Category Archives: Computer Security

Neutrality Matters


Image:  CNN.com

“WIRED”

“In a time when there are too few companies with too much power – we need net neutrality now more than ever.

Getting rid of Title II would lead to even more centralization, handing more power to the largest Internet companies while stifling competition and innovation.

Next month, Amazon, Netflix, and dozens of other companies and organizations will host a “day of action” aimed at saving net neutrality as we know it. The Federal Communications Commission, meanwhile, is on the verge of revoking its own authority to enforce net neutrality rules, and the country’s biggest telecommunications companies are cheering along. The future of the internet is on the line here, but it’s easy to be cynical about the conflict: What does it matter which set of giant corporations controls the internet?

Under the current net neutrality rules, broadband providers like Comcast and Charter, and wireless providers like AT&T and Verizon, can’t block or slow down your access to lawful content, nor can they create so-called “fast lanes” for content providers who are willing to pay extra. In other words, your internet provider can’t slow your Amazon Prime Video stream to a crawl so you’ll keep your Comcast cable plan, and your mobile carrier can’t stop you from using Microsoft’s Skype instead of your own Verizon cell phone minutes.

If the Trump administration gets its way and abolishes net neutrality, those broadband providers could privilege some content providers over others (for a price, of course). The broadband industry says it supports net neutrality in theory but opposes the FCC’s reclassification of internet providers as utility-like “Title II” providers, and that consumers have nothing to worry about. But it’s hard not to worry given that without Title II classification, the FCC wouldn’t actually be able to enforce its net neutrality rules. It might be less alarming if the internet were a level playing field with free and fair competition. But it’s not. At all.

If you want to search for anything online, you’ve got to go through Google or maybe Microsoft’s Bing. The updates your Facebook friends share are filtered through the company’s algorithms. The mobile apps you can find in your phone’s app store are selected by either Apple or Google. If you’re like most online shoppers, you’re mostly buying products sold by Amazon and its partners. Even with the current net neutrality laws there’s not enough competition—without them, there will be even less, which could stifle the growth and innovation that fuels the digital economy.

Fast lanes or other types of network discrimination could have a big impact on the countless independent websites and apps that already exist, many of which would have to cough up extra money to compete with the bigger competitors to reach audiences. Consider the examples of Netflix, Skype, and YouTube, all of which came of age during the mid-2000s when the FCC’s first net neutrality rules were in place. Had broadband providers been able to block videos streaming and internet-based phone calls in the early days, these companies may have seen their growth blocked by larger companies with deeper pockets. Instead, net neutrality rules allowed them to find their audiences and become the giants they are today, and without net neutrality, they could even potentially become the very start-up-killers that would’ve slowed or stopped their own earlier growth. Getting rid of net neutrality all but ensures that the next generation of internet companies won’t be able to compete with the internet giants.

The end of net neutrality could also have ranging implications for consumers. Amazon, Netflix, YouTube, and a handful of other services may dominate the online video market, but without net neutrality, broadband providers might try to make it more expensive to access popular streaming sites in an attempt to keep customers paying for expensive television packages. “[Net neutrality] protects consumers from having the cost of internet go up because they have to pay for fast lane tolls,” says Chris Lewis, vice president of the advocacy group Public Knowledge.

Lewis also points out that there are a few other consumer friendly protections in the FCC’s net neutrality rules. For example, the FCC rules require internet service providers to disclose information about the speed of their services, helping you find out whether you’re getting your money’s worth. They also force broadband providers to allow you to connect any device you like to your internet connection, so that your provider can’t force you to use a specific type of WiFi router, or tell you which Internet of Things gadgets you can or can’t use.

“The Internet is as awesome and diverse as it is thanks to the basic guiding principle of net neutrality,” says Evan Greer, campaign director for Fight for the Future, one of the main organizers of the net neutrality day of action, which will take place on July 12 and try to raise awareness about net neutrality across the web.”

https://www.wired.com/story/why-net-neutrality-matters-even-in-the-age-of-oligopoly/

WannaCry: Top 5 lessons learned

Image:  “Fifth Domain Cyber”

“FIFTH DOMAIN CYBER”

“Ransomware infections are growing. There is an estimated 36 percent increase in ransomware strains per year.

Perhaps the lesson we should all learn is that global collaboration, communication and coordination is necessary to get ahead of malware infestations.

The WannaCry ransomware brought with it some unexpected consequences. It spread to an estimated 150-plus countries and impacted more than 300,000 computers. It had a substantial impact.

Recent estimates place the overall range of financial implications from $4 billion to $8 billion. Most of the impact is due to loss of productivity as well as costs associated with recovery, malware removal and re-imaging hard drives.

There were a number of lessons learned from this particular ransomware event. Here are the top five:

1. This event has many national cyber defense leaders calling for closer collaboration among countries.

2. Rogue nation-states may resort to malware attacks to create disruption of computing capabilities that is nothing more than an annoyance.

3. Reuse of previously used malicious code is common, and that alone does not provide insight into who is behind the attack.

4. The continued use of unsupported software poses substantial risks and must be addressed in all essential/critical systems.

5. The Un factor (unknown devices and unknown patches) are sitting there waiting to be compromised and used by attackers.

Some might say we learned that paying ransom demands does not mean a system will get unlocked. That is certainly true, but has been known for several years. Maintaining an accurate technology/devices/computer asset inventory is essential to maintaining timely backups and systems’ security.

In looking at all of this, one must realize that we have known all of this for years and yet we still suffer from these attacks! One has to wonder what it will take to correct these well-known shortcomings!”

http://fifthdomain.com/2017/06/06/wannacry-top-5-lessons-learned-commentary/

VA Will Shift Medical Records To DOD’s “In-Process” Electronic Medical Records System

Image:  Military Times

Total Investment To Date Now Projected at Nearly $10 Billion

“MILITARY TIMES”

VA has already spent more than $1 billion in recent years in attempts to make its legacy health record systems work better with military systems.

The military’s health record system is still being put in place across that department, more than three years after the acquisition process began. The initial contract topped $4.6 billion, but has risen in cost in recent years.

Shulkin did not announce a potential price tag for the move to a commercial electronic health records system, but said that a price tag of less than $4 billion would likely be “unrealistic.”

“Veterans Affairs administrators on Monday announced plans to shift veterans’ electronic medical records to the same system used by the Defense Department, potentially ending a decades-old problematic rift in sharing information between the two bureaucracies.

VA Secretary David Shulkin announced the decision Monday as a game-changing move, one that will pull his department into the commercial medical record sector and — he hopes — create an easier to navigate system for troops leaving the ranks.

“VA and DoD have worked together for many years to advance (electronic health records) interoperability between their many separate applications, at the cost of several hundred millions of dollars, in an attempt to create a consistent and accurate view of individual medical record information,” Shulkin said.

“While we have established interoperability between VA and DOD for key aspects of the health record … the bottom line is we still don’t have the ability to trade information seamlessly for our veteran patients. Without (improvements), VA and DoD will continue to face significant challenges if the departments remain on two different systems.”

White House officials — including President Donald Trump himself — hailed the announcement as a major step forward in making government services easier for troops and veterans.

Developing implementation plans and potential costs is expected to take three to six months.

But he did say VA leaders will skip standard contract competition processes to more quickly move ahead with Millennium software owned by Missouri-based Cerner Corp., the basis of the Pentagon’s MHS GENESIS records system.

“For the reasons of the health and protection of our veterans, I have decided that we can’t wait years, as DOD did in its EHR acquisition process, to get our next generation EHR in place,” Shulkin said.

Shulkin for months has promised to “get VA out of the software business,” indicating that the department would shift to a customized commercial-sector option for updating the health records.

The VA announcement came within minutes of Trump’s controversial proposal to privatize the nation’s air traffic control system. The president has repeatedly pledged to make government systems work more like a business, and in some cases hand over public responsibilities to the private sector.

Shulkin has worked to assure veterans groups that his efforts to rely on the private sector for expertise and some services will not mean a broader dismantling of VA, but instead will produce a more efficient and responsive agency.

He promised a system that will not only be interoperable with DOD records but also easily transferable to private-sector hospitals and physicians, as VA officials work to expand outside partnerships.

Shulkin is expected to testify before Congress on the fiscal 2018 budget request in coming weeks. As they have in past hearings, lawmakers are expected to request more information on the EHR changes then.”

http://www.militarytimes.com/articles/va-share-dod-electronic-medical-records-decision

WannaCry Worm Highlights Federal & Industry Failures

Image:  Department of Defense

“BREAKING DEFENSE”

“The WannaCry worm proves that our collective response to cyber threat continues to churn ineffectively in the same futile rut while threats multiply and grow increasingly serious by the day.

A new approach is needed to enable innovation in the way security is encouraged and delivered with both carrot and stick.

The worm’s success is yet another clear signal that today’s security model isn’t working. Institutional failure to address security risks has had, and will continue to have, the same pervasive impacts in government, industry, and at home with no respite in sight, no one in charge, and no one accountable for fixing the mess.

The ubiquity of such attacks challenges our internal/international legal framework. (The military and Intelligence Community should not be operating within the United States.) And it crosses our traditional fault lines (ensconced in US law) between corporate, military, legal, and law enforcement organizations. Senior leaders in each of these government fiefdoms tell me that the pan-government table top exercises held to understand and clear the fog around the “who’s in charge” questions assume away all the relevant risk. This is done in order to arrive at prearranged conclusions that won’t rock the boat between all the various stakeholders. The cyber problem is so much greater than a traditional geographical battlespace because it requires a complete strategic rethink of warfare as these kinetic, civil, intelligence, and international equities collide.

Microsoft has declared WannaCry “is a wakeup call.” Add the concomitant coverage in the press, and people being put at risk in hospitals and it makes you think that this incident marks a new chapter in cyber risk. Add in the second Wikileaks dump of the Vault 7 attack files and we have a perfect media storm of NSA toolkits, CIA attack techniques, likely North Korean mischief, chronic government underspending here and abroad, and the resulting health care service outages and outrage to feed the news cycle. The political, fiscal, and productivity impacts of the WannaCry worm highlight that the cyber risks currently accepted by corporate and government risk officials are not tenable.

This malware is particularly lively in large organizations whose legacy systems and limited security budgets provide clear skies for exploit and it could have been worse if not for an enterprising 22 year-old who helped save the world by finding and sharing its Kill Switch. Unfortunately, nastier and more effective worms and viruses and other tools are likely on their way and will wreak greater havoc. So let’s step back and ask what makes this crisis different?

The answer, sadly, is — NOTHING.

A quick review:

  • Ransomware (whereby software encrypts your computer and demands you pay a ransom for a decryption key) has been on the rise for several years. Everyone from Grandma to your insurance company has been hit and they have often (quietly) paid up to get back the family album or their health records.
  • Sure, WannaCry is linked to the purloined NSA toolkit. It is a variant of the WeCry exploit from February of this year and a patch has been available from Microsoft since mid-March.
  • Organizations with older equipment or legacy software often have a, “don’t fix what ain’t broke” culture of accepting risk because implementing a patch can be expensive and disruptive (trying to figure out why your 15 year-old patient scheduling system stopped working, for instance) and the potential real world impact outweighs the perceived risk.
  • The (allegedly) North Korea-linked team (the people behind the Sony hack, South Korean Banking attack, etc…) seeks to foment misery again.
  • The cure of installing up-to-date systems is perceived to be more expensive than compliance until the bill comes due — just ask the UK government as it reels under the revelations that the government funded NHS deemed that using post end-of-life (and hence unfixable) Windows XP machines.

The next question is: what are we doing about it? The answer for most large organizations is largely tactical – patch, update, scan, repeat. The strategic gaps induced by relying on individual organizations providing security for key services cannot be addressed by existing methods.

The institutional security risks highlighted again by WannaCry were mirrored in previous “wake up calls” such as the OPM hacks, Wikileaks — heck, just take your pick of Anthem/Blue Cross, the French election, etc… And these risks will only increase as vulnerable infrastructure increasingly underpins our daily lives. Our military is racing to understand and dominate the military aspects of the cyberspace domain. However, the seemingly endless policy churn around Cyber Command, Strategic Command, NSA, DHS etc. means that lines of authority, funding and staffing clouds the likelihood of anyone actually taking charge and solving the problem.

We must get behind a strategic embrace of computer security or the Internet will keep breaking. It will take international public/private partnerships that we haven’t seen since the Marshall Plan.”

http://breakingdefense.com/2017/05/wannacry-worm-highlights-federal-industry-failures/

Defense Industry Execs Among Top-Paid Female CEOs

IBM CEO Virginia Rometty (Getty Images Bloomberg)

“General Dynamics and Lockheed Martin are among the top-paid female CEOs, according to a report by The Associated Press.

The study notes that the highest paid female CEO was Virginia Rometty at International Business Machines Corp. With an increase in pay of 63 percent, she was paid $32.3 million last year.

General Dynamics CEO Phebe Novakovic is fifth on the list. According to the study conducted by executive data firm Equilar and AP, she was paid $21.2 million last year — a 4 percent increase from 2015.

Companies that had filed proxy statements with federal regulators between Jan. 1 and April 30, 2016, were taken from the Standard & Poor’s 500 index for the study. Equilar and AP excluded any CEOs that were hired within the last two years, to exclude any sign-on bonuses, and added together their earnings including salary, bonuses, perks, stock option awards and any other compensation.”

http://www.defensenews.com/articles/defense-industry-execs-among-top-paid-female-ceos

Fundamental Vulnerabilities in U.S. Computer Infrastructure

“NEW YORK TIMES” By 

“Last week’s cyberattacks have laid bare some fundamental vulnerabilities in our computer infrastructure and serve as a harbinger.

There’s a lot of good research into robust solutions, but the economic incentives are all misaligned. We need government to step in to create the market forces that will get us out of this mess.

None of this is welcome news to a government that prides itself on minimal intervention and maximal market forces, but national security is often an exception to this rule.

As devastating as the latest widespread ransomware attacks have been, it’s a problem with a solution. If your copy of Windows is relatively current and you’ve kept it updated, your laptop is immune. It’s only older unpatched systems on your computer that are vulnerable.

Patching is how the computer industry maintains security in the face of rampant internet insecurity. Microsoft, Apple and Google have teams of engineers who quickly write, test and distribute these patches, updates to the codes that fix vulnerabilities in software. Most people have set up their computers and phones to automatically apply these patches, and the whole thing works seamlessly. It isn’t a perfect system, but it’s the best we have.

But it is a system that’s going to fail in the “internet of things”: everyday devices like smart speakers, household appliances, toys, lighting systems, even cars, that are connected to the web. Many of the embedded networked systems in these devices that will pervade our lives don’t have engineering teams on hand to write patches and may well last far longer than the companies that are supposed to keep the software safe from criminals. Some of them don’t even have the ability to be patched.

Fast forward five to 10 years, and the world is going to be filled with literally tens of billions of devices that hackers can attack. We’re going to see ransomware against our cars. Our digital video recorders and web cameras will be taken over by botnets. The data that these devices collect about us will be stolen and used to commit fraud. And we’re not going to be able to secure these devices.

Like every other instance of product safety, this problem will never be solved without considerable government involvement.

For years, I have been calling for more regulation to improve security in the face of this market failure. In the short term, the government can mandate that these devices have more secure default configurations and the ability to be patched. It can issue best-practice regulations for critical software and make software manufacturers liable for vulnerabilities. It’ll be expensive, but it will go a long way toward improved security.

But it won’t be enough to focus only on the devices, because these things are going to be around and on the internet much longer than the two to three years we use our phones and computers before we upgrade them. I expect to keep my car for 15 years, and my refrigerator for at least 20 years. Cities will expect the networks they’re putting in place to last at least that long. I don’t want to replace my digital thermostat ever again. Nor, if I ever need one, do I want a surgeon to ever have to go back in to replace my computerized heart defibrillator in order to fix a software bug.

No amount of regulation can force companies to maintain old products, and it certainly can’t prevent companies from going out of business. The future will contain billions of orphaned devices connected to the web that simply have no engineers able to patch them.

Imagine this: The company that made your internet-enabled door lock is long out of business. You have no way to secure yourself against the ransomware attack on that lock. Your only option, other than paying, and paying again when it’s reinfected, is to throw it away and buy a new one.

Ultimately, we will also need the network to block these attacks before they get to the devices, but there again the market will not fix the problem on its own. We need additional government intervention to mandate these sorts of solutions.”

Bruce Schneier, a fellow and lecturer at the Harvard Kennedy School, is the chief technology officer of the cybersecurity company Resilient. He blogs at Schneier on Security and is the author, most recently, of “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.”

General Services Administration Readies $300 to $5,000 “Bug Bounty” Program

Photo Credit: Nguyen Hung Vu via Flickr

“FIFTH DOMAIN CYBER”

“The GSA’s bug bounty platform would represent the first use of an ethical hacking program by a civilian agency in the federal government.

Bug bounty programs have been gaining steam in the federal government after the Department of Defense’s successful “Hack the Pentagon” and “Hack the Army” exercises in 2016.

The General Services Administration’s innovation arm, 18F, said the agency was edging closer to standing up its own bug bounty program after tapping a new provider for its reporting platform.

18F officials said in a May 11 blog post that GSA’s Technology Transformation Service had tapped HackerOne to provide its Software-as-a-Service bug-reporting platform.

The San Francisco-based company offers vulnerability coordination and platform services to reward ethical hackers to locate and report network security vulnerabilities.

GSA issued a solicitation for a bug bounty platform in January, calling for a SaaS to “allow TTS to manage and track issues across multiple public web applications, triage services for those reported vulnerabilities, disburse rewards for effective vulnerabilities and explain the reasons behind rejections,” and provide vulnerability, impact and monthly report services.

18F officials said that HackerOne would help set up bounties on “several TTS public-facing web applications” through its platform and will assess validity of the bug submissions.

The SaaS provider will then forward the reports to active TTS components to correct the issues, and the bug hunters will receive payouts running between $300 and $5,000.

Once the platform is in place, officials said, TTS would look to extend it to most of its component websites and applications.”

http://fifthdomain.com/2017/05/12/gsa-readies-the-first-civilian-bug-bounty-program-with-new-platform/

Navigating Defense Department Cyber Rules

“NATIONAL DEFENSE MAGAZINE”

“Defense contractors by Dec. 31 are expected to provide “adequate security” to protect “covered defense information” using cyber safeguards.

Thousands of companies who sell directly to the Defense Department, and thousands more who sell to its suppliers, are or will be, subject to the rule.

This obligation arises from a Defense Acquisition Regulation System Supplement clause, “Network Penetration Reporting and Contracting For Cloud Services,” that was finalized last October and described in the National Institute of Standards and Technology (NIST) Special Publication 800-171.

The Pentagon is well-justified to seek improved cyber protection of sensitive but unclassified technical information. Hackers have exploited network vulnerabilities in the defense supply chain for the unauthorized exfiltration of valuable and sensitive defense information. Senior defense officials have expressed alarm at this persistent and pervasive economic espionage. 

Since 2013, the Defense Department has used acquisition regulations to protect controlled technical information significant to military or space. Other forms of information may not have direct military or space significance, but loss of confidentiality through a cyber breach can produce serious, even grave national injury. 

The Defense Department is the leader among federal agencies in using its contractual power to cause its vendors to improve their cybersecurity. The principal instruments are two contract clauses, DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” and DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Both were the subject of final rulemaking released Oct. 21.

Where the -7008 “compliance” clause is included in a solicitation, the offeror commits to implement the SP 800-171 safeguards by the end of this year. Defense Department contracts will include the -7012 “safeguards” clause, which defines the types of information that must be protected, informs contractors of their obligation to deliver “adequate security” using SP 800-171 controls, and obligates reporting to the department of cyber incidents.  

Every responsible defense supplier supports the objectives of these cyber DFARS rules. But the requirements are complex and are not currently well-understood. Outside of a few of the largest, dedicated military suppliers, many companies in the defense supply chain view these rules with a mix of doubt, concern and alarm. This recipe serves neither the interests of the Defense Department nor its industrial base.

A technology trade association, the IT Alliance for Public Sector, released a white paper that examines the Defense Acquisition Regulation System Supplement and other federal initiatives to protect controlled unclassified information. The goal was to assist both government and industry to find effective, practical and affordable means to implement the new cyber requirements. The paper examines these five areas: designation, scope, methods, adoption and compliance.

As for designation, the department should accept that it is responsible to identify and designate the covered defense information that contractors are obliged to protect. It should confirm that contractors only have to protect information that it has designated as covered, and that such obligations are only prospective — newly received information — and not retrospective.

In regards to “scope,” the Defense Department should revise the rule to clarify that contractors must protect information that it has identified as covered and provided to the contractor in the course of performance of a contract that is subject to the rule. The definition of “covered defense information” should be revised to remove confusing language that can be interpreted to require protection of “background” business information and other data that has only a remote nexus to a Defense Department contract.

The October 2016 revision now allows defense contractors to use external cloud service providers, where covered information is involved, only if those vendors meet the security requirements of FedRAMP Moderate “or equivalent.” The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

The regulation fails to explain what is meant by “or equivalent” and who decides. The Defense Department needs to explain what it expects from cloud services to satisfy SP 800-171 and the DFARS rules. A security overlay should be prepared by NIST to add cloud-specific controls. But it is unnecessary to impose the whole of the FedRAMP process and federal-specific controls on commercial cloud providers.

The Defense Department continues to depend on small business for many needs, and seeks their innovative ideas. The supplements are an obstacle and burden on smaller businesses, and yet security is just as important at the lower levels of the supply chain as at the top. The department can improve the ability of small business to implement the required security controls. Several specific recommendations are made as to how it can reach and assist the small business community. One recommendation is to make increased use of the NIST voluntary cybersecurity framework.

As far as compliance, contractors are required to represent that they will deliver “adequate security” and fully implement the SP 800-171 controls by the year-end deadline. The Defense Department needs to better inform its contractors how they can be confident their security measures will satisfy the requirements should they come under scrutiny following a cyber incident. The white paper explores different ways to create a safe harbor for compliance. A key component is contractor documentation of a system security plan, which was added as a 110th requirement to SP 800-171.        

The White Paper is available here. The Defense Department is hosting an industry day on the cyber DFARS, June 23 at the Mark Center in Alexandria, Virginia. Information and registration details available here.”

http://www.nationaldefensemagazine.org/articles/2017/4/21/navigating-defense-department-cyber-rules

4 Ways to Protect Against the Very Real Threat of Ransomware

“Getty Images”

“WIRED”

“You’re still largely on your own when it comes to fighting ransomware attacks, which hackers use to encrypt your computer or critical files until you pay a ransom to unlock them.

Ransomware is a multi-million-dollar crime operation that strikes everyone from hospitals to police departments to online casinos.

It’s such a profitable scheme that experts say traditional cyberthieves are abandoning their old ways of making money—stealing credit card numbers and bank account credentials—in favor of ransomware.

You could choose to cave and pay, as many victims do. Last year, for example, the FBI says victims who reported attacks to the Bureau enriched cyber extortionists’ coffers by $24 million. But even if you’ve backed up your data in a safe place and choose not to pay the ransom, this doesn’t mean an attack won’t cost you. Victims of the CryptoWall ransomware, for example, have suffered an estimated $325 million in damages since that strain of ransomware was discovered in January 2015, according to the Cyber Threat Alliance (.pdf). The damages include the cost of disinfecting machines and restoring backup data—which can take days or weeks depending on the organization.

But don’t fear—you aren’t totally at the mercy of hackers. If you’re at risk for a ransomware attack, there are simple steps you can take to protect yourself and your business. Here’s what you should do.

First of All, Who Are Ransomware’s Prime Targets?

Any company or organization that depends on daily access to critical data—and can’t afford to lose access to it during the time it would take to respond to an attack—should be most worried about ransomware. That means banks, hospitals, Congress, police departments, and airlines and airports should all be on guard. But any large corporation or government agency is also at risk, including critical infrastructure, to a degree. Ransomware, for example, could affect the Windows systems that power and water plants use to monitor and configure operations, says Robert M. Lee, CEO at critical infrastructure security firm Dragos Security. The slightly relieving news is that ransomware, or at least the variants we know about to date, wouldn’t be able to infect the industrial control systems that actually run critical operations.

“Just because the Windows systems are gone, doesn’t mean the power just goes down,” he told WIRED. “[But] it could lock out operators from viewing or controlling the process.” In some industries that are heavily regulated, such as the nuclear power industry, this is enough to send a plant into automated shutdown, as regulations require when workers lose sight of operations.

Individual users are also at risk of ransomware attacks against home computers, and some of the suggestions below will apply to you as well, if you’re in that category.

1. Back Up, as Big Sean Says

The best defense against ransomware is to outwit attackers by not being vulnerable to their threats in the first place. This means backing up important data daily, so that even if your computers and servers get locked, you won’t be forced to pay to see your data again.

“More than 5,000 customers have called us for help with ransomware attacks in the last 12 months,” says Chris Doggett, senior vice president at Carbonite, which provides cloud backup services for individuals and small businesses. One health care customer lost access to 14 years of files, he says, and a community organization lost access to 170,000 files in an attack, but both had backed up their data to the cloud so they didn’t have to pay a ransom.

Some ransomware attackers search out backup systems to encrypt and lock, too, by first gaining entry to desktop systems and then manually working their way through a network to get to servers. So if you don’t back up to the cloud and instead backup to a local storage device or server, these should be offline and not directly connected to desktop systems where the ransomware or attacker can reach them.

“A lot of people store their documents in network shares,” says Anup Ghosh, CEO of security firm Invincea. “But network shares are as at risk as your desktop system in a ransomware infection. If the backups are done offline, and the backup is not reachable from the machine that is infected, then you’re fine.”

The same is true if you do your own machine backups with an external hard drive. Those drives should only be connected to a machine when doing backups, then disconnected. “If your backup drive is connected to the device at the time the ransomware runs, then it would also get encrypted,” he notes.

Backups won’t necessarily make a ransomware attack painless, however, since it can take a week or more to restore data, during which business operations may be impaired or halted.

“We’ve seen hospitals elect to pay the ransom because lives are on the line and presumably the downtime that was associated, even if they had the ability to recover, was not considered acceptable,” says Doggett.

2. Just Say No—To Suspicious Emails and Links

The primary method of infecting victims with ransomware involves every hacker’s favorite bait—the “spray-‘n’-pray” phishing attack, which involves spamming you with emails that carry a malicious attachment or instruct you to click on a URL where malware surreptitiously crawls into your machine. The recent ransomware attacks targeting Congressional members prompted the House IT staff to temporarily block access to Yahoo email accounts, which apparently were the accounts the attackers were phishing.

But ransomware hackers have also adopted another highly successful method—malvertising—which involves compromising an advertiser’s network by embedding malware in ads that get delivered through web sites you know and trust, such as the malvertising attacks that recently struck the New York Times and BBC. Ad blockers are one way to block malicious ads; patching known browser security holes will also thwart some malvertising.

When it comes to phishing attacks, experts are divided about the effectiveness of user training to educate workers on how to spot such attacks and right-click on email attachments to scan them for malware before opening. But with good training, “you can actually truly get a dramatic decrease in click-happy employees,” says Stu Sjouwerman, CEO of KnowBe4, which does security awareness training for companies. “You send them frequent simulated phishing attacks, and it starts to become a game. You make it part of your culture and if you, once a month, send a simulated attack, that will get people on their toes.” He says with awareness training he’s seen the number of workers clicking on phishing attacks drop from 15.9 percent to just 1.2 percent in some companies.

Doggett agrees that user training has a role to play in stopping ransomware.

“I see far too many people who don’t know the security 101 basics or simply don’t choose to follow them,” says Doggett. “So the IT department or security folks have a very significant role to play [to educate users].”

3. Patch and Block

But users should never be considered the stop-gap for infections, Ghosh says. “Users will open attachments, they will visit sites that are infected, and when that happens, you just need to make sure that your security technology protects you,” he says.

His stance isn’t surprising, since his company sells an end-point security product designed to protect desktop systems from infection. The product, called X, uses deep learning to detect ransomware and other malware, and Ghosh says a recent test of his product blocked 100 percent of attacks from 64 malicious web sites.

But no security product is infallible—otherwise individuals and businesses wouldn’t be getting hit with so much ransomware and other malware these days. That’s why companies should take other standard security measures to protect themselves, such as patching software security holes to prevent malicious software from exploiting them to infect systems.

“In web attacks, they’re exploiting vulnerabilities in your third-party plug-ins—Java and Flash—so obviously keeping those up to date is helpful,” Ghosh says.

Whitelisting software applications running on machines is another way Sjouwerman says you can resist attacks, since the lists won’t let your computer install anything that’s not already approved. Administrators first scan a machine to note the legitimate applications running on it, then configure it to prevent any other executable files from running or installing.

Other methods network administrators can use include limiting systems’ permissions to prevent malware from installing on systems without an administrator’s password. Administrators can also segment access to critical data using redundant servers. Rather than letting thousands of employees access files on a single server, they can break employees into smaller groups, so that if one server gets locked by ransomware, it won’t affect everyone. This tactic also forces attackers to locate and lock down more servers to make their assault effective.

4. Got an Infection? Disconnect

When MedStar Health got hit with ransomware earlier this year, administrators immediately shut down most of the organization’s network operations to prevent the infection from spreading. Sjouwerman, whose firm distributes a 20-page “hostage manual” (.pdf) on how to prevent and respond to ransomware, says that not only should administrators disconnect infected systems from the corporate network, they should also disable Wi-Fi and Bluetooth on machines to prevent the malware from spreading to other machines via those methods.

After that, victims should determine what strain of ransomware infected them. If it’s a known variant, anti-virus companies like Kaspersky Lab may have decryptors to help unlock files or bypass the lock without paying a ransom, depending on the quality of encryption method the attackers used.

But if you haven’t backed up your data and can’t find a method to get around the encryption, your only option to get access to your data is to pay the ransom. Although the FBI recommends not paying, Ghosh says he understands the impulse.

“In traditional hacks, there is no pain for the user, and people move on,” he says. But ransomware can immediately bring business operations to a halt. And in the case of individual victims who can’t access family photos and other personal files when home systems get hit, “the pain involved with that is so off the charts…. As security people, it’s easy to say no [to paying]. Why would you feed the engine that’s going to drive more ransomware attacks? But … it’s kind of hard to tell someone don’t pay the money, because you’re not in their shoes.”

https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/
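Step 4 of the WIRED piece says to disconnect an infected machine as soon as the infection is noticed, but the article does not show how an encryptor is noticed before it has worked through a whole network share. The block below is an added example written for this page, not code from WIRED, Invincea, KnowBe4 or any other vendor quoted above. It applies two well-known heuristics to file-activity records of the kind an EDR agent or Windows Sysmon would produce: a process that writes many high-entropy buffers and renames files to new extensions within a short window, or that touches a planted canary document at all, is flagged as a likely encryptor and its host is put on the isolate list. The `FileEvent` record shape, the extension list, the canary path, the thresholds and the sample events are all constructed assumptions for illustration.

```python
"""Heuristic ransomware detector over constructed file-activity records.

Added example for this page; not the article's or any vendor's code.
Every constant and record below is an illustrative assumption.
"""
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Assumed tuning values; a real deployment would take the extension list
# from current threat intel and calibrate thresholds on its own baseline.
SUSPECT_EXTENSIONS = {".locked", ".crypt", ".encrypted", ".enc"}
CANARY_PATHS = {r"C:\Users\Public\Documents\_canary_do_not_touch.docx"}
ENTROPY_THRESHOLD = 7.0   # bits per byte; ordinary documents sit well below
WINDOW_SECONDS = 60.0     # sliding window for the per-process burst count
EVENT_THRESHOLD = 20      # suspicious file ops in one window => flag


@dataclass
class FileEvent:
    ts: float                        # seconds since epoch
    host: str
    process: str
    path: str
    op: str                          # "write" or "rename"
    new_path: Optional[str] = None   # rename target
    data: bytes = b""                # first bytes written (for "write")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def touches_canary(ev: FileEvent) -> bool:
    return ev.path in CANARY_PATHS or ev.new_path in CANARY_PATHS


def is_suspicious(ev: FileEvent) -> bool:
    """A rename onto a known ransom extension, or a write that looks like ciphertext."""
    if ev.op == "rename" and ev.new_path:
        target = ev.new_path.lower()
        return any(target.endswith(ext) for ext in SUSPECT_EXTENSIONS)
    if ev.op == "write":
        return len(ev.data) >= 64 and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD
    return False


def analyse(events):
    """Return {(host, process): reason} for processes that touch a canary file
    or cross EVENT_THRESHOLD suspicious operations within WINDOW_SECONDS."""
    flagged = {}
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.process)
        if touches_canary(ev):
            flagged[key] = "canary file touched"
        elif is_suspicious(ev):
            by_key[key].append(ev.ts)
    for key, times in by_key.items():
        if key in flagged:
            continue
        window = deque()                 # timestamps inside the current window
        for t in times:
            window.append(t)
            while window[0] < t - WINDOW_SECONDS:
                window.popleft()
            if len(window) >= EVENT_THRESHOLD:
                flagged[key] = f"{len(window)} suspicious file ops within {WINDOW_SECONDS:.0f}s"
                break
    return flagged


def hosts_to_isolate(events):
    """Hosts whose network access should be cut pending investigation."""
    return sorted({host for host, _ in analyse(events)})


def sample_events():
    """Constructed sample: one benign editor, one encryptor, one canary hit."""
    doc = b"Quarterly report: revenue up 4%. " * 8          # low-entropy text
    ciphertext = bytes(range(256)) * 2                       # stand-in for encrypted output, entropy 8.0
    events = []
    for i in range(5):                                       # ws-17: normal document saves
        events.append(FileEvent(1000 + i * 10, "ws-17", "WINWORD.EXE",
                                rf"C:\Users\alice\Documents\report{i}.docx", "write", data=doc))
    for i in range(25):                                      # ws-42: encrypt-then-rename burst on a share
        src = rf"\\fileserver\share\doc{i}.xlsx"
        events.append(FileEvent(2000 + i, "ws-42", "svchost32.exe", src, "write", data=ciphertext))
        events.append(FileEvent(2000 + i + 0.5, "ws-42", "svchost32.exe", src, "rename",
                                new_path=src + ".locked"))
    events.append(FileEvent(3000, "ws-07", "updater.exe",    # ws-07: single canary touch
                            r"C:\Users\Public\Documents\_canary_do_not_touch.docx", "write", data=ciphertext))
    return events


if __name__ == "__main__":
    for (host, proc), reason in analyse(sample_events()).items():
        print(f"{host} {proc}: {reason}")
    print("isolate:", hosts_to_isolate(sample_events()))
```

Feed it the file create/rename events your endpoint agent already records and act on the returned host list with whatever network-isolation control you have (switch port, NAC, EDR quarantine). Archivers, backup clients and legitimate encryption tools also write high-entropy data, so the burst rule is a trigger for isolation and investigation rather than proof; the canary rule has almost no false positives but only fires once the encryptor reaches the planted file. Neither replaces the offline backups the article puts first, since by the time either fires some files are already gone.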


Military’s Health Records Maze


VA Records Maze

“MILITARY TIMES”

“More than $1 billion has been invested in medical record interoperability in recent years but with mixed results.

Veterans Affairs Secretary David Shulkin said he is open to adopting the new military electronic health record system for his department but stopped short of promising that will happen this summer.

“We’re exploring all options,” Shulkin told members of the House Appropriations Committee on Wednesday. “It’s a highly complex issue … if there was an easy solution here, it would have been made already.”

The comments came in response to criticism from lawmakers related to the ongoing health records saga, a point of tension for the departments for decades.

“We’ve been giving you all a lot of money, and it’s not fixed,” said Rep. Tom Rooney, R-Fla. “You could be the best VA secretary of all time if you solved this one problem.”

At issue is the seamless medical transition of active-duty troops and reservists to VA care. Veterans have long lamented missing records, repeated exams and frustrating inefficiencies with the dueling department systems.

Last year, defense and VA officials certified that their Joint Legacy Viewer now allows physicians in both departments to share and read those critical health records, eliminating many of those problems.

But the separate back-end systems still prevent VA doctors from editing or updating veterans’ old military records, and vice versa. Shulkin acknowledged that “it is not the complete interoperability we would hope for.”

Earlier this year, officials with the Military Health System announced plans to shift to the new GENESIS system for all personal military health records, allowing easier access for both patients and doctors.

Shulkin said he hopes to settle on a similar new system for VA this summer. He said a number of factors will go into that decision, including long-term viability of the new system, ease of transferability from old systems and interoperability with defense records.

But VA officials have long been resistant to simply adopting the same IT systems as the military because of specific agency needs. Lawmakers pushed Shulkin to break that trend, but he would not commit to any system at the hearing.

He did say that “VA needs to get out of the software development business” and will be looking for more private sector “off-the-shelf” options for health record systems, to minimize the workload of maintaining any future health records systems.

“It’s not an easy project in a single hospital, much less a whole system the size of VA,” he said.

Shulkin’s appearance before the committee was billed as a conversation about next year’s budget request, but so far only a few details of that plan have been released publicly. A full budget is expected to be released by White House officials later this month.

The department would see a 6 percent boost in programming funds under the “skinny budget” outlined by President Trump, one of only a few federal agencies looking at a funding boost under his plan.

Committee members told Shulkin to expect many more questions about the health records issue after the fiscal 2018 specifics are released.”

http://www.militarytimes.com/articles/va-dod-health-records-2017-search