Update on CMMC

 

Cybersecurity Maturity Model Certification (CMMC)

The CMMC space is still evolving. All definitive guidance comes solely from the Office of the Under Secretary of Defense for Acquisition and Sustainment. The CMMC Accreditation Body has not fully established the C3PAO or certification processes. Neither LP3 nor anyone else can claim to provide CMMC certifications, nor can we or others promise certification.

LEVERAGE YOUR NIST 800-171 COMPLIANCE FOR CMMC CERTIFICATION ROADMAP

Since CMMC version 1 has been released and is based on NIST 800-171, LP3 will perform a fixed-cost 800-171 assessment that includes a System Security Plan (SSP), a Plan of Actions & Milestones (POA&M), and a roadmap, based on CMMC version 1, of the estimated level of effort to achieve compliance.

Be assured that without the CMMC certification as part of your acquisition record (similar to DUNS and CAGE#) you will NOT be qualified to bid on or receive Government Contracts as a Prime or a Sub. Let LP3 make the unknown known!

 

Why CMMC – Under Secretary of Defense Ellen Lord

Statement from Under Secretary of Defense Ellen Lord:

“Since I introduced the Cybersecurity Maturity Model Certification model last year, I have consistently stressed the importance of communicating and engaging extensively with industry, academia, military services, the Hill and the public to hear their concerns and suggestions. The purpose of this communication was, and still is, to ensure everyone fully understands the intent, process and requirements of CMMC to fight the very real threats that drive us to require rigorous cybersecurity.

Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD.  The requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners. To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department.  At this time, only training materials or presentations provided by the Department will reflect our official position with respect to the CMMC program. I have also reached out to the presidents of the PSC, AIA and NDIA industry associations to make them aware as well, and they remain connected with my CMMC team.

Moving forward I am confident we will soon sign a Memorandum of Understanding (MOU) with the Cybersecurity Maturity Model Certification Accreditation Body on the accreditation, certification and approval processes relating to the Defense Supply Chain. When that happens we will make an announcement.”

 

“The theft of intellectual property and sensitive information undermines our nation’s defense posture and economy. Global costs last year are estimated at $600 billion, with an average cost per American of $4,000.” – Katie Arrington, Chief of Information Security for Acquisition, Department of Defense

DoD Contractors

(Organizations Seeking Certification – OSC)

There are more than 300,000 vendors in the supply chain to the DoD, each of which will require assessment.

Organizations Seeking Certification include:

  • Prime Contractors
  • Subcontractors
  • In short, every organization that sells to or services the Department of Defense

Facts.

  • Prime contractors and subcontractors must be certified under CMMC standards to any one of five levels.  The highest levels are reserved for organizations exposed to the most sensitive information.
  • The implementation rollout will begin 1 September 2020, and take up to 5 years.
  • If a contract requires CMMC certification it will be listed in the Request For Proposal (RFP) Sections C and L.
  • The CMMC-AB will provide the standard for applying the model and certify trainers who will train assessors.
  • The CMMC-AB will provide an online marketplace where organizations can find an available, qualified C3PAO.
  • A certification will last 3 years, provided there are no incidents or other triggers inducing a second look at an organization.

But wait. We are just getting started.

Come back here often for detail and sign up below for alerts and emails.

There is much to come; we will provide information as we build it.

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)): https://www.acq.osd.mil/cmmc/index.html

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

 

  • The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
  • The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
  • The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

See the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) site for more details.

The CMMC contains five levels ranging from basic hygiene controls to state-of-the-art controls, but unlike NIST 800-171, the CMMC will not contain a self-assessment component.

Every organization that plans to conduct business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime.

 

 

 

Glossary

Accreditation – The process of issuing Licenses and Certificates.

Accreditation Body Board of Directors – The board of directors is the governing body of a nonprofit. Individuals who sit on the board are responsible for overseeing the organization’s activities. Directors meet periodically to discuss and vote on the affairs of the organization. The board of directors, as a governing body, should focus on the organization’s mission, strategy, and goals as defined in the bylaws.

Advisory Councils – Advisory Councils operate at the discretion of, but independently from, the board, to inform and advise the board from the perspective of the Advisory Council’s membership. The advisory council’s leaders participate in the board as non-voting members.

Affiliates – Business concerns, organizations, or individuals that control each other or that are controlled by a common third party. Control may consist of shared management or ownership; common use of facilities, equipment, and employees; or family interest.

Assessment – Formal process of assessing the implementation and reliable use of issuer controls using various methods of assessment (e.g., interviews, document reviews, observations) that support the assertion that an issuer is reliably meeting the requirements of a standard.  In the context of CMMC, Assessments are performed against the requirements set forth in the CMMC for the OSC’s desired CMMC Level.  Source: NIST SP 800-79-2 (adapted)

Assessor – A person who has successfully completed the background, training, and examination requirements as outlined by the CMMC-AB and to whom a License has been issued.  Assessors are not CMMC-AB employees.

Asset Owner – A person or organizational unit (internal or external to the organization) with primary responsibility for the viability, productivity, security, and resilience of an organizational asset. For example, the accounts payable department is the owner of the vendor database.  Source: RMM

Association – The process of linking an Assessor’s License Number with the License Number of a C3PAO.

Audit – Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.  Source: NIST SP 800-32

Certified 3rd Party Assessment Organization (“C3PAO”) – An Entity with which at least two Assessors are Associated and to which a License has been issued.

Certificate – A Record issued to an OSC upon successful completion of an Assessment which evidences the CMMC Level against which the OSC has been successfully assessed.

Certification – The process of receiving a Certificate.

CMMC – The set of standards initially defined by the DoD against which an OSC is to be Assessed.

CMMC Certified Organization – An Organization whose cybersecurity program has received a CMMC Certificate from the CMMC-AB.

Compliance – Verification that the planned cybersecurity of the system is being properly and effectively implemented and operated, usually through the use of assessments / audits.  Source: CMMC

Control – The methods, policies, and procedures—manual or automated—used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards. A measure that modifies risk. (Note: controls include any process, policy, device, practice, or other action that modifies risk.) Source: NISTIR 8053 (adapted)

CUI (Controlled Unclassified Information) – Information that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.   Source: E.O. 13556 (adapted)

Cybersecurity – Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.   Source: NSPD-54/HSPD-23

Defense Supply Chain (“DSC”) – The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. DSC was substituted for Defense Industrial Base to reflect more specifically the base subject to CMMC assessments.

Digital Signature – An electronic file which is used to authenticate other electronic files and to encrypt files at rest and/or in motion.

Dispute – A formal process managed by the CMMC-AB through which an Assessor and an OSC can seek resolution of a disagreement over the Assessment results.

Dispute Adjudicator – A CMMC-AB employee who is responsible for reviewing and resolving a Dispute.

Educator – CMMC-AB employees who are tasked with educating and testing prospective and current Trainers.

Entity – A legal non-person Organization duly created and maintained under the laws of one or more jurisdictions, including without limitation corporations, limited liability partnerships, limited liability companies, and governmental agencies, but excluding unincorporated Organizations such as, without limitation, partnerships.

FCI (Federal Contract Information) – Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.  Source: 48 CFR § 52.204-21

License – A document issued to an Assessor, C3PAO, or Trainer, as appropriate, entitling them to perform their duties with respect to the CMMC-AB as further outlined below.

License Number – A unique identifier linked to each Assessor, C3PAO, and Trainer.

Organization – An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements). Source: CMMC

Organization Seeking Certification (OSC) – The Organization that is going through the CMMC assessment process to receive a level of Certification for a given environment.  Source: CMMC

Record – A physical document, electronic file, entry in an electronic database, or the like.

Trainer – A person Licensed to provide Training to prospective and current Assessors.  The Trainers are not CMMC-AB employees.

 

Cybersecurity Maturity Model Certification Version 1 (LINK to PDF)

5 Benefits of External and Internal Penetration Testing

As network technologies and application features evolve at an ever-increasing rate, so too have the associated security vulnerabilities. But have our efforts to identify these vulnerabilities kept pace? Has external and internal penetration testing evolved since its origin in the seventies? How have we changed our security testing approach, tools and methodology to meet the challenges of the changing threat landscape? To answer those questions, we’ll need to understand penetration testing.

What is penetration testing?

Penetration testing is different from vulnerability scanning. A vulnerability scan is used to identify, rank, and report vulnerabilities, while a penetration test is used to exploit vulnerabilities or otherwise defeat the security controls and features of a system. Penetration testing is an authorized and proactive effort to assess the security of an IT infrastructure by carefully running tests that exploit weaknesses in the system, including flaws in the operating system, misconfigurations, service errors, and even unsafe end-user behaviors. These evaluations help confirm the effectiveness of defensive mechanisms and the adherence of end-users to security procedures. There are typically two types, External and Internal.

An external penetration test is conducted from outside the organization’s network and attempts to exploit critical vulnerabilities that an adversary could use to remotely compromise client networks, disrupting business operations, destroying data, or stealing sensitive information.

An internal penetration test always assumes that the tester already has internal network access. It can provide valuable insight if you are worried that a rogue employee could try to access data they are not authorized to view. Internal penetration tests can also tell you how much damage an intruder could do if one of your employees mistakenly opens an attachment on a phishing email, or how far a visitor to your site could get by plugging their laptop into the local network.

Finally, it is important to note that internal penetration testing is different from internal vulnerability scanning. An internal vulnerability scan, sometimes referred to as a credentialed scan, is used to identify, rank, and report vulnerabilities, while a penetration test is used to exploit vulnerabilities or otherwise defeat the security controls and features of a system. Using both approaches provides a better analysis of business risk and supports better risk mitigation investment decisions. Internal vulnerability scanning will be covered in a future post, so stay tuned!

Who needs Penetration Testing?

The goal of professional or amateur hackers is to steal information from your corporation. They may be after money or simply seek to sabotage your company. If you think about it, one single incident of system downtime can make a huge impact on your company’s reputation. Your business partners or customers may think twice about the security of their relationship with your company.

You may think a Windows® firewall and regularly updating your password is enough to ensure your security. Sadly that is not enough. Highly skilled hackers can get into your system easily and get all necessary information from you without you even knowing it.

Any company, corporation, or organization that relies on IT should have their system security tested regularly and update their security features to prevent the negative effect of system downtime and illegal hacking.

Penetration Testing – The Benefits

There are numerous benefits of employing penetration testing.

1. Detect and prioritize security threats

A penetration test (pen test) assesses the ability of an organization to defend its applications, networks, users and endpoints from internal and external attempts to circumvent its security controls and gain privileged or unauthorized access to protected assets. Pen test results confirm the threat posed by particular security vulnerabilities or faulty processes, allowing IT management and security experts to prioritize remediation efforts. By executing regular and complete penetration testing, organizations can more efficiently anticipate emerging security threats and prevent unauthorized access to crucial information and critical systems.

2. Meet audit requirements and avoid penalties

IT departments must address the overall auditing and compliance aspects of regulations such as HIPAA, Sarbanes-Oxley, and GLBA, as well as the reporting and testing requirements defined in federal NIST/FISMA guidance and PCI DSS. The detailed reports produced by penetration tests can help organizations avoid substantial penalties for non-compliance and let them demonstrate ongoing due diligence to assessors and auditors by maintaining the required security controls.

3. Avoid the cost of network downtime

Recovering from a security breach is expensive. Recovery may involve IT remediation efforts, customer retention and protection programs, legal action, reduced revenue, lost employee productivity and discouraged business partners. Penetration testing helps an organization avoid these financial setbacks by proactively detecting and addressing threats before security breaches or attacks take place.

4. Protect customer loyalty and company image

Even a single occurrence of compromised customer data can destroy a company’s brand and negatively impact its bottom line. Penetration testing helps an organization avoid data incidents that may put the company’s reputation and reliability at stake.

5. Service disruptions and security breaches are expensive

Security faults and any associated disruptions in the performance of applications or services may cause debilitating financial harm, damage an organization’s reputation, erode customer loyalty, generate negative press, and incur unanticipated fines and penalties. Regular penetration testing helps the organization avoid these expenses.

Penetration testing helps your organization avoid IT infrastructure intrusions. It is better for your business to proactively maintain its security than to face extreme losses, both to its brand equity and to its financial stability.

Penetration testing should be carried out by highly experienced testers whenever there is a change in the network infrastructure. They will scrutinize internet-connected systems for any weakness or disclosure of information that an attacker could use to compromise the confidentiality, availability or integrity of your network.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on penetration testing for your IT environment.

Jeff Grim is CTO/CISO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.

Impact of Cybersecurity Maturity Model Certification (CMMC) on DoD Contractors

Overview

The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

  • The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
  • The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
  • The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

Basic Facts about CMMC and how it will affect your Business

Taken from FAQ posted at: https://www.acq.osd.mil/cmmc/faq.html

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no-go” decision.

The CMMC is a new framework and assessment process based on Controlled Unclassified Information (CUI). CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax

Resources, including online training to better understand CUI can be found on National Archives’ website at https://www.archives.gov/cui/training.html

The DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.

The initial implementation of the CMMC will only be within the DoD.

The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.

Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.

The certification cost has not yet been determined. The cost, and associated assessment will likely scale with the level requested.

There is no self-certification.

We expect that there will be a number of companies providing 3rd party CMMC assessment and certification. An independent 3rd party assessment organization will normally perform the assessment. Some of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).

Your certification level will be made public, however details regarding specific findings will not be publicly accessible. The DoD will see your certification level.

The duration of a certification is still under consideration.

If your organization is CMMC certified and your company is compromised, you will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be recertified.

If your organization cannot afford to be certified, does that mean it can no longer work on DoD contracts? The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, however, you may be disqualified from participating if your organization is not certified.

Even if your organization does not handle Controlled Unclassified Information (CUI), all companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.

All subcontractors currently on a DoD contract will need to obtain CMMC certification.

The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts.

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ unclassified networks. CMMC audits by third party assessment organizations will not be applied to classified systems or environments. The Defense Counterintelligence and Security Agency (DCSA) will include CMMC assessments as part of their holistic security rating score.

If you would like more information, contact LP3. We will be glad to help you make an informed decision about the impact that DFARS has on your business or organization. For more information about our DFARS / CMMC compliance services, please visit our website.

Jeff Grim is CTO/CISO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.

Phishing Trips

Phishing Trips: Is Your Company Being Taken on One?

Back in the good old days when vacation time came around, the expression was “Gone Fishing.”  Boy, how times have changed in this new age of technology and cyber hacking!

Phishing has nothing to do with the sport of fishing; it is a critical threat in information technology. Phishing is a process in which malicious actors attempt to steal your passwords or fool people into downloading malware.


Phishing has become a critical problem for businesses of all sizes. In fact, recent statistics show that  93 percent of phishing emails now deliver some type of ransomware, malware or other type of cyber attack. The worst part of these phishing attempts is that people are easily baited and don’t even realize they’ve been had until the system is infected.

Cyber security experts suggest that phishing attacks come in all shapes and sizes, but usually target specific individuals within an organization, especially those who have access to sensitive corporate data.

Just recently, Verizon sent out a warning stating that as few as 10 phishing emails can have up to a 90-percent chance of reeling in a sucker. The problem is that most targets are not hi-tech gurus. They’re professionals in areas such as manufacturing, retail, real estate or other industries, but they’re unaware of the new bait and switch tactics taking place over the web. These folks often think they’re opening a trusted news channel, dating site or generic puppy training video when the boss isn’t looking – and what happens? Bang! They let malware, ransomware or a virus in.

What Do You Do?

So what should you and your staff be looking out for to stay safe? Here is a list of the most common phishing techniques:

1. Mass-Market Emails

The most common method of attack comes by tricking someone into thinking that email comes from a trusted source. The message and header seems familiar enough. It could say, “UPS is trying to deliver a package.” Or, “Hi remember me?” Or, “I’ve been trying to reach you.” I even got one recently that said, “Is this you?” Some attacks specifically target organizations and individuals while others rely on methods other than email to get inside.

2. Spear Phishing Is even More Pointed – Targeting You Personally

In general, phishing is about casting a wide net. Spear-phishing, like those in the recent Russian attacks in our election process, goes after specific targets. It makes sense to the cyber criminals: better to go after a select few organizations with money, resources and data than just sending out random emails hoping for a big catch. An attacker may target a government agency, or official, to steal state secrets or secretly control a state or national government official. They often succeed because the attackers carefully tailor information specific to the recipient or include a file name the target is interested in. One that recently worked contained a malicious Visual Basic for Applications (VBA) macro that contained malware called Seduploader.

3. Whaling: Phishing for The Biggest Catches

When the targets are an organization’s top executives it’s called “whaling.” The targets are: data, employee information, and cash that an executive has direct control over. Naturally, information stolen from an executive will be of higher value than that stolen from a regular employee.

This requires a little more work because the hacker needs to know who the intended victim communicates with and what the communication entails – customer issues, legal docs, or even privileged information from the C-suite. Attackers start innocently enough, using social engineering to gather specific information about the victim and the company before launching their harpoons.

4. Heard of BEC, Business Email Compromise? That’s A Hacker Pretending to Be The CEO

BEC scams and CEO email fraud target key individuals, especially in the organization’s finance and accounting departments. By doing so, it seems an order is coming right from the top, tricking targets into initiating money transfers to unauthorized accounts. After monitoring an executive’s email activity for a period of time to learn about company processes and procedures, the attacker crafts an email that looks like it has come from the targeted executive’s account to a regular recipient. Looking important and urgent, it directs a wire transfer to the attacker’s bank account. The haul? Last year BEC scams accounted for more than $4.5 billion in actual and attempted losses.

5. Sending In The Clones

Clone emails are another clever way to fool employees, and they work because they look like mail the victim has already seen. The body of the message is copied from a legitimate message the victim previously received; the only difference is that the attachment or link has been swapped for a malicious one. It may say “need to resend the original” or “this is an update” to explain why the victim is receiving the message again. The hope is that familiarity will lull the recipient into opening it without thinking too much. Spear-phishers also clone websites on lookalike domains to make the scam harder to detect.

6. Over The Phone Phishing Becomes Vishing

Vishing is “voice phishing” over the phone. Typically, the target gets a voice message disguised as a communication from a financial institution, asking them to call a specific number and enter their account number or PIN to continue. The voice on the other end belongs to an attacker using a voice-over-IP service, which also lets them spoof the caller ID. Fake Apple tech support calls are a favorite, using the fear of being hacked to do the actual hacking.

7. Spreading Poisonous Messages Is Called Snowshoeing

It’s hard to keep up with the terminology, much less the forms of attack. “Snowshoeing,” or “hit-and-run” spam, spreads a campaign across many domains and IP addresses so that each individual sender emits only a trickle of messages and stays under the volume thresholds that spam filters and sender-reputation systems key on.

“Hailstorm” is another barrage campaign. It works like snowshoeing except that the whole run is compressed into a very short burst: the messages are all delivered before anti-spam tools, which learn from mass volume over time and then block the offending senders, have had a chance to react. By the time the filters catch up, the attackers are long gone.
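Both tricks defeat a filter that counts messages per sender; neither defeats a filter that groups messages by what they say. As an added example (not from the original post or from LP3), the script below fingerprints message bodies, counts how many distinct sources share each fingerprint, and uses the campaign’s time span to tell a hailstorm burst from a slow snowshoe run. The record format, thresholds and all of the sample traffic are constructed for the example.

```python
"""Spot a snowshoe or hailstorm campaign that per-sender volume limits miss.

Each record is (timestamp, source_ip, sender_domain, body). Per-source counts
stay low, so a filter keyed on sender volume sees nothing. Fingerprinting the
body and counting distinct sources per fingerprint exposes the campaign; the
time span then separates a hailstorm burst from a slow snowshoe run.
"""
import hashlib
import re
from collections import defaultdict

PER_SOURCE_THRESHOLD = 5     # what a naive per-IP filter needs before it reacts
CAMPAIGN_MIN_SOURCES = 4     # distinct IPs sharing one body fingerprint
HAILSTORM_WINDOW = 600       # seconds; a campaign finished inside this is a hailstorm


def fingerprint(body: str) -> str:
    """Collapse per-message variation (links, numbers, punctuation) so every
    copy of one template hashes to the same value."""
    text = body.lower()
    text = re.sub(r"https?://\S+", " ", text)   # per-recipient tracking links
    text = re.sub(r"\d+", "#", text)            # invoice numbers, amounts
    text = re.sub(r"[^a-z# ]+", " ", text)      # punctuation and other noise
    text = " ".join(text.split())
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def per_source_alerts(messages):
    """The naive check: any single IP over the threshold."""
    counts = defaultdict(int)
    for _, ip, _, _ in messages:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= PER_SOURCE_THRESHOLD}


def find_campaigns(messages):
    """Group by body fingerprint and report groups spread across many sources."""
    groups = defaultdict(list)
    for ts, ip, domain, body in messages:
        groups[fingerprint(body)].append((ts, ip, domain))
    campaigns = {}
    for fp, items in groups.items():
        ips = {ip for _, ip, _ in items}
        if len(ips) < CAMPAIGN_MIN_SOURCES:
            continue
        times = [ts for ts, _, _ in items]
        span = max(times) - min(times)
        campaigns[fp] = {
            "messages": len(items),
            "sources": len(ips),
            "domains": len({d for _, _, d in items}),
            "span_seconds": span,
            "kind": "hailstorm" if span <= HAILSTORM_WINDOW else "snowshoe",
        }
    return campaigns


def sample_messages():
    """Constructed traffic for the example, not real mail logs."""
    msgs = []
    invoice = "Invoice {n} is overdue. Review it at http://pay-{n}.example/{n}"
    for i in range(6):                       # snowshoe: 6 IPs, 2 mails each, over 6 hours
        for j in range(2):
            msgs.append((i * 3600 + j * 1200, f"198.51.100.{i + 1}",
                         f"billing-{i}.example", invoice.format(n=1000 + i * 10 + j)))
    alert = "Your account {n} is locked! Verify now at http://secure-{n}.example/login"
    for i in range(8):                       # hailstorm: 8 IPs inside two minutes
        msgs.append((50000 + i * 15, f"203.0.113.{i + 1}",
                     f"login{i}.example", alert.format(n=i)))
    for i in range(3):                       # legitimate bulk mail from one source
        msgs.append((60000 + i, "192.0.2.10", "news.example", f"Weekly digest issue {i}"))
    return msgs


if __name__ == "__main__":
    msgs = sample_messages()
    print("per-source alerts:", per_source_alerts(msgs) or "none")
    for fp, c in find_campaigns(msgs).items():
        print(fp, c)
```

On the sample traffic the per-source check fires on nothing, while the fingerprint grouping reports two campaigns: twelve invoice lures from six sources spread over hours (snowshoe) and eight account-locked lures from eight sources inside two minutes (hailstorm). The one-source newsletter is ignored because a single sender repeating itself is normal bulk mail.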

Learn to Recognize Phishing Lures

Most ordinary users are not good at recognizing a phishing attack; a savvy few may be. That is too thin a line of defense to leave hanging out there. Start with a risk assessment and gap analysis so you know where your organization is exposed, then make it easy for users to recognize and report malicious messages. Simple defenses like spam filters are not enough: your organization should run an internal awareness campaign and train staff to recognize the different types of attacks described above.

One Final Word

Be careful. That email or attachment may look like it comes from a trusted source, but who you may see as a pal, may only see you as chum.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.

For more information about our Security Awareness Assessment and Training Services, please visit our website.

Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.

Top 5 Success Factors for Cybersecurity Management Programs

It is a common scenario: an employee is terminated and, while being escorted from the building, tries to take a backup of his work or, worse, of confidential corporate information. As leader of the cyber security team it is your job to train for, handle and check any kind of cyber theft, including this one. If you have planned well, you deal with it efficiently because your employment contracts legally protect the company and allow it to confiscate backup media from employees leaving the building.

But what happens if this issue is not accounted for?

The company could face serious threats, including the outright loss of proprietary information.

This scenario is a very tricky situation for companies that are not prepared with a cybersecurity management program (CMP). An employee could very well walk out of the facility with a backup of sensitive information, possibly even the latest product designs or other information critical to the growth or the finances of the organization. It is a problem many companies face, and the solution is to implement a CMP that protects the company against cyber crimes of this nature.

Cybersecurity Management

If you fail to manage your cybersecurity issues, your security measures will fail and your organization will be compromised. With phishing, ransomware and so many other types of cybercrime out there, it is critical that businesses plan, create and execute cybersecurity management programs that work. When these programs are implemented and consistently managed, the organization’s sensitive information is protected. We must always keep in mind that an intruder needs only one weakness to compromise the organization. It is your team’s responsibility to properly manage all the cyber security controls and settings of your business so that situations like these do not occur.

We cannot overstate the need to develop and implement an effective cybersecurity management program that covers all possible weaknesses. But where do you start? A good CMP is built on these five key points:

  1. Identify and get support from the senior leaders of all departments.
  2. Develop an organization-wide cybersecurity management program and submit it for endorsement by the CEO.
  3. Create a cybersecurity management work plan to implement the policy.
  4. Mandate a document review process to support ongoing cybersecurity policy and management.
  5. Complete the basic cybersecurity framework first.

Final Thoughts

Cyber threats are a real issue and organizations of all sizes need to prepare for cyber attacks, both internal and external. It’s a matter of setting up all-encompassing cyber threat policies and then testing them against all possible scenarios. The principle behind effective cyber security management is to be prepared for all situations, including internal cyber threats.


Don’t Be An Accomplice To Cyber Criminals

Vulnerabilities, Phishing, Internet Privacy only relate to big business, right?

Well, we would have to say that you’re wrong. Cyber security is a problem for everyone, from the end user at home to the large organization, and it is something we all need to be concerned with. Don’t believe me? Maybe you will after I show you how vulnerable most home computers, mobile phones, tablets and other devices that connect to the Internet really are.

Yes, we all do the basics when it comes to cyber security. We usually run an antivirus program on our devices, but most of us overlook the internet router, a prime target for cyber criminals. The router is a way in, and unfortunately neither you nor your Internet provider probably give it much thought. Most people set up their router once and then forget about it; nobody thinks about the router until the internet stops working.

 VPNFilter

The latest malware, known as VPNFilter, targets the lowly router, and it has already infected over half a million of them.

What is the purpose? Access to all of these routers gives the attacker a huge botnet of connected devices to control. A single command can overwrite the router’s firmware in flash memory and brick it, leaving you without internet access until you buy a new router.

But suppose he doesn’t want to cut you off from the internet. Instead, he wants to spy on your activity and collect your passwords, credit card numbers and so on. That is what he is really after: an infected router sits in the path of all your traffic, so once it is compromised it can be used for almost anything.

Making The Small Internet User An Accomplice

Of course, the biggest danger is that the small user becomes an accomplice in a much larger attack. An attacker can use these large groups of connected devices to flood corporate websites with traffic and knock them offline. The Mirai botnet did exactly that, taking major internet services offline across several US states for most of a day. Router-based attacks can be so damaging that the FBI has stepped in, seizing a server the VPNFilter operators used to send commands to infected devices.

What Can We Do About This Cyber Attack?

Unfortunately, there is no easy way for a home user to tell whether a router has been infected. So far Linksys, MikroTik, TP-Link and Netgear routers have been hit by this malware, but whether or not your brand is on that list, it is a good idea to take a few cyber security precautions.

Here’s what you can do:

Restart and Update Firmware

Restart the router. A reboot clears only the malware’s non-persistent stages, the parts that do the spying, and the stage that survives the reboot can download them again, so this only buys you time. Use that time to update the firmware. You can find out how by going to the manufacturer’s website and its downloads or support section. Updating the firmware applies the manufacturer’s latest fixes, including the ones that close the holes VPNFilter used to get in.

You will need your router’s exact model number (and hardware revision, if the label shows one) to get the right firmware; the serial number identifies your unit, not the firmware it runs. Check the underside or back of the router for the make and model. Then log in to the administrator panel through your web browser and install the update. The address of the administrator panel is usually printed on the same label or in the instructions packaged with the router.

Check for router firmware updates every few months, because many consumer routers do not update themselves. If yours offers automatic updates, turn them on.

Change the Default Password

Most routers come with a default password, or no password at all, because it makes setup easy for consumers. Unfortunately, attackers know the default passwords too; lists of them are public. Look up the manufacturer’s instructions for changing the administrator password, and pick a long one that you do not use anywhere else.

Turn Off Remote Access

Many routers let you reach the administrative panel remotely over the internet. That is convenient when you first set up the router, but turn it off afterwards so that attackers cannot reach the panel from the outside and change your settings, which is trivial if the default password is still in place.

Do a Factory Reset

If the router is acting a little wonky and you have tried all of the above, do a factory reset and reconfigure everything from scratch. It is a hassle, and on its own it may not remove malware that has dug into the firmware, but it restores the device to its original setup, from which you can reapply the steps above: update the firmware, set a new password and turn off remote access.

Bottom Line

If you think cyber security does not affect you simply because you only use the internet at home, you would be wrong. Cyber security is something all Americans need to be on the lookout for. Just as you are alert to criminal activity in your neighborhood, you also need to watch out for cyber criminals who may be using your lowly router to build a powerful interconnected network and create havoc on the web.


 

Chief Information Security Officers (CISO) – The First Line of Defense for Strong Cyber Resilience

The C-suite has a new and immensely important addition. Sitting right next to the CEOs, COOs and CFOs is the Chief Information Security Officer (CISO), whose mission is to own the organization’s cyber security posture. The position is becoming vital in the corporate world because we face an age of ransomware, malware and other threats that proliferate on the net.

What Is The Situation?

Criminals and other cyber thieves don’t need blowtorches and nitro to pull off a heist anymore. They have an arsenal of cyber burglary tools to do it for them.

How Do They Get in So Easily?

People are the weakest link in your chain of cyber threat defense. As such, CISOs know they need to keep their eyes and attention on employees who may inadvertently or intentionally open the door to allow access by unauthorized users.

The big questions that must be asked are: do your employees have the skills to recognize and combat cyber threats and cybersecurity issues? Are you making sure they have the training and the knowledge to stand up to the ever inventive cyber criminals? And are you – as a company – seeking out and securing the services of people with the skills and talents needed to be a line of defense?

A recent research study by ESG and ISSA found that 96% of respondents said cyber security professionals must keep their skills current, because adversaries spend all their time finding new and inventive ways to breach your security.

Unfortunately, even knowing that, organizations repeatedly fall behind on training, whether because of perceived cost, lack of time or other excuses. As a reminder, the cost of putting things back together and salvaging your company’s reputation after a breach will be far greater.

Cyber professionals state unequivocally that they want more resources to help in the fight, and undergraduate programs don’t teach much of it. For instance, a 2017 study reported that not one of the top 10 computer science programs in the U.S. requires a security course, and less than 25% of cyber security professionals believe their education gave them the skills needed in the real world, with real threats and real adversaries working against them.

Because of that, CISOs may have to do the training themselves or build in-house programs to do it. That training needs to include non-technical employees, since they are often the way in: downloading malicious files, opening dangerous links or falling for a phishing lure.

So, What to Do?

Make education tools available to all your staff. Create simulations and teach your staff how to react. Use all opportunities to incentivize the use and learning of new skills.

These can and should include:

  • Fundamental security online or on-demand courses.
  • Programs administered by accredited resources.
  • Vendor training so your suppliers know a safe and secure way into your systems.
  • Cyber-security classes, events and simulations. Training labs, virtual or physical.

A Word about Virtual Training Labs

They are cost-effective for both new and existing employees, teach the safeguards against cyber vulnerability and should have the support of all upper management. Cyber security should dominate the first days of an employee’s training and then be reinforced and updated as new challenges arise.

In the end, it’s more about people than it is about technology, so people are where your defense program must begin.


 

 

Credential Stuffing – The Latest and Greatest Way Cyber Crooks May Be Targeting You

You have to hand it to cyber-criminals. They keep finding new and innovative ways to do the same old thing: rob you.

And what they are after is the coin of the realm in today’s world: data. It’s like a bucket of gold with a “Take Me” sign on it. And worst of all, you may not even know it’s happening.

Credential Stuffing. What Is It?

It’s a form of cyber attack in which attackers hammer a targeted website’s login page with usernames and passwords stolen from somewhere else, hoping that some of them have been reused there. Every hit gives them a working account, and with it access to cloud data, databases, financial information and more.

Worse, this technique has even the big boys’ heads spinning. A perfect example is Yahoo, which suffered two of the largest credential thefts in history; those stolen logins are exactly what gets stuffed into other sites’ login pages. And if a sophisticated company like Yahoo can be hacked, you can easily be hacked.

However, you can protect yourself, and in some cases, do it better than the big guys. So think carefully about what you can learn here. Credential Stuffing is something you cannot afford to overlook and you really must look out for it.

How It Works

It’s not all that complicated. The attacker takes a huge list of email addresses, usernames and passwords leaked from other sites and, using automated tools and a pool of IP addresses, tries each pair against the target site’s login until some of them stick. It works because people reuse passwords. Once in, the attacker is free to roam around the victim’s account until they find what they are looking for.
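From the defender’s side, stuffing has a recognizable shape in the authentication log: many different usernames, one or two tries each, a low hit rate and machine-speed timing. That is the opposite of single-account brute force (one username, many tries), and both differ from a real user mistyping a password. The script below, an added example rather than code from the original post or from LP3, classifies sources by that shape and lists the accounts a stuffing source actually logged into, since those passwords are now known to be breached and must be reset. The log line format, the thresholds and the sample log are constructed for the example.

```python
"""Separate credential stuffing from single-account brute force and from
ordinary failed logins in an authentication log, and list the accounts the
stuffing source actually got into.

Stuffing: many distinct usernames, about one try each, low success rate,
machine-speed timing. Brute force: one username, many tries. Both need
blocking, but only the stuffing hits tell you which passwords are burned.
"""
import re
from collections import defaultdict

# Constructed log format for this example: "<epoch> <source-ip> <username> OK|FAIL"
LINE = re.compile(r"^(?P<ts>\d+)\s+(?P<ip>[\d.]+)\s+(?P<user>\S+)\s+(?P<result>OK|FAIL)$")


def parse_log(text: str) -> list:
    """Return (timestamp, ip, username, succeeded) tuples; skip malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["ip"], m["user"], m["result"] == "OK"))
    return events


def classify_sources(events, min_attempts=10, window=600,
                     stuffing_user_ratio=0.8, max_success_ratio=0.2):
    """Return {ip: summary} for sources whose pattern looks automated."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    suspects = {}
    for ip, rows in by_ip.items():
        attempts = len(rows)
        if attempts < min_attempts:
            continue                                  # too few to judge
        times = [ts for ts, _, _ in rows]
        if max(times) - min(times) > window:
            continue                                  # not machine-speed in this simple model
        users = {u for _, u, _ in rows}
        successes = sorted(u for _, u, ok in rows if ok)
        distinct_ratio = len(users) / attempts
        success_ratio = len(successes) / attempts
        if distinct_ratio >= stuffing_user_ratio and success_ratio <= max_success_ratio:
            kind = "stuffing"
        elif len(users) <= 2:
            kind = "brute_force"
        else:
            continue
        suspects[ip] = {"kind": kind, "attempts": attempts,
                        "distinct_users": len(users), "compromised": successes}
    return suspects


def sample_log() -> str:
    """Constructed log for the example, not real authentication data."""
    lines = []
    for i in range(40):                 # stuffing: 40 usernames, one try each, 2 hits
        result = "OK" if i in (7, 23) else "FAIL"
        lines.append(f"{1000 + i * 3} 203.0.113.5 user{i:02d} {result}")
    for i in range(15):                 # brute force: one account, 15 guesses
        lines.append(f"{2000 + i * 4} 192.0.2.9 bob FAIL")
    lines.append("3000 198.51.100.7 alice FAIL")   # ordinary user: typo, then success
    lines.append("3012 198.51.100.7 alice OK")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, summary in classify_sources(parse_log(sample_log())).items():
        print(ip, summary)
```

Real stuffing is usually spread across many IPs to stay under exactly this kind of per-source check, so in production the same ratios are also computed across the whole login stream (distinct usernames failing per minute, share of failures for usernames that have never logged in before). The per-source version shown here is the starting point, and the `compromised` list is the part the incident responder needs first.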

Can This Infiltration Method Apply to You?

It could. Use of stolen credentials is now one of the most common ways attackers get in. The Verizon 2017 Data Breach Investigations Report revealed a frightening statistic: 81% of hacking-related breaches involved stolen or weak, easily guessed passwords. That is a huge increase from the 18% the report gave the year before. Those percentages look bad, but the numbers they represent are worse: three billion records were leaked on the dark web last year. In fact, when we get the chance to talk to cyber security pros, they admit that credential stuffing has quickly outpaced other methods and become their number one priority.

How Do They Do It?

There are about 4 common ways cyber thieves and hackers get their hands on your info.

  1. They buy stolen databases. That’s the easiest thing for them to do. Usernames and passwords are readily available on the dark web, the corner of the internet where anything from illegal drugs to hit men can be found. Studies have shown a veritable supermarket of passwords and logins for sale there, placed in bulk after they are stolen from companies like Dropbox. Attackers buy, sell and trade these lists, which offer access to millions of accounts they can use in their planned attack.
  2. Leaks. Leaks happen more often than you may think, for instance when data is transferred internally or externally to a data center, or left exposed in a misconfigured storage bucket. These leaks are normally accidental, but they are a prime source of usernames and passwords.
  3. Going phishing. Spamming targets with emails that lead to phishing pages is a less common source of bulk credentials, but it happens often enough to deserve your attention. When a phisherman lands you, he gets your username and password in plain text, which he can use directly to get at your data.
  4. Botnets and browser injectors. Malware on an infected machine hooks into the browser and captures whatever the user types into login fields, sending it back to the attacker. The compromised browser gives no sign that anything is wrong, so these captures are easily and often overlooked.

What, If Anything Can These Infiltrations Do to You?

Even the big boys like Sony, Amazon and eBay have been reeled in and breached by cyber criminals. Attackers often get in by exploiting an employee’s personal communications, contacts and friends lists, and because they then log in with valid credentials they simply walk past the firewall.

How Bad Could It Get?

Credential stuffing will impact more than individuals, because one individual’s login often gives the attacker access to other data. Once joe@businessname.com is uncovered, the company is open to numerous break-ins, because if there is a joe@, there will be a betsy@, and the attacker now knows the address pattern. And even though you may have policies that forbid workers from using their work accounts to sign up for online services, as most parents know, saying no is usually not enough. People are people; they do not always have an interest in keeping corporate data safe, or they may not realize that infiltration is a real problem. If they get hacked, all your company data is at risk, and that, on top of everything else, can become a PR nightmare.

What You Can Do

These are a few quick tips that can help you increase your cyber security. They come from the best cyber security professionals we know, so implement them right away.

  • Redo your passwords and make them tough. Yes, most of us are lazy and don’t want to memorize a random series of letters, numbers and symbols, but it is the single most important thing you can do. Never reuse a password across sites; a stolen password is only useful for stuffing if it works somewhere else.
  • Enable two-factor authentication. This is a quick, easy and smart move and a worthwhile second layer of security. It requires the person logging in to present a second factor, such as a one-time code from an authenticator app or sent to their device, so a stolen password alone is not enough.
  • Use a password manager. A program like LastPass or PassPack lets you create a unique, strong password for every online account and keeps them in a secured password vault. This relieves employees of having to memorize their passwords or codes.
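To show what the second factor actually is, here is an added example (not code from the original post or from LP3) of the time-based one-time password scheme (RFC 6238) that authenticator apps implement: the client derives a six-digit code from a shared secret and the current 30-second step, and the server recomputes it. The verifier tolerates one step of clock skew and refuses to accept a step twice, which is what stops a code that was phished or shoulder-surfed from being replayed. The secret used is the RFC’s published test value, so the codes can be checked against the standard; a real enrolment uses random bytes.

```python
"""RFC 6238 time-based one-time passwords, both sides.

The secret is shared once (usually as a base32 string inside a QR code);
after that, the client derives a 6-digit code from the current 30-second
step and the server recomputes it. The verifier tolerates one step of
clock skew and never accepts the same step twice.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """Client side: the HOTP value for the current time step."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the secret as (often unpadded) base32."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server side: accept the current step or one either side, never twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_step = -1          # highest step already consumed by a valid code

    def verify(self, code: str, now=None) -> bool:
        counter = int(time.time() if now is None else now) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_step:
                continue             # replay of a consumed step, or older than one
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_step = c
                return True
        return False


# RFC 6238 Appendix B test secret (SHA-1 variant); real enrolments use random bytes.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(TEST_SECRET, 59), totp(TEST_SECRET, 1111111109))
    v = TotpVerifier(TEST_SECRET)
    print(v.verify(totp(TEST_SECRET, 59), 59), v.verify(totp(TEST_SECRET, 59), 60))
```

Two details matter in practice and are easy to get wrong: the comparison uses `hmac.compare_digest` so that timing does not leak how many digits matched, and `last_step` is stored per user on the server so that a code is burned the moment it is accepted. A code sent by SMS works the same way from the user’s point of view but is weaker, since the channel itself can be hijacked; an authenticator app or hardware token keeps the secret on the device.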

Last but Not Least

Find yourself a cyber-security expert to go through your platforms to uncover any compromised logins. And make your employees aware of credential stuffing and implement a plan to require employees to use unique passwords and two-factor authentication.


Is Your Company Suffering from Cyber Security Issues?

Data breach.

Vulnerabilities.

IAM security.

To the average business owner these terms are pure mumbo jumbo. But if cyber security is defined as protecting the integrity, confidentiality and availability of your information, then it is certainly something you need to understand, and if you don’t, you need help to protect it. It’s time you found someone who understands what these terms mean and knows how to protect your business from the damaging effects of these vulnerabilities.

Known in the industry as the CIA triad (confidentiality, integrity and availability), these three properties are what proper security controls preserve. They let your company defend against and recover from network accidents, hard drive failures and server power outages. Equally important, proper vulnerability preparedness defends against cyber attacks by hostile outside forces, competitors, script kiddies, hackers and fun seekers who derive pleasure simply from taking you down. To be safe and secure, your business needs to plan for business continuity and disaster recovery in the event of a network security breach.

No Ifs, Ands or Buts

Security must start at the top of your organization. Protection against data breaches is something even your CEO should embrace. The information world we live in is fragile, one that can be entered and attacked, so it demands strong and constant cyber security controls. All systems, whether you run your own servers or keep your data in the cloud, should meet defined security standards that all employees are properly trained in and that are vigorously enforced. Anything coded by one human can be decoded by another, and all code has flaws and bugs that can be exploited.

Security Training Is a Must Do

The weakest link is always the human element which means that if you use developers, they need to be trained to produce secure code. Staff must be trained to take a strong security stance. End users need to understand and look out for phishing and social engineering attacks. Internal panic can be averted when you know what to look for.

It Will Happen – A Breach through a Security Vulnerability is Just a Matter of When

At some point every company will face a cyber attack, even with the best controls. Attackers always go for the weakest point. But if your company practices basic security controls, many of those attacks are preventable. That practice is often referred to as “cyber hygiene.”

It is no different from washing your hands before you sit down to dinner. In the world of Internet privacy it means employing strong authentication practices and never storing sensitive data where it does not need to be. This may mean finding a good Managed Security Services Provider (MSSP), using cloud security services or specialized breach detection systems.

The point is you need to be proactive and go well beyond the basics. Hackers today are sophisticated and shrewd. They can circumvent most defenses and their methods are growing in complexity and proficiency every day. And all of us are increasingly vulnerable.

Everything Connected Can Mean Everything Open to Attack

The electric grid, banks, even cars and power plants can now be threatened. Even the once sacred election process has been targeted by foreign sources. And as more and more organizations migrate to the cloud, as more employees bring their own devices into the workplace and new challenges arise, businesses need to be prepared and step up their penetration testing as well as their server hardening.

A strong, vigilant and constant check and defense of your systems has never been more important.

Privacy Is King

Now more than ever, privacy is king around the globe. Consumers want their information kept safe by vendors, and the regulatory climate around consumer privacy is a huge issue today. The European Union’s General Data Protection Regulation (GDPR) is a strict framework for this, and organizations that handle EU residents’ data must meet its privacy and security mandates, alongside any other regulations that apply to them.

Cyber Professionals Are in High Demand

Businesses of all types need to protect themselves from compromise. Many will hire managed security services providers to do so, which means cyber security is a growth industry and will continue to be as advances are instituted and hackers seek to undo them. Companies need to assess sharply their areas of greatest vulnerability and seek out professionals who can defend them.

What Level of Cyber Security Do You Need?

Every company and system is different, but there are still general rules and steps we can all use.

Network security is a must. Paying attention to network security helps you guard against unauthorized intrusion. Your staff must remember that there are creative hackers out there who constantly deploy destructive viruses and malware that can compromise your information. Once you implement a few cyber security best practices you may hear some griping about second factors or extra logins, but it is worth the effort, because just one hack can ruin your day. You may sacrifice a little productivity, but imagine the productivity loss if your systems get hacked.

Here are a few tools you may want to implement to keep hackers from achieving a data breach:

Flag Alerts – There are tools to monitor security, but they can lull you into a false sense of security because valid alerts are often missed. To avoid that, real time flags and alerts should be considered.

Store it in the cloud – The cloud opens new opportunities and poses new challenges to cyber security. Breaches now occur with great regularity because of poorly configured cloud instances and weakly protected credentials for the consoles that manage them. Cloud providers are rapidly creating new security tools to better secure data, but as we all know, if there are treasures to be found, the diggers will be searching.

Secure your applications – Application security (AppSec) begins with secure coding, which is the weak point of most applications. Few companies mitigate all of the OWASP Top Ten web vulnerabilities. Fuzzing and penetration testing remain a must. Unfortunately, DevOps was built to prioritize speed of delivery over security. That focus will likely change, given the proliferation of threats, as more and more companies migrate to the cloud.

Internet of Things (IoT) Security – The things referred to include many critical and non-critical cyber physical systems. Examples are appliances, sensors, printers –even security cameras. These devices are often in an insecure state with no security patching. This poses threats to users as well as others on the internet. Botnets are springing up in many systems posing unique security challenges for all of us.

What Cyber Threats Are Out There Looking for You?

There are five general categories of cyber threats:

Confidentiality: Many cyberattacks begin with a target’s personal data. Identity theft, credit card fraud, bitcoin wallets – these are all prime targets of hackers. Other nations – our adversaries or enemies – are on the lookout for confidential info for political, military, or economic leverage.

Integrity: Another name for sabotage. Integrity attacks attempt to corrupt, damage or destroy information or systems, and with them the people who depend on them. They can be subtle or overt in seeking to do real damage. Everyone from script kiddies to nation-state attackers can and does employ this tactic.

Availability: Ransomware is now one of the most common ways a business system gets taken down. It encrypts the target’s data and demands payment before the decryption key is handed over. Denial-of-service attacks hit availability differently, flooding a network resource with requests until it crashes or can no longer serve legitimate users. Ransomware usually arrives through social engineering: the attacker tricks a user into running a Trojan horse program, often from a website the user trusts and visits, or phishes the user’s password out of them. Even well-trained users can be roped in, so the best defense against a stolen password is two-factor authentication, where a second, one-time code must be supplied from the user’s device.

Unpatched software: Really, this is the worst kind of breach for a business, because it is caused by a cyber security oversight: a failure of due diligence. It happens simply because your team does not apply the necessary updates on time. If you know about a vulnerability and don’t fix it, the burden is on you.

Social media threats: These happen all the time and can be as easy as a phishing link or malware delivered through your LinkedIn or Facebook account. This is one you need to expect and be prepared for when it does happen.

Advanced Threats May Already Be There

Don’t be surprised if attackers are already messing around in your corporate network. If you’re working on something competitors might like to get their hands on, they will find a way to take it from you unless you are prepared to stop them. This is especially true of intellectual property.

Bottom Line

These are only a few ways in which your system can be and will be breached someday. This article is not meant to scare you, but to help you realize that cyber security breaches are not a joke and happen to businesses of every size. This is why it is important to take necessary data breach security measures and protect your data.


Keeping Your Healthcare Security Safe from the Top Cyber Threats

Cry.

It is what we should all be doing when we consider all of these cyber attacks.

In fact, a recent cyber attack called WannaCry made the healthcare industry want to do just that. Cry. So far, this attack has rained havoc down on 16 healthcare organizations, affecting different medical practices to differing degrees.

The cost incurred by cyber crime is rising quickly as more and more hackers focus on the cyber world, where so many healthcare providers store their information.

A joint study by Ponemon and IBM shows that businesses in the healthcare industry are still being hit by cybercriminals and that the number of breaches is on the rise. The study, the “Cost of Data Breach Study,” puts the cost at about $380 for each breached healthcare record. So if you are in the healthcare industry, beware, take a deep breath, steady your nerves and read on.

Ransomware and other Malware

Malware is hardly new, but it remains a raging and serious threat to every industry, and it perhaps does the most damage in healthcare, where issues of life and death may be involved. Healthcare depends on an intricate set of interlocking reporting systems and services that carry critical information to providers, and that interdependence makes the data vulnerable to ransomware and other malware: one locked system can stall many others.

After the WannaCry attack, hospitals were forced to turn away new patients and interrupt treatment of existing ones because their records could not be accessed. The U.S. Department of Health and Human Services breach portal, nicknamed the ‘Wall of Shame’, which lists healthcare data breaches in the U.S., shows 288 data breaches affecting nearly 4.7 million individuals, four times as many as in the previous year.

Phishing

Phishing is a fraudulent email (or message) that lures the recipient into opening a malicious attachment, following a link to a look-alike website, or handing over credentials. Verizon reported that 66% of malware is installed through an email attachment. Shockingly, a whopping 98% of healthcare providers have not taken the basic step of deploying Domain-based Message Authentication, Reporting & Conformance (DMARC), the DNS record that tells receiving mail servers to quarantine or reject mail that forges the provider’s own domain.
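A DMARC record only protects a domain if its policy is actually enforcing: a record with p=none produces reports but lets forged mail through, and pct below 100 applies the policy to only part of the traffic. The following is an added example, not LP3’s code or tooling, that classifies a domain’s posture from its _dmarc TXT record; the records and domain names in SAMPLE_RECORDS are constructed for illustration, and a real audit would fetch the TXT record at _dmarc.<domain> instead.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record (RFC 7489 syntax).

Added example; the sample records below are constructed, not real lookups.
"""
from typing import Dict, Optional

# Constructed for illustration: what a healthcare provider's _dmarc records might look like.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "clinic-a.example": None,                                          # nothing published
    "clinic-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@clinic-b.example",
    "clinic-c.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:d@clinic-c.example",
    "clinic-d.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:d@clinic-d.example",
    "clinic-e.example": "v=spf1 include:_spf.example -all",           # SPF record in the wrong place
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record: Optional[str]) -> str:
    """Return one of:
    'missing'       no record: receivers cannot tell forged mail from real mail
    'invalid'       not a DMARC record (no v=DMARC1, no p= tag, or an unknown policy)
    'monitor-only'  p=none: aggregate reports only, forged mail is still delivered
    'partial'       quarantine/reject with pct < 100, so some forged mail gets through
    'enforced'      p=quarantine or p=reject applied to all mail
    """
    if not record:
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    return "partial" if pct < 100 else "enforced"


def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each domain to its posture; anything other than 'enforced' is a finding."""
    return {domain: dmarc_posture(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, posture in audit(SAMPLE_RECORDS).items():
        flag = "" if posture == "enforced" else "  <-- finding"
        print(f"{domain:20s} {posture}{flag}")
```

Only clinic-d in the constructed set would actually stop a spoofed message; the other four are the kind of gap the 98% figure above refers to. Note that DMARC relies on SPF and DKIM being set up for the domain’s legitimate senders first, or an enforcing policy will also block the provider’s own mail.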

Insider Threats

Threats from the inside, whether from staff or patients and whether accidental or intentional, are also a serious concern. In the 2017 HIMSS Cybersecurity Survey, 75% of respondents reported insider threats as a significant concern, and that concern has pushed some providers to improve their cybersecurity processes and set up insider-threat protection programs.

Cloud Computing and Online Security

As more and more organizations migrate to the cloud, security threats migrate with them. Healthcare’s use of cloud computing is projected to grow to 20.5% by 2020. Protecting data at rest and in transit requires robust encryption as well as other measures such as second-factor authentication and strong passwords.

Attacks from The Internet

Internet-connected devices are growing in popularity, and their use in healthcare is important and has been shown to improve patient outcomes. OpenAPS, an open-source project, drives a data-driven insulin delivery system, and Internet-enabled activity trackers now feed into cancer treatment, but such devices come with risks such as DDoS attacks that could disrupt treatment. Lack of redundancy and the protection of personal data are also concerns as more hospitals come to depend on Internet-connected systems.

The Healthcare Supply Chain, The Easiest Way In

A negligent supplier can let cybercriminals in the front door. The 2011 TRICARE breach, which exposed the records of 4.9 million military patients, happened that way: unencrypted backup tapes held by a contractor were stolen from an employee’s car. Regulatory frameworks such as the HIPAA Omnibus Rule in the U.S. have been enacted to strengthen protections, extending HIPAA obligations directly to the business associates who handle patient data.

Authentication Issues

Secure authentication is the name of the game for minimizing the problems of human-computer interaction. Passwords must be strong and unique, screened against lists of known-breached passwords, and backed by a second factor. Current NIST guidance (SP 800-63B) recommends changing a password when compromise is suspected rather than on a fixed schedule, since forced rotation pushes users toward weaker, predictable variations.

Legacy apps holding you back

90% of hospitals run legacy applications to preserve patient data. This can open the door to the cybercriminal. The WannaCry attack spread to machines running unpatched older versions of Windows such as XP and 7 by exploiting a flaw in the operating system’s SMBv1 file-sharing service (MS17-010), for which Microsoft had issued a patch two months earlier. Penetration testing, backed by regular vulnerability scanning, should be a first step in finding where you are exposed.

Security is everyone’s problem

In healthcare, security issues extend to all disciplines, to suppliers, and even to patients, and the increased use of IoT devices makes this a concern everywhere. A recent paper for the National Data Guardian, “Your Data: Better Security, Better Choice, Better Care,” recommends improving security across healthcare organizations, citing “people and processes” as much of a problem as technology.

Security is an issue of poor healthcare funding

Poor funding is a massive threat to security. Security and improvements in technology cost money for training and implementation, but they are as vital to everyone’s health as treatment is. Given the chance, cybercriminals will disrupt services to everyone in a society.

Bottom Line

Understandably, budgeting is an issue in the healthcare industry. However, cutting or reducing cyber security spending is not the answer. A cyber security attack is not a matter of “if” but of “when,” and if the organization is not prepared with a secure environment, the costs will be enormous. In this respect cyber security is much like insurance: something you must have.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.

Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.