executive and management positions.

“There is a big disparity between awareness and implementation of risk management practices,” says Joe Fantuzzi, CEO of RiskVision, a Sunnyvale, CA, enterprise risk intelligence company formerly known as Agiliance.

Eighty-three percent of those surveyed say managing risk is a “significant” or “very significant” commitment for them, but 76% say their organizations lack a clearly defined risk management strategy or one applicable to the entire enterprise. Only 14% of survey respondents thought their organization’s risk management processes were truly effective.

Other survey findings:

  • More than half of organizations lack a formal budget for enterprise risk management. Organizations with a formal budget have allocated an average of $2.3 million for investment in risk management automation in the next fiscal year.
  • Four of every 10 respondents say the “complexity of technologies” that support risk management objectives is a “top barrier.” Roughly the same number cite an “inability to get started” and difficulty hiring skilled workers as other challenges.
  • Sixty-three percent of respondents fear a poorly executed risk management program will damage their company’s reputation. Other top concerns are security breaches and business disruption.
  • More than half of respondents say there is little collaboration in managing risk among their finance, operations, compliance, legal and IT departments. They complain of “operating in silos.”
  • Sixty-nine percent of respondents say their organizations don’t rate assets based on how critical they are. The same percentage says their enterprises either don’t have — or the respondents are unsure if they do have — metrics for determining risk intelligence effectiveness.

More respondents (19%) work in financial services than any other industry. Respondents in the public sector were next (11%), followed by healthcare (10%) and industrial/manufacturing (10%).


Reputations at stake

The survey’s most surprising finding, Fantuzzi says, is companies’ concern about their reputations.

“We often get caught up with headlines about breaches, but what stood out the most was the overwhelming majority of organizations that fear long-term brand damage above all else,” he says.

Fantuzzi says data breaches or disruptions to business are still major concerns for organizations. “But if you asked these same organizations just a couple years ago when major brands were making headlines for record-breaking breaches, I would argue that was the top fear of executives and board members across every industry.”

There are “dozens of reasons,” Fantuzzi says, about why three-quarters of organizations lack a comprehensive risk management strategy.

“Critical roadblocks,” he says, include “the complexity of technologies or not knowing how to identify the appropriate solution for your environment, the lack of resources from a financial or personnel perspective or the basics of not knowing where to start when putting together a strategy.”

Automation and awareness improve

The study concludes, however, that organizations “are slowly improving the maturity level of their risk management program.”

Eighteen months ago, only 21% of organizations represented in the study measured their risk appetites in real time using automated business unit decision-making, board-level risk analytics and metrics trending. Today, 32% say these activities are part of their risk management program.


The study also concludes that an increasing number of companies are automating risk management programs.

Eighteen months ago, 53% of organizations represented in the study used “top-down, assessment driven, reactive, manual processes, spreadsheets and siloed information.”

Now, 33% have advanced to bottom-up process automation, described in the study as “effective with limited efficiency, centralization and analytics,” and 35% have advanced to top-down, bottom-up optimization “with real-time enterprise risk intelligence analytics for actionable business decisions.”

This article originally appeared on ThirdCertainty. It was written by Gary Stoller.

2 Novel Defenses to Hacking of Browsers

Cyber attackers continue to exploit a significant security gap found in a familiar tool used pervasively in all company networks: the common web browser.

Mozilla Firefox, Google Chrome, Microsoft Internet Explorer and Apple Safari all share an architecture in which code fetched from arbitrary websites is executed on the employee’s computer. That makes it relatively easy for an attacker to plant malicious code on the machine, and then use that infected machine as a foothold to probe deeper into the breached network.

Here’s the good news: There is a growing cottage industry of security vendors developing sophisticated technology specifically to plug this gaping exposure. Browser security vendors first appeared on the scene about 2010; leading innovators include Invincea, Bromium, Spikes Security and Menlo Security.

ThirdCertainty recently visited with two new entrants, Ntrepid and Authentic8. Here is what each brings to the table:

The morphing of browser usage

Authentic8 recently introduced a service called Silo, which isolates web browser malware code from the targeted computer — and the rest of the company network — by routing all employees’ browsing sessions to dedicated servers.

Authentic8 CEO Scott Petry has a long history helping companies keep intruders out of companies’ networks. Petry founded email-filtering company Postini, which was bought by Google and folded into the search giant in 2007.

Petry, who co-founded Authentic8 with another Postini alum, Ramesh Rajagopal, observes that the arrival of sophisticated browser security tools (like Silo) is a reflection of how web browser usage in corporate settings has morphed over the past couple of decades.

In the 1990s, IT departments “would control how you compute, when you compute and what applications you access,” Petry recalls.

Steadily, the web browser “became such a massive focal point or gravity center for how people consumed different web services,” Petry says. “It became extremely compelling for employees to access the web for personal use and for businesses to start taking advantage of the web as a way to perform business functions.”

Amazon pioneered e-commerce, and Google got businesses and consumers accustomed to quickly searching for, and pinpointing, desired information. All of this leveraged the browser’s capacity to execute code on individual computers in response to users’ clicks.

“As soon as that happened, business data that IT departments used to control in their environment was suddenly scattered across third-party websites that they didn’t control,” Petry says. Then social media, including Facebook and Twitter, appeared, and all bets were off.


Routing malware to silos

The environment “is now a mess,” Petry says. “If you think about how the browser is used, it’s a one-size-fits-all solution. People use the same browser with a tab opened to get to Facebook, a tab opened to get to Dropbox and a tab opened to get to wherever. It’s a mix of personal use and business activity, and it’s no wonder that the browser is such a point of vulnerability.”

Venture capitalists are funding tech entrepreneurs and are coming forward with new systems to lock down browsers — because, going forward, how we have come to use browsers is not likely to change.

“I’m sure at some point we will move away from a monolithic browser,” Petry says. “It might change over time, but people have been predicting the death of email for 10 or 15 years, and it is still the most common form of business communication. So, no, I don’t think the browser is going anywhere any time soon.”

Authentic8’s Silo product executes all web code in a secure, isolated container on Authentic8’s cloud servers and sends the user only a rendered view of the page. Nothing reaches the user’s device except pixels.

“The attack surface area is now ours, and that’s where we deal with it,” Petry says.

Virtual sessions

Instead of moving browser sessions into isolated servers, Ntrepid addresses the problem by inserting a virtual browser into every employee’s computer.

Any malicious code arriving via a web browsing session is confined to that virtual browser and kept away from the hard drive and memory of the host computer. Barring an escape from the virtual machine itself, the machine is in effect inoculated against browser malware and cannot be used by the attacker as a beachhead to go deeper into the company’s network.

Web browsers, by design, execute code over which network administrators have zero control. This code execution enables all of the cool, interactive things we can do on our browsers.

Trouble is, criminal hackers can all too easily slip malware into this mix. Like Authentic8’s isolated servers, Ntrepid’s virtual browsers protect the organization from “all web-based attacks, including web-delivered malware, watering hole attacks, spear phishing, passive information leakage and drive-by downloads,” according to Ntrepid.

Ntrepid’s technology, called Passages, enables employees to “safely browse anywhere,” providing them “the freedom to surf online without the risk of infecting their machines or compromising valuable enterprise data.”

To activate Passages, a user simply clicks on it on the desktop instead of Internet Explorer, Firefox or another conventional browser.


Any malware encountered on a website is “trapped” inside Passages’ virtual machine and can’t infect anything else on a user’s computer, says Lance Cottrell, Ntrepid’s chief scientist. The malware is destroyed when the browser session is over.

While, for the moment, browser security technology is being marketed to small- and medium-sized businesses and large enterprises, Ntrepid and Authentic8 are both developing marketing efforts to serve individual consumers.

“We’re starting off on enterprises — our early adopters — but they are always saying, ‘What about my wife, what about my kids, can I get this at home?’” Cottrell says.

Cognizant of the 2015 data breach at the U.S. Office of Personnel Management, in which hackers accessed personal information of more than 21.5 million employees, family members and others, Ntrepid is accelerating its marketing efforts to consumers, Cottrell says.

ThirdCertainty’s Gary Stoller contributed to this report.


Spear Phishing Attacks Increase

Spear phishers continue to pierce even well-defended networks, causing grave financial wounds.

Spear phishers lure a specific individual into opening a malicious email attachment or navigating to a compromised Web page. Malicious code then typically gets installed on the victim’s computing device, giving the attacker control of it.

A recent survey of 300 IT decision-makers in the U.S. and the U.K.—commissioned by threat-protection solutions provider Cloudmark—found that a spear-phishing attack penetrated the security defenses of more than 84% of respondents’ organizations.


Spear phishing continues to turn up time and again as the trigger to massive network breaches, including widely publicized attacks on JPMorgan Chase, eBay, Target, Anthem, Sony Pictures and the U.S. Office of Personnel Management.

“Criminals have achieved high success rates with spear-phishing attempts, and that success is breeding even more attempted attacks,” says Angela Knox, Cloudmark’s senior director of engineering and threat research.


Respondents to Cloudmark’s survey said that, on average, their organizations lost more than $1.6 million from spear-phishing attacks during the 12 months before the survey.

Spear phishers install malware, seek privileged access accounts and scour breached networks for confidential business plans, information about current negotiations and other valuable data. And the attackers are in a position to manipulate, disrupt or destroy systems.


Attacks on banks, credit unions and professional services firms that help conduct financial transactions often focus on persuading employees to wire money to the phishers’ accounts.

“Even if the money can be recovered, it takes time and effort to recover it,” Knox says. “In one high-profile incident, a company lost $46.7 million due to email spoofing.”
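The wire-fraud pattern Knox describes can be partly caught at the mail gateway by inspecting sender headers for the usual signs of spoofing before a payment request ever reaches an employee. The Python script below is an added example, not Cloudmark’s or the article’s code: it flags display-name spoofing of a known executive, look-alike sender domains one edit away from the company’s own, and Reply-To redirection, and escalates when the body also contains payment language. The domain example.com, the executive name and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example (hypothetical): the organisation's real domain
# and the executives whose names wire-fraud spear phishers tend to borrow.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_WORDS = re.compile(
    r"\b(wire|transfer|invoice|payment|account number|urgent)\b", re.I
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased part after the last '@' (empty if there is none)."""
    return address.rpartition("@")[2].lower()


def analyze(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means no signal."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. The display name belongs to an executive but the address does not.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name spoofing: '{name}' sent from {addr}, expected {expected}")

    # 2. Sender domain is one edit away from a trusted domain (e.g. examp1e.com).
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(from_domain, trusted) <= 1:
                findings.append(f"look-alike domain: {from_domain} resembles {trusted}")

    # 3. Replies are silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"reply redirection: Reply-To {reply} differs from From domain {from_domain}")

    # 4. Payment language turns any of the above into a hold-and-verify case.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    if findings and PAYMENT_WORDS.search(body):
        findings.append("payment request present: verify out of band before acting")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 numbers

Please send the Q3 summary when you have it.
"""

SPOOFED = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@outlook.com
To: ap@example.com
Subject: Quick favour

I'm in a meeting, please wire 46700 to the account number below today.
"""

LOOKALIKE = """From: Accounts <ap@examp1e.com>
To: ap@example.com
Subject: Updated invoice

Our bank details changed, please use the new account number for this invoice.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, analyze(sample) or ["no findings"])
```

These checks are heuristics that run on headers the attacker controls, so they complement rather than replace SPF/DKIM/DMARC enforcement at the gateway and an out-of-band callback before any change to payment details is honoured.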

Resist oversharing

One reason spear phishing persists is because people reveal a wealth of personal and behavioral data on the Internet. Attackers tap this information to profile victims and create email and social media messages crafted to appear to come from a trusted source—in a context that puts the targeted victim at ease.

The end game: get the person to open a malicious email attachment or click through to a malicious Web page.

“Everyone is now a target, and users can no longer depend on spelling mistakes or random scams,” says Chester Wisniewski, senior security adviser at antimalware vendor Sophos.

Peter Cassidy, secretary general of the Anti-Phishing Working Group, an international coalition fighting cyber crime, says spear phishers in recent years have gone to greater depths in focus and planning.


“These days, it’s not uncommon to see an attack that targets specific personalities for their access within an enterprise and loads a malware payload to execute an exploit that will open a pathway the attackers are waiting for—and will use to gain access to data they prize,” Cassidy says. “Talk about orchestration! Stravinsky and these guys would have a lot to talk about.”

Employees part of solution

A primary defense is to continually train employees to be vigilant, and a cottage industry of training services and technologies has arisen in recent years to assist companies of all sizes. But even trained employees remain susceptible to sophisticated trickery.

Nearly 80% of organizations surveyed by Cloudmark reported using staff training to prevent attacks. Of organizations that test their employees’ responses to spear-phishing attacks, only 3% said that all employees passed. Respondents estimated that 16% of staff members failed their organizations’ most recent spear-phishing tests.

“Humans are flawed,” Wisniewski says. “You can never stop spear phishing entirely,” because “it is not a technical problem that can be solved.”

It’s human nature for employees who spot something wrong or who believe they may have been tricked to hesitate reporting the incident. Yet quick reporting is a key to remediation. “Accidents happen, but detection and remediation are more successful the less time the criminal has to take advantage of your errors,” Wisniewski says.

This post was written by Gary Stoller.