
Firms Ally to Respond to Data Breaches

More companies than ever realize they’ve been breached, and many more than you might think have begun to put processes in place to respond to breaches.

A survey of 567 U.S. executives conducted by the Ponemon Institute and Experian found that 43% of organizations reported suffering at least one security incident in the past year, up 10 percentage points from 2013. And 73% of the companies surveyed now have data breach response plans in place, up 12 points from 2013.

“Compared with last year’s study results, survey findings show encouraging signs that organizations are beginning to better prioritize data breach prevention, but more needs to be done,” says Larry Ponemon, namesake founder of Ponemon Institute.

Major data breaches have become a staple of news headlines. So it can’t be that companies are complacent. The problem seems to be that big organizations just can’t move quickly enough.

Home Depot was blind to intruders plundering customer data even as Target endured exposure and criticism for being similarly victimized just months before, possibly by the same gang.

In our connected world, it’s hard to keep pace. The Ponemon study found that 78% of companies with a response plan do not update it as threats change or as the company’s own processes change.

Rise of threat intelligence

That’s where the trend toward correlating data from disparate threat sensors could begin to close the gap. It’s a promising sign that ultra-competitive security companies have begun to collaborate more on sharing and analyzing threat intelligence.

Boulder, Colo.-based security vendor LogRhythm, for instance, has formed an alliance with CrowdStrike, Norse, Symantec, ThreatStream and Webroot to share sensor data and compare notes on traffic that looks suspicious.

LogRhythm supplies a platform for culling and analyzing data from its partner vendors “to help identify threats in our customers’ IT environments more quickly, with fewer false positives and fewer false negatives,” says Matt Winter, LogRhythm’s vice president of corporate and business development.

Since announcing its Threat Intelligence Ecosystem last month, LogRhythm has received “considerable inbound interest from customers and channel partners,” Winter says. “Feedback has been very positive.”

Similar threat intelligence alliances, both formal and informal, are taking shape throughout the tech security world. The business model of Hexis Cyber Solutions, a year-old startup, relies on pooling threat sensor data from several security vendors, including antivirus giant Symantec and social media malware detection firm ZeroFOX.

Hexis applies analytics with the goal of accurately identifying – and automatically removing – clearly malicious programs.

“The state of the art today is a single-point security product triggering alerts on particular things and putting a warning on a screen,” says Chris Fedde, president of Hexis. “We’re all about analyzing alerts and taking action on them. Anything that’s malicious we go ahead and remove.”

In one recent pilot study, Hexis tracked 5,000 computing devices and 13,000 user accounts of a U.S. medical center for 30 days. Hexis intercepted 35,000 instances of suspicious outside contact and removed 23 malicious files.

Those malicious files that got inside the medical center’s network included: Dirtjumper, a tool used to conduct denial of service attacks; Tsunami, malware used for spamming and data theft; a remote access tool (RAT) used to take full control of a compromised computer; and an adware Trojan.

There’s a long way to go. But alliances to share threat sensor information, like the ones being pioneered by LogRhythm, Hexis and many other security vendors, seem destined to take root.

Someday in the not too distant future, it may not matter if intruders get inside the network, if robust threat intelligence systems are poised to cut them off from doing damage.

Stunning Patterns Found in the Dark Net

One of the most powerful technologies for spying on cyber criminals lurking in the Dark Net comes from a St. Louis-based startup, Norse Corp.

Co-founded in 2010 by its chief technology officer, Tommy Stiansen, Norse has assembled a global network, called IPViking, composed of sensors that appear on the Internet as vulnerable computing devices. These “honeypots” appear to be everything from routers and servers, to laptops and mobile devices, to Internet-connected web cams, office equipment and medical devices.

When an intruder tries to take control of a Norse honeypot, Norse grabs the attacker’s IP address and begins an intensive counterintelligence routine. The IP address is fed into web crawlers that scour Dark Net bulletin boards and chat rooms for snippets of discussions tied to that IP address.

Analysts correlate the findings, and then IPViking displays the results on a global map revealing the attacking organization’s name and Internet address, the target’s city and service being attacked and the most popular target countries and origin countries.
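The two pipelines described on this page, correlating indicators from several vendors’ sensors so that a customer’s traffic is matched against indicators more than one source agrees on (the LogRhythm alliance above), and turning honeypot hits into an attacker view with per-address enrichment and origin/target aggregates (IPViking here), come down to the same few steps. The Python script below is an added example written for this page; it is not Norse’s or LogRhythm’s code. Every feed, log line, sensor name, forum snippet and address in it is constructed (addresses come from the RFC 5737 documentation ranges), and the “crawler” step is a dictionary lookup standing in for a real search of forums.

```python
"""Added example: correlate indicators from several sources, score each by how
many independent sources agree on it, and use the score to suppress single-source
noise. Every feed, log line, sensor name and address below is constructed for
illustration (addresses are from the RFC 5737 documentation ranges)."""
import ipaddress
import re
from collections import Counter

# Two constructed vendor feeds: sets of suspected-malicious IPs.
FEED_A = {"203.0.113.7", "198.51.100.23", "192.0.2.99"}
FEED_B = {"203.0.113.7", "198.51.100.23", "192.0.2.150"}

# Constructed honeypot log. "cc" is the geolocated origin country of the source
# address; "city" is where the sensor that was hit sits.
HONEYPOT_LOG = """\
2014-08-01T02:14:09Z sensor=hp-us-01 src=203.0.113.7 dport=22 svc=ssh cc=CN city=Denver
2014-08-01T02:14:11Z sensor=hp-us-01 src=203.0.113.7 dport=23 svc=telnet cc=CN city=Denver
2014-08-01T03:01:44Z sensor=hp-de-02 src=198.51.100.23 dport=3389 svc=rdp cc=RU city=Frankfurt
2014-08-01T03:02:01Z sensor=hp-de-02 src=198.51.100.77 dport=80 svc=http cc=IR city=Frankfurt
2014-08-01T04:22:37Z sensor=hp-sg-01 src=192.0.2.99 dport=22 svc=ssh cc=US city=Singapore
malformed line that the parser must skip
2014-08-01T04:22:40Z sensor=hp-sg-01 src=192.0.2.99 dport=22 svc=ssh cc=US city=Singapore
"""

# Constructed stand-in for what a forum crawler might return per address.
FORUM_SNIPPETS = {
    "203.0.113.7": ["[board-x] 'fresh socks on 203.0.113.7, rdp too'"],
    "192.0.2.99": ["[chan-y] 'bruter box 192.0.2.99 is up again'"],
}

# Constructed outbound proxy log from a customer network.
PROXY_LOG = """\
2014-08-01T05:00:01Z client=10.0.0.15 dst=203.0.113.7 dport=443
2014-08-01T05:00:02Z client=10.0.0.22 dst=192.0.2.150 dport=80
2014-08-01T05:00:03Z client=10.0.0.22 dst=192.0.2.99 dport=22
2014-08-01T05:00:04Z client=10.0.0.31 dst=192.0.2.1 dport=53
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_log(text, required):
    """Parse key=value log lines; drop lines missing a required key or whose
    src/dst field is not a valid IP address."""
    records = []
    for line in text.splitlines():
        rec = dict(KV_RE.findall(line))
        if not all(k in rec for k in required):
            continue
        try:
            ipaddress.ip_address(rec.get("src") or rec.get("dst"))
        except ValueError:
            continue
        records.append(rec)
    return records


def score_indicators(sources):
    """sources: {source_name: set_of_ips}. An indicator's score is the number of
    independent sources reporting it; two or more is 'high' confidence."""
    scored = {}
    for name, ips in sources.items():
        for ip in ips:
            entry = scored.setdefault(ip, {"sources": [], "score": 0})
            entry["sources"].append(name)
            entry["score"] += 1
    for entry in scored.values():
        entry["confidence"] = "high" if entry["score"] >= 2 else "low"
    return scored


def match_proxy_log(text, scored, min_score=2):
    """Return (client, dst, score) for outbound connections to indicators that at
    least min_score sources agree on. Single-source indicators are suppressed;
    that is where cross-source correlation buys a lower false-positive rate."""
    alerts = []
    for rec in parse_kv_log(text, ("client", "dst")):
        entry = scored.get(rec["dst"])
        if entry and entry["score"] >= min_score:
            alerts.append((rec["client"], rec["dst"], entry["score"]))
    return alerts


def summarize_hits(hits, top=3):
    """Aggregate honeypot hits the way a sensor map does: most-attacked services
    and most common origin countries."""
    return {
        "top_services": Counter(h["svc"] for h in hits).most_common(top),
        "top_origin_countries": Counter(h["cc"] for h in hits).most_common(top),
    }


def enrich(ip, snippets=FORUM_SNIPPETS):
    """Stand-in for the crawler step: forum mentions of a hostile address."""
    return list(snippets.get(ip, []))


def build_report():
    hits = parse_kv_log(HONEYPOT_LOG, ("sensor", "src", "svc", "cc"))
    sources = {"feed_a": FEED_A, "feed_b": FEED_B, "honeypot": {h["src"] for h in hits}}
    scored = score_indicators(sources)
    return {
        "scored": scored,
        "alerts": match_proxy_log(PROXY_LOG, scored),
        "summary": summarize_hits(hits),
        "enrichment": {ip: enrich(ip) for ip, e in scored.items() if e["confidence"] == "high"},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(), indent=2))
```

Running it shows the point of the alliance approach: the connection to 192.0.2.150 is not alerted on because only one feed lists that address, while the two addresses confirmed by both a feed and a honeypot hit are, and the honeypot log alone yields the “top service / top origin country” view with a forum mention attached to each high-confidence address. Raising `min_score` trades recall for precision; the honest version of this in production also weights sources by their track record rather than counting them equally.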

Stiansen grew up tinkering with computers on a Norwegian farm, which led him to a career designing air-traffic control and telecom-billing systems. After immigrating to the U.S. in 2004, Stiansen began thinking about a way to gain a real-time, bird’s-eye view of the inner recesses of the Dark Net. The result was IPViking, which now has millions of honeypots dispersed through 167 data centers in 47 countries.

Norse recently completed a major upgrade to IPViking, which has led to some stunning findings. Stiansen explains:


3C: Can you tell us about your most recent milestone?

Stiansen: We have managed to do a tenfold (increase) to where we can now apply millions of rules in our appliance.

3C: So more rules allow you to do what?

Stiansen: It allows us to have a lot more threat data and apply a lot more intelligence to a customer’s traffic. We can start applying more dynamic data. Our end goal is to apply full counterintelligence onto traffic. Meaning when we see a traffic flow coming through our appliance we will be able to see the street address, the domain, the email address used to register this domain. We can see who a packet is going to, and the relationship between the sender and receiver, all kinds of counterintelligence behind actual traffic, not just for blocking but for visualization.

3C: That level of detail was not available earlier?

Stiansen: Nope. This is something we’ve pioneered. This is our platform that we built so we can enable this (detailed view) to actually happen.

3C: So what have you discovered?

Stiansen: We’re learning that traffic and attacks coming out of China aren’t really China. It’s actually other nations using China’s infrastructure to do the attacks. It’s not just one country, it’s the top 10 cyber countries out there using other countries’ infrastructure.

3C: So is China getting a bad rap?

Stiansen: Correct.

3C: Who’s responsible? Russia? The U.S.? North Korea?

Stiansen: Everyone.

3C: What else are you seeing?

Stiansen: We’re also seeing how hackers from certain communities are joining together more and more. The hacking world is becoming smaller and smaller. Iranian hackers are working with Turkish hackers. Pakistani and Indian hackers, they’re working together. Indonesian hackers and Iranian hackers are working together.

3C: Odd combinations.

Stiansen: It’s weird to see these mixes because there’s no affiliation, there’s no friendship between the countries on a state level. But the hacker groups are combining together. The borders between hackers have been lifted.

3C: What’s driving them to partner, is it money or ideology?

Stiansen: All of the above. That’s the thing, the people who have similar ideologies find each other on social media and start communicating with each other. And the people with the financial means and shared goals meet each other, that’s the evolution. And when they do that, they become really powerful.

Why Medical Records Are Easy to Hack

If hacked credit and debit card account numbers are like gold in the cyber underground, then stolen healthcare records, containing patient information, are like diamonds.

Private details such as Social Security numbers, birth dates, physical descriptions and patient account numbers historically have been recorded on paper and stashed away in physical file folders and cabinets.

But the Internet all too rapidly has become our hub of commerce and social interaction. And that shift has included a mandate by the federal government to go paperless. The result: Healthcare records now exist in digital form, stored in ways that make them easy to hack.


The criminal opportunities have not escaped organized cyber crime gangs that are stepping up hacking and stealing.

The Ponemon Institute found that many healthcare organizations get attacked multiple times each year, suffering losses ranging from several thousand dollars to more than $1 million per incident. The total loss to the industry can be as much as $5.6 billion annually.

“In the dark Internet, there seems to be more activity around the theft of medical information, not just to commit medical identity fraud, but to farm that data for a very long time (for other purposes),” says Larry Ponemon, chairman of Ponemon Institute, which has been conducting medical identity theft research since 2010.


Stolen healthcare data can be worth 10 to 50 times more than payment card data in the cyber underground. Electronic health records fetch around $50 per record, according to the FBI. Some experts put that number as high as $500 for some type of medical records.

Credit and debit card numbers, by contrast, can sell for as little as $1 to $2 per account number.

“There’s an enormous online marketplace for these records,” says Kurt Stammberger, senior vice president of marketing at Norse, a security company that monitors malicious and criminal Internet traffic. “It’s like eBay: people bid, and there’s a ‘buy now’ price.”

Costly exposures

Healthcare companies are taking major financial hits, and writing off this exposure as an extraordinary cost of doing business. Details on the pain level for breached companies are surfacing, thanks to data breach disclosure rules under the Health Insurance Portability and Accountability Act (HIPAA). For instance:

  • WellPoint, a managed-care company, settled a case with the U.S. Department of Health and Human Services for $1.7 million last year. WellPoint allegedly left electronic records of more than 600,000 people accessible over the Internet because of a security weakness.
  • New York-Presbyterian Hospital and Columbia University agreed to a $4.8 million settlement earlier this year after substandard security led to 6,800 patient records becoming accessible to search engines online.
  • Individual consumers are getting harmed financially, as well, to the tune of $12.3 billion last year. Ponemon’s 2013 Survey on Medical Identity Theft found that more than one third of victims paid an average of $18,660 out of pocket to recover from data theft. That included being compelled to reimburse healthcare providers for services supplied to an impersonator.

Prevention hurdles

Healthcare experts, privacy advocates and law enforcement officials acknowledge that the fundamental problem is mushrooming and won’t be easy to stabilize.

Part of the challenge is financial. The Affordable Care Act requires insurers to spend 80% to 85% of premium dollars on medical care and quality improvement, and nothing in that rule prevents those dollars from paying for services rendered to an identity thief.

According to Forrester Research, only 18% of healthcare organizations’ tech spending budget goes to security, compared with 21% across all sectors. And most providers plan a minimal or zero increase in budget.


“The mission of healthcare providers is to take care of patients, and anything that can interfere with patient care takes a back seat,” says Paul Asadoorian, product-marketing manager at vulnerability management vendor Tenable Network Security. “Security is one of those things.”

Meanwhile, individual victims of healthcare data theft can be left twisting in the wind.

The financial services industry maintains a central database where stolen identities can be flagged; the healthcare industry has nothing of that sort. In fact, it even lacks a simple standard for authenticating the identity of anyone who steps forward to request patient care.

There is no standardized practice for assuring the identity of a patient via an insurance ID card combined with another form of ID, observes Ann Patterson, senior vice president and program director for the Medical Identity Fraud Alliance (MIFA). “That poses challenges for healthcare providers, when their main concern is quality of care,” Patterson says.