October 31, 2016
By Ryan Mackie, Principal and ISO Certification Services Practice Director, Schellman
ISO 27001 North American Growth
ISO/IEC 27001:2013 (ISO 27001) certification is becoming more of a conversation in most major businesses in the United States. To provide some depth, there was a 20% increase in ISO 27001 certificates maintained globally (comparing 2014 to 2015, as noted in the most recent ISO survey).
As for North America, certificates maintained grew 78% over the 2014 figure. So there is clear evidence that the compliance effort known as ISO 27001 is making its imprint on organizations in the United States. However, it is just the beginning. Globally, 27,563 ISO 27001 certificates are maintained, of which only 1,247 are maintained in the United States; that is 4.5% of all ISO 27001 certificates.
As the standard makes its way into board room and compliance department discussions, one of the first questions is understanding the scope of the effort. What will be discussed in this short narrative is something that we, as an ANAB and UKAS accredited ISO 27001 certification body, deal with often when current clients or prospects ask about scoping their ISO 27001 information security management system (ISMS), and specifically related to how to handle third party data centers or colocation service providers.
Consider an organization that is a software as a service (SaaS) provider with customers throughout the world. All operations are centrally managed out of one location in the United States, but to meet the needs of global customers, the organization has placed its infrastructure at colocation facilities located in India, Ireland, and Germany. It has a contractual requirement to obtain ISO 27001 certification for its SaaS services and is now starting from the ground up. First things first, it needs to determine what its scope should be.
It is quite clear that, given the scenario above, the scope will include the SaaS offering. As with any ISO 27001 effort, the ISMS will encompass the full SaaS offering (to ensure that the right people, processes, procedures, policies, and controls are in place to meet confidentiality, integrity, and availability requirements as well as regulatory and contractual requirements). When determining the reach of the control set, organizations typically consider those that are straightforward: the technology stack, the operations and people supporting it, its availability and integrity, as well as the supply chain supporting it. This example organization is no different, but it struggles with how it should handle its colocation service providers. Ultimately, there are two options: inclusion and carve-out.
The organization can include the sites in the scope of its ISMS. The key benefit is that the locations themselves would be listed on the final certificate. But an organization cannot include another organization's controls within the scope of its ISMS, since it has no responsibility for the design, maintenance, and improvement of those controls in relation to the risk associated with the services provided.
So including a colocation service provider is no different from including office space rented in a multi-tenant building. The organization is responsible for and maintains the controls once an individual enters its boundaries, but all other controls are the landlord's responsibility. The controls within the organization's rented space at the colocation service provider would be considered relevant to the scope of the ISMS. These controls would be limited, which is understandable given their already very low risk; however, they would still need to be assessed. That means an onsite audit would be required so that the location, should it be included within the scope and ultimately on the final certificate, has been confirmed to have the proper controls in place and has been physically validated by the certification body.
As a result, the inclusion of these locations would allow for them to be on the certificate but would require the time and cost necessary to audit them (albeit the assessment would be limited and focused only on those controls the organization is responsible for within the rented space of the colocation service provider).
The organization can choose to carve out the colocation service provider locations. Compared with the inclusion method, this is far cheaper, since onsite assessments are not required. More reliance would be placed on the controls supporting the Supplier relationships control domain (A.15) in Annex A of ISO 27001; however, these controls are critical under both the inclusion and the carve-out method. The downside of this option is that the locations cannot be listed on the final ISO 27001 certificate (as they were not included within the scope of the ISMS), and it may require additional conversations with customers to explain that, although those locations were not physically assessed as part of the audit, the logical controls of the infrastructure sited within them were within the scope of the assessment and were tested.
Ultimately, it is a clear business decision. Nothing in the ISO 27001 standard requires particular locations to be included within the scope of the ISMS, and the organization is free to scope its ISMS as it sees fit. Additionally, unlike other compliance efforts (such as AICPA SOC examinations), there is no required assertion from the third party regarding its controls, as the ISMS, by design, does not include any controls outside the responsibility of the organization being assessed. However, the organization should keep the final certificate in mind and ask whether it will be fully accepted by the audience receiving it. Does the cost of the onsite audit justify including these locations, or is the justification just not there?
If this scenario is applicable to your situation or scoping, Schellman can have further discussions to talk through the benefits and drawbacks of each option so that there is scoping confidence heading into the certification audit.
October 27, 2016
By Evelyn de Souza, Data Privacy and Security Leader, Cisco Systems and Strategy Advisor, Cloud Security Alliance
Everything we know about defeating the insider threat does not seem to be solving the problem. In fact, evidence from the Deep, Dark and Open Web points to a greatly worsening problem. Today's employees work with a number of applications, and with a series of clicks information can be leaked both maliciously and accidentally.
The Cloud Security Alliance has been keen to uncover the extent of the insider threat problem with its overall mission of providing security assurance within Cloud Computing, and providing education to help secure cloud computing.
As a follow-up to the Top Threats in Cloud Computing report, over recent months we surveyed close to 100 professionals on the extent of the following:
- Employees leaking critical information and tradecraft on illicit sites
- Data types and formats being exfiltrated along with exfiltration mechanisms
- Why so many data threats go undetected
- What happens to the data after it has been exfiltrated
- Tools to disrupt and prevent the data exfiltration cycle
- Possibilities to expunge traces of data once exfiltrated
We asked some difficult questions that surprised our audience and that many were hard pressed to answer. We wanted a clear picture of the extent of knowledge and where the gaps lay. We hear lots of talk about the threats to the cloud and the challenges that organizations adopting it face. And, in the wake of emerging data privacy regulation, we see much discussion about ensuring levels of compliance. However, the results of this survey show there is a gap in dealing with both present and future requirements for data erasure in the cloud. And, despite the fact that accidental insider threats and misuse of data are a common phenomenon, there is a distinct lack of procedure for dealing with such instances across cloud computing.
October 26, 2016
By Avani Desai, Executive Vice President, Schellman & Co.
October 25, 2016
By Susan Richardson, Manager/Content Strategy, Code42
During National Cyber Security Awareness Month, understanding the ins and outs of ransomware seems particularly important—given the scandalous growth of this malware. In this webinar on ransomware hosted by SC Magazine, guest speaker John Kindervag, vice president and principal analyst at Forrester, talks about what ransomers are good at—and offers best practices for hardening defenses. Code42 System Engineer Arek Sokol is also featured as a guest speaker, defining continuous data protection as a no-fail solution that assures recovery without paying the ransom.
The art of extortion
Kindervag says ransomers are good at leveraging known vulnerabilities when organizations are slow to patch. They are also excellent phishermen, posing skillfully as trusted brands to lure their prey; collaborative entrepreneurs who learn and share information; and enthusiastic teachers, eager to impart how to pay in bitcoin for the unschooled.
Like Pearl Harbor, Kindervag says, the day the enterprise gets hit with across-the-board ransomware will live in infamy—unless the organization has planned for the event with effective backup.
Kindervag advises the following to prevent the delivery of ransomware:
- Prioritized patch management to avoid poor security hygiene that puts computer systems at risk.
- Email and web content security that includes effective anti-spam, gray mail categorization, and protection for employees against poisoned attachments.
- Improved endpoint protection with key capabilities that include prevention, detection and remediation, USB device control to reduce the ransomware infection vector, and isolation of vulnerable software through app sandboxing and network segmentation.
- Hardening network security with a zero trust architecture in which any entity (users, devices, applications, packets, etc.) requires verification regardless of its location on or with respect to the corporate network to prevent the lateral movement of malware.
- A focus on clean, effective backups.
The ransomware antidote
Following Kindervag's "hardening defenses" presentation, Sokol reports on the share of businesses hit by ransomware in 2015 (47 percent) and the share of incidents that come in through the endpoint (78 percent). He also dispels the rumor that file sync-and-share tools are equivalent to, rather than something quite different from, endpoint backup.
During the webinar, Sokol demonstrates the extensibility of modern, continuous, cross-platform endpoint backup. He describes the efficacy of endpoint backup in recovering data following ransomware or a breach, its utility in speeding and simplifying data migration and its ability to visualize data movement—thereby identifying insider threats when employees leak or take confidential data. Don’t miss it.
October 11, 2016
By Jacob Ansari, Manager, Schellman
How many arbitrary people do you have to get into a room before two of them share the same birthday? Probability theory has considered this problem for so long that no one is quite certain who first posed the so-called "birthday problem" or "birthday paradox." What we do know is that this occurs with many fewer people than we might have guessed. In fact, there is a 50% chance that two people will share a birthday (month and day) with only 23 people in the room. That probability exceeds 99% with 57 people and 99.9% with 70.
Beyond just awkward situations about who gets the first slice of cake, this idea has applications in cryptography and security. The short version is that things that seem unpredictable or unlikely are often much more likely than we would think. For a security system based on random numbers and unpredictability, this can pose a few dangerous problems. Researchers from the French Institute for Research in Computer Science and Automation (INRIA) recently published work, known as the "Sweet32" attack, that shows significant weaknesses, with practical exploits, in 64-bit block ciphers, particularly 3DES and Blowfish, in their most common uses in HTTPS and VPN connections.
Most modern symmetric ciphers, that is, ciphers where both parties need the same key to encrypt and decrypt messages, are what cryptographers call "block ciphers." They encrypt fixed-size blocks of data rather than bit by bit. The block length and the key length are separate parameters and need not match: DES and 3DES both operate on 64-bit blocks, while DES uses a 56-bit key (stored as 64 bits, with eight bits used for parity) and 3DES chains three DES operations under up to three such keys. So a 3DES cipher divides its message into 64-bit segments and encrypts each one. An exhaustive search of a 56-bit DES key space (a brute-force attack) would need up to 2^56 guesses, and 3DES was introduced precisely to put that out of reach. The problem related to the birthday paradox is different: it depends on the block length, not the key length, and no amount of key length fixes it.
In practice, block ciphers are used in modes of operation that chain the blocks of a message together; the HTTPS and VPN traffic attacked here uses cipher block chaining (CBC). With a block length of b bits, once roughly 2^(b/2) blocks have been encrypted under one key, the birthday paradox says two ciphertext blocks are likely to be identical. For a 64-bit block that is about 2^32 blocks. In CBC mode a repeated ciphertext block C_i = C_j reveals the XOR of the two corresponding plaintext blocks, since P_i XOR P_j = C_(i-1) XOR C_(j-1); an attacker who knows one of the two plaintexts (for example, a predictable part of an HTTP request) learns the other. Note that this recovers plaintext, not the key: the key stays secret and the cipher itself is not broken. Good design therefore limits the data encrypted under one key to well under 2^32 blocks, and cryptographers refer to this limit as the birthday bound.
This attack goes from theoretical to practical in two significant applications: HTTPS using 3DES cipher suites (still negotiable in TLS 1.0 through 1.2 and commonly kept for legacy clients), and OpenVPN, which uses Blowfish (also 64-bit blocks) as its default cipher. With 64-bit blocks the birthday bound of 2^32 blocks is about 32 GB of data under one key, which a reasonably fast connection can transfer in about an hour. Collecting that much traffic and finding a collision is therefore an entirely reasonable prospect. Further, modern uses of HTTPS and VPN connections often keep a session, and thus the same key, alive for long periods; the researchers showed that a malicious web page can drive a victim's browser to send enough requests over one such connection to recover a secret repeated in each of them, such as an authentication cookie.
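To make the numbers in the last few paragraphs concrete, here is an added Python example; it is not code from the INRIA paper or from this post. It computes the birthday probabilities quoted above and the birthday bound in bytes for 64-bit and 128-bit blocks, and then reproduces the CBC collision leak on a toy cipher: a 16-bit random permutation stands in for 3DES so that the collision appears after a few hundred blocks instead of 2^32, and the "key", plaintext and IV are all generated locally from a seed (constructed for the demo, not captured traffic). Only the block size changes for a real 64-bit cipher; the leak formula is identical.

```python
import random


def birthday_probability(n, space=365):
    """Exact probability that at least two of n uniform draws from `space` values coincide."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def birthday_bound_bytes(block_bits):
    """Bytes encrypted under one key by the time 2^(b/2) blocks have gone through a b-bit block
    cipher, i.e. the point where a repeated ciphertext block becomes likely."""
    blocks = 1 << (block_bits // 2)
    return blocks * (block_bits // 8)


class ToyBlockCipher:
    """Stand-in for an ideal block cipher: a secret random permutation of all b-bit blocks.
    The shuffle seed plays the role of the key. A small b makes the collision show up after a
    few hundred blocks instead of the 2^32 needed against a real 64-bit cipher."""

    def __init__(self, block_bits, key_seed):
        table = list(range(1 << block_bits))
        random.Random(key_seed).shuffle(table)
        self._enc = table

    def encrypt_block(self, block):
        return self._enc[block]


def cbc_encrypt(cipher, iv, plaintext_blocks):
    """Textbook CBC: C_i = E(P_i XOR C_{i-1}) with C_0 = IV."""
    out, prev = [], iv
    for p in plaintext_blocks:
        prev = cipher.encrypt_block(p ^ prev)
        out.append(prev)
    return out


def first_cbc_collision(iv, ciphertext_blocks):
    """Attacker's side: find the first i < j with C_i == C_j. Because the cipher is a permutation,
    P_i XOR C_{i-1} == P_j XOR C_{j-1}, so P_i XOR P_j == C_{i-1} XOR C_{j-1}, computable from
    ciphertext alone. Returns (i, j, leaked_xor) or None if no block repeats."""
    prev_of = [iv] + ciphertext_blocks[:-1]
    seen = {}
    for j, c in enumerate(ciphertext_blocks):
        if c in seen:
            i = seen[c]
            return i, j, prev_of[i] ^ prev_of[j]
        seen[c] = j
    return None


def sweet32_demo(block_bits=16, n_blocks=2000, seed=7):
    """Encrypt n random plaintext blocks under one key and check that the XOR recovered from the
    first collision matches the true plaintext XOR. All inputs are generated from `seed`."""
    rng = random.Random(seed)
    cipher = ToyBlockCipher(block_bits, key_seed=seed + 1)
    plaintext = [rng.getrandbits(block_bits) for _ in range(n_blocks)]
    iv = rng.getrandbits(block_bits)
    hit = first_cbc_collision(iv, cbc_encrypt(cipher, iv, plaintext))
    if hit is None:
        return {"found": False, "blocks": n_blocks}
    i, j, leaked = hit
    return {"found": True, "i": i, "j": j, "leaked_xor": leaked,
            "true_xor": plaintext[i] ^ plaintext[j]}


if __name__ == "__main__":
    print(f"P(shared birthday, 23 people) = {birthday_probability(23):.4f}")
    print(f"P(shared birthday, 57 people) = {birthday_probability(57):.4f}")
    print(f"64-bit block birthday bound  = {birthday_bound_bytes(64) / 2**30:.0f} GiB")
    print(f"128-bit block birthday bound = 2^{birthday_bound_bytes(128).bit_length() - 1} bytes")
    print(sweet32_demo())
```

Running it, the collision finder returns the positions i and j of the first repeated ciphertext block together with C_(i-1) XOR C_(j-1), which equals P_i XOR P_j exactly, with the key never touched. birthday_bound_bytes(64) is 2^35 bytes, the 32 GB figure above, while birthday_bound_bytes(128) for AES is 2^68 bytes, far beyond anything a single session will ever carry, which is why moving to a 128-bit block cipher is the fix rather than a longer key.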
Ultimately, the solution for this kind of attack is to replace the use of 64-bit block ciphers with 128-bit block ciphers like AES. In many cases, the capability to do this already exists and organizations facing this threat can do so with reasonable expedience. In some cases, particularly when supporting legacy connections such as TLS 1.0 and the corresponding support for 3DES ciphers, this becomes more complicated. While many organizations have made advances in moving to more secure block ciphers, others have compatibility and legacy support issues. These kinds of advances in attacks make those transitions all the more urgent.
Organizations currently in transition should strongly consider accelerating those efforts and eliminating the use of ciphers like 3DES and Blowfish entirely.
October 11, 2016
Denis Naughten will address (ISC)2 Security Congress EMEA delegates on the latest developments in Ireland’s National Cyber Security Strategy since its launch in 2015, including the requirement to transpose the European Union Security of Network and Information Systems Directive (2016/1148) into national law by May 2018. The digital economy is growing at 20 percent per year, and securing this sector is vital for the country’s long-term growth and nurturing its cloud computing and big data industries.
Organized in partnership with MIS Training Institute, the Congress will feature three intensive days of deep-dive workshops, interactive think-tanks, panel debates and over 40 speakers discussing current events from the use of robots in security to the need for a new ‘creative commons for privacy’.
Denis Naughten T.D., Minister for Communications, Climate Action and Environment said: “At a time when we are building capacity on cyber security to help industries bolster their cyber defences, I am pleased to support the (ISC)2 community in bringing together professionals across every tier of industry, here and across EMEA, to align international efforts against the cyber threats we face. Online threats are not confined to one industry or country, so we can no longer work in isolation but must share knowledge and expertise across sectors.”
Other confirmed keynote speakers include:
- Ade McCormack, Digital Strategist, and Financial Times columnist
- Barrie Millet, Head of HSSE & Resilience, E.ON U.K.
- Eoin O’Dell, Associate Professor, School of Law, Trinity College Dublin
- Nick Hawes, Reader in Autonomous Intelligent Robotics, School of Computer Science, University of Birmingham (U.K.)
- Mark Carolan, Head of Research and Development, Espion
Adrian Davis, Managing Director EMEA, (ISC)2, said: “Bringing together the largest network of working professionals in EMEA, this Security Congress will enable attendees to draw on a pool of front-line experiences and cybersecurity best practice from every sphere of society. It is also a great opportunity for professional development, with a range of speakers who are leaders in their fields sharing some of their world-leading expertise with the audience. Our vision is to create a safe and secure society and that can only be achieved by professionals from every walk of life, working together.”
The Cloud Security Alliance will be exhibiting at this year’s congress, and you can join us by booking here and quoting CSA2016.
October 6, 2016
By Ajmal Kohgadai, Product Marketing Manager, Skyhigh Networks
The Health Insurance Portability and Accountability Act (HIPAA) helps protect patient privacy by requiring healthcare organizations and their business associates to protect sensitive data — including how the data is used and disclosed. As the healthcare industry is increasingly being targeted by cyber attackers, HIPAA gives healthcare organizations minimum benchmarks for assessing and implementing their cyber defenses.
Patient health data is highly sought after by cyber criminals because they can exploit it in many different ways and for much longer periods of time than information such as credit card numbers. On dark web black markets, stolen medical data can sell for 10 to 20 times more than credit card data. One report found that stolen Medicare numbers sold for nearly $500 each.
Because medical records are rich with information, they can be used for committing identity theft, medical identity theft, and tax fraud; obtaining loans or credit cards; sending fake bills to insurance companies; obtaining and then reselling expensive medical equipment; and the list goes on. And unlike a credit card number, which can easily be cancelled once compromised, the contents of a medical record cannot be changed and remain useful for much longer. Stolen medical records of terminally ill patients are especially valuable because that information can be used to receive other services on behalf of the patient long after the patient has passed away.
HIPAA's Breach Notification Rule requires covered entities to report to HHS any breach affecting 500 or more individuals, and HHS publishes those reports. According to the HHS web portal, there have been 205 such breaches so far this year. Many breaches of electronic protected health information (ePHI) that resulted in HIPAA fines were the result of carelessness or a lack of data protection and could have been avoided.
Numerous HIPAA fines have stemmed from the lack of risk assessments or properly implemented risk management plans. A risk assessment is a foundational step that healthcare organizations must take in order to evaluate all the vulnerabilities, threats, and gaps in defenses in order to mitigate security risks.
The Worst HIPAA Violations — and What You Can Learn from Them
Advocate Health Care Network, $5.5 million
This is the largest HIPAA settlement as of September 2016 and was the result of three separate data breaches that affected a total of 4 million individuals. One of the incidents involved an unencrypted laptop that was stolen from an employee vehicle and another incident involved the theft of four computers.
The Department of Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA, noted that Advocate Health Care failed to conduct an accurate and thorough risk analysis of all of its facilities, information systems, applications, and equipment that handle ePHI. The resulting risk management plan needs to cover not only technical but also physical and administrative safeguards.
New York and Presbyterian Hospital (NYP) and Columbia University, $4.8 million
In a joint case, the two organizations were fined after 6,800 patient records were accidentally exposed publicly to search engines. The breach was caused by an improperly configured computer server that was personally owned by a physician. The server was connected to the network that contained ePHI.
NYP lacked processes for assessing and monitoring all its systems, equipment, and applications connected with patient data. It also didn’t have appropriate policies and procedures for authorizing access to patient databases. Both of these violations would have been easy to prevent through administrative processes.
WellPoint, Inc., $1.7 million
The managed care company exposed the records of more than 600,000 individuals over the internet after upgrading an internet-based database containing ePHI. WellPoint didn’t know about the breach until a lawsuit notified the company that the data was available through a web portal.
This kind of incident could be avoided by:
- Performing a technical evaluation of changes resulting from software upgrades ahead of deployment
- Implementing technology, policies, and procedures for authenticating users that are accessing ePHI as well as limiting the categories of users who can access the data.
Anchorage Community Mental Health Services (ACMHS), $150,000
A malware infection compromised the records of more than 2,700 individuals. ACMHS did not review its systems for unpatched and unsupported software and did not regularly update its IT resources.
This case underscores the importance of having policies and procedures in place for running regular updates and patches. It’s a simple yet often ignored practice that could have major implications.
St. Elizabeth’s Medical Center, $218,400
This settlement stemmed from two incidents, one of which was in connection with staff use of a cloud-based file-sharing application. Specifically, the medical center did not evaluate the risks of using this cloud service, putting ePHI of nearly 500 people at risk.
As more healthcare organizations are embracing the cloud as a scalable, cost-effective and flexible solution for storing and sharing patient data, it’s critical to conduct a risk assessment prior to migrating to a cloud environment. This evaluation should also include a comprehensive analysis of the security capabilities of prospective vendors.
University of Mississippi Medical Center (UMMC), $2.75 million
UMMC reported a breach after a password-protected laptop loaned to a visitor went missing. Subsequently, OCR’s investigation found that users could access a network drive containing ePHI via a wireless network with a generic user name and password. The accessible network drive contained ePHI of 10,000 patients dating as far back as five years.
According to Verizon’s 2016 Data Breach Investigations Report, more than 60 percent of data breaches in 2015 involved weak, stolen, or default passwords. Passwords are a major problem that can have serious consequences for organizations, yet it’s a problem that’s easy to mitigate by implementing strong password-management policies as well as techniques like multi-factor authentication.
Triple-S Management Corp., $3.5 million
This case was the result of multiple, extensive violations involving several subsidiaries. One notable violation involved two former employees whose access rights to a restricted database were not terminated when they left the company. The two, by then employed by a competitor, went on to access over the internet the Independent Practice Association (IPA) database containing members' diagnostic and treatment codes.
Just like poor password-management policies, user-privilege policies are a major problem for organizations. Too often, user access is not terminated when employees leave the company or move to another position within same company that changes their status. Many unauthorized access incidents can be avoided with tools and procedures that manage user access.
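The access-termination failure in the Triple-S case is the kind of gap a simple, repeatable reconciliation catches before an investigator does. The following Python is an added example, not code from this article or from any vendor: it takes an HR roster and a directory account export (both constructed sample data for the demo) and flags enabled accounts belonging to terminated staff, logins dated after the termination date, accounts with no HR owner, and accounts idle beyond a threshold, then calls out which of those exceptions also hold a group granting ePHI access. The field names and group names are assumptions for the demo, not any real HR or directory schema.

```python
from datetime import date

# Constructed sample data for the demo (not from the article). Field and group names are
# assumptions, not a real HR or directory schema.
HR_ROSTER = [
    {"employee_id": "E100", "name": "A. Rivera", "status": "active", "term_date": None},
    {"employee_id": "E101", "name": "B. Chen", "status": "terminated", "term_date": "2016-07-15"},
    {"employee_id": "E102", "name": "C. Okafor", "status": "active", "term_date": None},
]
ACCOUNTS = [
    {"username": "arivera", "employee_id": "E100", "enabled": True,
     "groups": ["ipa-db-readers"], "last_login": "2016-09-28"},
    {"username": "bchen", "employee_id": "E101", "enabled": True,
     "groups": ["ipa-db-readers", "claims-admin"], "last_login": "2016-09-20"},
    {"username": "cokafor", "employee_id": "E102", "enabled": True,
     "groups": ["radiology-pacs"], "last_login": "2016-04-02"},
    {"username": "svc-legacy", "employee_id": None, "enabled": True,
     "groups": ["ipa-db-readers"], "last_login": "2015-11-30"},
]
EPHI_GROUPS = {"ipa-db-readers", "claims-admin", "radiology-pacs"}  # groups that grant ePHI access
AS_OF = date(2016, 10, 6)  # review date used by run_review()


def _parse(iso_day):
    return date.fromisoformat(iso_day) if iso_day else None


def review_access(roster, accounts, as_of, stale_days=90, ephi_groups=EPHI_GROUPS):
    """Reconcile directory accounts against the HR roster and return the exceptions a
    leaver/mover review should escalate. Lists keep the order accounts were supplied in."""
    by_id = {p["employee_id"]: p for p in roster}
    findings = {
        "terminated_but_enabled": [],   # HR says gone, directory says active
        "login_after_termination": [],  # evidence the gap was actually used
        "orphaned": [],                 # no HR owner at all (service/shared accounts, leftovers)
        "stale": [],                    # enabled but unused for more than stale_days
        "ephi_exposure": [],            # any flagged account that also holds an ePHI group
    }
    for acct in accounts:
        user = acct["username"]
        person = by_id.get(acct["employee_id"])
        last_login = _parse(acct.get("last_login"))
        flagged = False
        if person is None:
            findings["orphaned"].append(user)
            flagged = True
        elif person["status"] == "terminated" and acct["enabled"]:
            findings["terminated_but_enabled"].append(user)
            flagged = True
            term = _parse(person.get("term_date"))
            if term and last_login and last_login > term:
                findings["login_after_termination"].append(user)
        if acct["enabled"] and (last_login is None or (as_of - last_login).days > stale_days):
            findings["stale"].append(user)
            flagged = True
        if flagged and ephi_groups.intersection(acct["groups"]):
            findings["ephi_exposure"].append(user)
    return findings


def run_review():
    """Run the reconciliation over the constructed sample data as of AS_OF."""
    return review_access(HR_ROSTER, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for category, users in run_review().items():
        print(f"{category:24s} {', '.join(users) or '-'}")
```

On the sample data the review flags bchen (terminated in July, still enabled, and logged in again in September, which is exactly the Triple-S pattern), svc-legacy (no owner in HR and idle for almost a year) and cokafor (idle beyond the 90-day threshold); all three hold an ePHI group, so they go to the top of the list. The point is less the script than the cadence: run it against fresh exports on every HR change and on a schedule, and treat every non-empty list as a ticket with an owner.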
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI), $1.5 million
OCR found multiple violations after investigating the theft of a personal unencrypted laptop containing patients’ prescriptions and clinical data. The violations included longtime failures to conduct a risk analysis and implement security measures for portable devices.
“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” OCR Director Leon Rodriguez said in the announcement.
Many of the HIPAA settlements to date have involved stolen or lost devices such as laptops, as well as removable media like USB drives. What makes this case stand out from many others involving stolen or lost laptops is the fact that this was a personal device.
As healthcare organizations become more open to the bring your own device (BYOD) policies, it’s important to have practices and procedures in place for devices that are not managed by the IT department. Best practices could include credentialing or “registration” of personal devices and controls for giving IT staff advance permission to remotely wipe or lock a stolen device.
October 4, 2016
By Susan Richardson, Manager/Content Strategy, Code42
Ah, those ingenious cyber criminals. They keep coming up with ever more frightening ransomware threats. JIGSAW warns victims it will delete files every hour until they pay $150 USD in bitcoins. Chimera threatens to publish the victim’s files online for all to see. Cerber ups the ante by enlisting a creepy robotic voice to tell victims their files have been encrypted. And now the latest ransomware hopes to intimidate victims by showing their location on Google Maps. In other words, “We know where you are.”
But wait, there’s more
Dubbed CryLocker, the new ransomware is getting publicity for another unusual trait as well. Instead of sending the information it collects about the victim to remote command and control (C&C) servers, it encodes that data (details about the infected host, not the encrypted files themselves) into a bogus PNG image file and uploads it to a free online image hosting site, either Imgur or Pastee. Security researcher MalwareHunterTeam, which detected the new strain in August, said it found PNG images for more than 10,000 victims inside CryLocker's Imgur album.
Although the official name of the ransomware is CryLocker, it’s also referred to as the Central Security Treatment Organization ransomware based on the bogus organization name displayed on its payment site—or Cry ransomware because it appends the .cry extension to encrypted files.
Never pay the ransom
The good news is that if CryLocker victims have modern endpoint data protection, ransomware recovery is no big deal. Because endpoint security solutions such as Code42 CrashPlan can restore files from a backup time just before the attack, users never have to pay up—no matter how creative or intimidating ransomware threats get.