We go into the hospital with a great deal of trust. We trust that doctors will help us and potentially even save our lives. Beyond hospitals, there are not many places in the world where we are willing to do anything we are asked: take off our clothes, talk about our sex lives, etc.
Recent cyberattacks, such as WannaCry and NotPetya, put this trust into question. A growing number of cybersecurity incidents have hit hospitals and put patient safety at risk. Not only was patient information stolen and privacy impaired, but, in some cases, the attacks interrupted normal operations and services. In a hospital, that can mean life or death.
Over the last decade, the healthcare industry made significant progress on digital transformation. Patients’ healthcare records are online, test results and images are digitized, an increasing number of medical devices are connected, and medical equipment can be remotely monitored and maintained. This technology has brought tremendous improvements in efficiency and convenience to medical staff and patients alike, while helping reduce human errors and lower operational costs. At the same time, however, this high level of connectivity has created a much larger attack surface. Because there are so many connected devices, of so many different types, it is becoming increasingly difficult to completely secure all of them at all times.
Hackers can not only use these devices as stepping stones to access critical assets, such as patients’ healthcare records, they also can compromise these devices to cause physical harm and put people’s lives at risk. For example, we demonstrated in our research lab that we can hack into an infusion pump from a leading vendor to change the dosage of the medication that is going directly into a patient’s body. This dosage change alone could be fatal to a patient.
Mid- to large-size hospitals use hundreds, if not thousands of third-party products and services. Even if the hospital itself is secured, these third-party vendors can bring in lots of vulnerabilities. Each of these third parties also uses many more other external vendors. If any of those external vendors is affected, there could be a domino effect on the hospital’s security – yet another reason it is extremely challenging to secure a hospital and all its IoT devices.
Is there a solution? In many ways, an IoT system is very similar to the human body – a large and complex system that is always on. Let’s use a heart attack as an analogy. We all know that a heart attack can be catastrophic. Although a heart attack usually happens suddenly, the conditions that make it likely actually take days, months or even years to build up. If we could continuously, automatically and intelligently monitor the heart and body, we could detect early signs of problems and take preventive actions to avoid the heart attack.
Doctors detect and cure diseases through their detailed knowledge of the different parts of our body and what each of them does. Surprisingly, we don’t have similar information on IoT networks. Most hospitals we have talked to don’t have up-to-date information about what types of IoT devices they have, much less how many of these devices are connected to their networks. So, IoT device visibility is the first task for each organization. At any given time, we need to know which devices are connected to the network – plus, what they are supposed to do and not supposed to do – and monitor their behavior in real time for early detection of potential cyberattacks.
Yet another challenge beyond the number and varied types of devices: these devices get on and off the network dynamically. How do we handle a highly dynamic system of such large scale? Obviously, manual monitoring is not feasible. The key is to leverage artificial intelligence (AI) to identify and monitor devices automatically, so that we can further protect them – and the hospital and its patients – in the event of a cyberattack.
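The two steps above, knowing which devices are on the network and flagging behavior outside what each device is supposed to do, can be demonstrated with a small passive inventory over flow records. The following is an added example, not code from the original post or from any product it describes; the flow records, the OUI-to-device-type table and the per-type behavioral profiles are all constructed for illustration, and a real deployment would take them from a flow collector and a maintained asset database.

```python
"""Passive IoT inventory and behaviour check over constructed flow records.

Added example, not code from the original post. The flow records, the
device profiles and the MAC-prefix table below are all constructed for
illustration; a real deployment would take them from a flow collector
(NetFlow/IPFIX, Zeek conn logs) and a maintained OUI/asset database.
"""
from dataclasses import dataclass, field

# Constructed OUI table: first three octets of a MAC -> device type.
# Real deployments use the IEEE OUI list plus DHCP/HTTP fingerprints.
OUI_TO_TYPE = {
    "00:1a:aa": "infusion_pump",
    "00:1b:bb": "patient_monitor",
    "00:1c:cc": "workstation",
}

# What each device type is supposed to do: allowed (destination, port) pairs.
# Anything outside the profile is flagged. Profiles are constructed.
PROFILES = {
    "infusion_pump": {("pump-server.hospital.local", 443), ("ntp.hospital.local", 123)},
    "patient_monitor": {("central-station.hospital.local", 2575), ("ntp.hospital.local", 123)},
}


@dataclass
class Device:
    mac: str
    ip: str
    dtype: str
    first_seen: int
    last_seen: int
    destinations: set = field(default_factory=set)


def classify(mac: str) -> str:
    """Map a MAC address to a device type via its OUI prefix; 'unknown' if unlisted."""
    return OUI_TO_TYPE.get(mac[:8].lower(), "unknown")


def build_inventory(flows):
    """Group flows by source MAC, classify each device, record what it talked to.

    flows: iterable of (timestamp, src_mac, src_ip, dst_host, dst_port).
    Returns {mac: Device}. Devices join and leave dynamically; the inventory
    is whatever has been observed, with first/last-seen timestamps.
    """
    inv = {}
    for ts, mac, ip, dst_host, dst_port in flows:
        mac = mac.lower()
        dev = inv.get(mac)
        if dev is None:
            dev = inv[mac] = Device(mac, ip, classify(mac), ts, ts)
        dev.last_seen = max(dev.last_seen, ts)
        dev.ip = ip
        dev.destinations.add((dst_host, dst_port))
    return inv


def find_violations(inv):
    """Return (mac, dtype, dst_host, dst_port) for traffic outside a device's profile.

    Unknown device types are reported in full: a device you cannot classify is
    a visibility gap, which is the first problem the post says must be solved.
    """
    out = []
    for dev in inv.values():
        allowed = PROFILES.get(dev.dtype)
        for dst in sorted(dev.destinations):
            if allowed is None or dst not in allowed:
                out.append((dev.mac, dev.dtype) + dst)
    return out


# Constructed flow records: (epoch seconds, src MAC, src IP, dst host, dst port)
SAMPLE_FLOWS = [
    (1000, "00:1A:AA:01:02:03", "10.20.1.15", "pump-server.hospital.local", 443),
    (1005, "00:1A:AA:01:02:03", "10.20.1.15", "ntp.hospital.local", 123),
    (1010, "00:1B:BB:04:05:06", "10.20.1.22", "central-station.hospital.local", 2575),
    # The pump suddenly talks to an outside host over SMB: not in its profile.
    (1020, "00:1A:AA:01:02:03", "10.20.1.15", "203.0.113.9", 445),
    # A device whose OUI is unknown: an inventory gap, reported as such.
    (1030, "DE:AD:BE:EF:00:01", "10.20.1.99", "update.example.net", 80),
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    for dev in inventory.values():
        print(f"{dev.mac} {dev.dtype:16} {dev.ip:12} seen {dev.first_seen}-{dev.last_seen}")
    for v in find_violations(inventory):
        print("ALERT", v)
```

The profile is a per-device-type allowlist rather than a signature: an infusion pump that starts speaking SMB to an Internet address is flagged without anyone having written a rule for that specific attack, which is the kind of behavioral baseline the post argues for.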
In summary, visibility and AI are the keys for IoT security in healthcare.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Executive Summary
American Kingpin: The Epic Hunt for the Criminal Mastermind Behind the Silk Road doesn’t qualify as a “must read” for all cybersecurity professionals, but it is a very interesting and entertaining book. American Kingpin is about the rise and fall of the Dread Pirate Roberts (DPR), the criminal head of the notorious, illicit online marketplace, the Silk Road, where drugs, guns, and even human body parts were available for sale anonymously. At a deeper level, however, American Kingpin follows two stories. First, it tracks Ross Ulbricht, a twenty-something libertarian who created the Silk Road, grew it from a cottage website to a multi-million-dollar illegal marketplace and transformed himself from naïve grad school dropout to criminal overlord DPR.
Additionally, American Kingpin follows the federal investigation, arrest, and conviction of DPR, weaving this thread throughout the entire book. Far from a highly organized federal investigation, the hunt for DPR begins by resembling a Keystone Cops episode as various individuals from different federal law enforcement agencies (DEA, DHS, FBI, IRS, etc.) jump on the case, buy drugs, arrest low-level dealers and drug buyers, and follow leads in pursuit of the Silk Road kingpin. Eventually, these individuals discover each other and cooperate on finding the Dread Pirate Roberts. Their collaboration leads to several dead ends, but they eventually put their heads together, piece together all their individual breadcrumbs, and take down DPR.
American Kingpin is well-researched and written in an easy-to-read style that grabs and holds on to the reader from start to finish. This book is highly entertaining as it exposes the cybercriminal underground and links it to an individual whom no one suspected of being anything other than a misguided young man. Despite not being a Canon candidate, I do highly recommend this book for those cybersecurity professionals interested in cybercrime, law enforcement, and an old-fashioned cops-and-robbers story.
Review
Like the last book I reviewed for the Cybersecurity Canon (The Dark Net), American Kingpin doesn’t really qualify as a “must read” book for all cybersecurity professionals. Admittedly, you won’t enhance your skills or advance your career by reading this book. That said, cybersecurity isn’t about network packets, malicious code, and software vulnerabilities alone. No, cybersecurity also includes some basic philosophical and human issues around the use of technology for good versus evil. There is a fundamental question in what we do: Why do some people use their technical skills to break the law while others dedicate their lives to countering these threats?
American Kingpin explores this question by following Ross Ulbricht, a seemingly normal person who came up with the idea to create a website for selling illicit drugs online. Ross could have never imagined that this initial, misguided decision would lead to a multi-million-dollar organized criminal enterprise and an international manhunt. Ross’s relatively innocent website became the infamous Silk Road while Ross himself turned from happy-go-lucky twenty-something to the criminal Dread Pirate Roberts.
One of the things I really liked about American Kingpin is it is a book with two interwoven stories:
The picaresque story of Ross Ulbricht before, during, and after his fateful decision to develop and operate the Silk Road.
The story of a loosely coupled law enforcement posse that discovers and investigates the Silk Road website and the criminals behind it.
These two stories coalesce at the book’s conclusion as Ulbricht is discovered, arrested, tried, and sentenced.
Story #1 opens with young Ross with his family in his hometown of Austin, Texas. Ross seems like an average American kid – good home, boy scout, college graduate, etc. Ross is considered an exceptionally bright kid, albeit a bit quirky and disorganized.
As this story develops, we also learn a bit more about Ross when he enters graduate school. Ulbricht is a free spirit who participates in drum circles, lives a pauper’s existence, and wears the same clothes for days on end. Ross is also somewhat of a partier, drinking and smoking marijuana with close friends. Despite his outward Bohemian appearance, however, Ross is also highly intelligent and passionate in his opinions. He is especially committed to his politics, maintaining a strong libertarian belief system. At Penn State, he participates in political debates, always arguing that the government has no business getting involved in citizens’ private and personal life choices.
Soon, Ross leaves graduate school and moves back to Austin with his girlfriend. It is during this time frame that Ross rents a low-rent apartment for the express purpose of growing magic mushrooms. When Ross takes his girlfriend to see his mushroom farm, he tells her that he plans to create a website to sell these illicit goodies online. His timing is not accidental; it coincides with the right technology underpinnings for this type of endeavor: the emergence of Bitcoin, a pseudonymous crypto-currency, and Tor (The Onion Router), an anonymity network and browser that hides users’ source IP addresses from the sites they visit.
As a demonstration of Ross’s intelligence and perseverance, Ross teaches himself software coding and launches his new website. He names his website after an ancient network of trade routes that connected the East and West from the Korean peninsula and Japan to the Mediterranean Sea: the Silk Road.
Of course, Ross has no idea whether anyone will even notice the Silk Road, so he takes the time to find related chat sites and post marketing references to the Silk Road to get the word out. Much to his surprise, the site’s popularity grows, and Ross is contacted by others who also want to sell illegal drugs via Silk Road. Over a short time frame, the Silk Road grows exponentially as hundreds of vendors join and use the website as a dark web drug bazaar. Revenue also escalates. Ross can’t believe it when site sales climb into the thousands of dollars per month, but it doesn’t take long before these numbers rise to millions of dollars per month.
Ross realizes that he can’t possibly maintain the Silk Road by himself, so he recruits a group of like-minded participants to help with software development, enhance security, and perform various administrative tasks. As the Silk Road transforms from a mom-and-pop website to an online drug superstore, Ross Ulbricht decides he needs a criminal alias. One of his criminal co-conspirators suggests that he call himself the Dread Pirate Roberts (DPR), a fictional character from the movie The Princess Bride. In this film, many different people assume the identity of DPR, adding to the intrigue and power of the character. Ross immediately realizes that this model could apply to his role in the Silk Road as well. He could become DPR himself and then pass the identity to others when he decided to move on and return to the real world.
Thus, the Dread Pirate Roberts was born and, just like in the movie, the character assumes a mythical and sinister reputation – a ruthless pirate who heads an international drug market and rules his kingdom with an iron fist. Henceforth, Ross behaves like a syndicated crime boss, punishing those who get in his way while plotting his eventual getaway for when the law catches up with him.
The success of the Silk Road remained hidden until June 2011, when the site was featured in a Gawker blog, labeling the Silk Road as an underground version of Amazon.com. This article effectively put a bull’s-eye on the Silk Road, first with U.S. Senator Chuck Schumer, D-N.Y., and then with the federal law enforcement community.
This brings me to the second thread throughout American Kingpin: the federal investigation that leads authorities to capture and convict DPR. It’s well-known that Ross Ulbricht was arrested in October 2013 and convicted in 2015, but the details of the federal investigation beyond this were relatively obscure. Nick Bilton does a great job researching and describing how the actual investigation played out. Far from a well-organized operation, the investigation began when various law enforcement officers in the DEA, DHS, FBI, and IRS learned about the Silk Road and pursued their own separate inquiries. This wide-ranging cast of characters used their own methods, followed their own leads, and had no idea that anyone else in federal law enforcement was pursuing a parallel investigation.
Eventually, these unaffiliated individuals come together as an interdepartmental unit, and each group brings its own puzzle pieces to the overall case. This collaboration eventually leads to a breakthrough, and, while federal law enforcement eventually gets its man, some within the law enforcement community are exposed as profiteers who used the investigation to pad their own pockets. Human triumph and tragedy coalesce.
It is worth noting that, aside from telling two exciting stories, the style of this book is also compelling. Many cybersecurity books require a reader with patience and perseverance, willing to peruse long chapters chock full of cryptic acronyms and technical details – not American Kingpin. I estimate that the longest chapter in this book is no more than seven pages. This writing style makes the book easy to read and hard to put down. I spent hours on this book and read the whole thing in just over four days.
Conclusion
Like the last book I reviewed (The Dark Net), American Kingpin does not meet the Cybersecurity Canon definition of a “must read” book for all cybersecurity professionals. Notwithstanding the Cybersecurity Canon definition, I highly recommend American Kingpin to cybersecurity professionals looking to better understand the culture and tactics of the cybercrime underground, and how law enforcement investigates, pursues, and eventually finds cybercriminals at large. American Kingpin was an extremely entertaining book and a true “page turner.” For those reasons, curious cybersecurity professionals should put this book high on their reading list.
The recent Global Risks Report by the World Economic Forum offers the latest evidence that cybersecurity is rising among the top global risks. Cyberattacks are now the global risk of highest concern to business leaders in advanced economies. This reflects the inability of enterprises to keep pace with today’s challenging threat landscape, and points to an urgent need for increased prioritization of and investment in cybersecurity by executive leadership.
While a cyberattack does not qualify as a natural disaster – one of the other top risks identified in the Global Risks Report – large-scale cyberattacks are capable of devastating critical infrastructure in similar fashion. A cyberattack has the potential to disrupt many of the most essential aspects of our lives, from electric, gas and water utilities to banking and cellphone coverage.
It is evident that the status quo will not be sufficient if we are to expect a reasonable level of security in both our personal and professional lives. Society and enterprises will need to focus on resilience, both technological and human. While contending with threats may be inevitable, our ability to recover cannot be undermined. We will need to build real and virtual firebreaks to ensure critical infrastructure elements do not fall due to the domino effect of a potential collapse.
Systemic challenges and threats require systemic solutions. Enterprises must focus not just on providing the next big app or solution to customers, but also on educating customers about potential threats and actions that can be taken to prevent or address them. In this context, it was encouraging to see the World Economic Forum announce plans for a new Global Centre for Cybersecurity. Deeper collaboration between the public and private sectors – while also tapping into the knowledge base of global industry associations such as ISACA – must be part of any substantive solutions going forward.
The increasing cybersecurity challenges that accompany the expanding threat landscape also call for the constant skilling and re-skilling of the technology workforce. Enterprises must be more committed to investing in real-world training for their security teams that takes into account the most up-to-date threats and vulnerabilities. Why is it so necessary to develop a more robust, highly skilled cybersecurity and tech governance workforce? Consider several realistic possibilities that I suspect we could encounter as 2018 progresses:
At least half the global population could become victims of privacy breaches;
The Internet of Things will become the Internet of Threats. Smart appliances will be used to take privacy attacks to the next level. Your television, your refrigerator and your connected toothbrush will know more about you than any other human can;
The rise of superintelligent threats, driven by AI and machine learning;
The potential for swarm attacks by drones;
The first bioengineered hack of the human body.
These, and other technology-driven stress points, are unprecedented challenges that demand proactive defense strategies. Disruptive technologies have the potential to power our global economy in many promising and innovative ways, but we must nurture new and more collaborative solutions to ensure these technologies are implemented effectively and securely.
While cybersecurity rising on the list of top global threats cannot be construed as good news, at least the global community has begun to recognize the scope of the challenge. Now, it is time to pull together as a global community and meet this challenge together.
R.V. Raghu, CISA, CRISC, ISACA board director and director of Versatilist Consulting India Pvt. Ltd.
The purpose of the General Data Protection Regulation (GDPR) is to harmonize the data privacy regulations that each European Union member state implemented to comply with GDPR’s predecessor, the 1995 Data Protection Directive. GDPR provides a single, comprehensive regulation that is compulsory for all organizations processing the personal data of individuals living within the European Union.
The regulation becomes enforceable on 25 May 2018, after a two-year transition period to allow organizations to implement GDPR. GDPR substantially increases data subjects’ rights – and with penalties of up to €20 million or 4% of annual worldwide turnover, whichever is higher, the regulation has the potential to fundamentally change the way organizations view and process personal data. That said, the purpose of this blog post is not to tell you what GDPR is or who it will impact, nor to pour more oil on the fear-mongering flames. Over the past two years, most of us have seen more than enough of these types of articles from privacy experts. I am writing today to introduce ISACA’s new GDPR guide.
Six months ago, ISACA brought together a team of information technology, information security, audit and data privacy professionals from around the world to help develop a guide that provides a pragmatic approach to implementing GDPR in organizations large and small. This guide provides a comprehensive introduction to GDPR, along with a plan to help organizations implement a data privacy program that complies with GDPR requirements.
The guide also includes the available information from the Article 29 Data Protection Working Party (WP 29), which provides clarification on various topics covered in the regulation. WP 29 guidance, where available, has been included within ISACA’s GDPR guide. At 100 pages, the guide can be easily read in a weekend. It will serve as a handy guide during the implementation of your data privacy program, as well as a solid reference during your day-to-day activities.
The guide provides advice on topics such as identifying and classifying personal data, data governance, information security, managing compliance in your supply chain, data breaches, employee awareness and more. The guide also includes several annexes that provide specific recommendations to help practitioners implement an effective and efficient data privacy program. Annex 1 is divided into nine domains that cover 46 processes organizations should implement as part of their GDPR programs. Annex 2 provides guidance on how to set up and manage the Data Protection Impact Assessment (DPIA) process. Annex 3 provides a sample personal data register, which must be created, maintained and readily available in the event of an audit. Throughout the document, we have defined common data privacy terminology and included a glossary of terms that we suggest you ensure are correctly used within your organization to avoid confusion.
The ultimate purpose of the guide is not simply to help organizations become GDPR compliant, but also to ensure the privacy of real people. To this end, we stress that the comprehensiveness of your data privacy program should be based on the risk to the subjects’ data that you hold and not solely on the risk to your organization.
ISACA’s GDPR Working Group believes that implementing GDPR will not only reduce the risks to your organization, partners and customers, but also has the potential to improve the effectiveness of your organization through the implementation of sound policies and processes. Many of us on the working group are privacy practitioners who will use the guide to help implement GDPR in our organizations. This will allow us to see first-hand what worked well and what could be improved. Stay tuned to this space, as we will provide regular updates as we count down to 25 May. Once we’ve received sufficient feedback, we will review and update the guide. In the meantime, we hope this guide is beneficial to you and your organization.
Scott Rosenmeier, CISA, CISM, CRISC, CGEIT, CISSP-ISSMP/ISSAP, TUEV SUED certified DPO (Germany), Senior Manager, Information Security
Account takeover attacks are a nearly invisible tactic for conducting cyber espionage. Because these breaches can take months or years to detect, we are slowly discovering that this attack vector is much more common than we thought. The more we learn about new methodologies, the more we realize just how misunderstood account takeover attacks can be. Many of the common myths about account takeover attacks are making it easier for the attackers to continue undetected, which is why we feel obligated to debunk them.
What Is an Account Takeover Attack?
Account takeover is a strategy used by attackers to silently embed themselves within an organization and slowly gain additional access or infiltrate new organizations. While ransomware and other destructive attacks immediately make the headlines, a compromised account may remain undiscovered for months or years, or never be discovered at all. (See the Verizon 2017 Data Breach Investigations Report graph.)
On average we find at least one compromised account in half of our new installs, oftentimes finding that they have been there for months. We hope this blog can provide a better understanding of how they work and how to defend against them.
Myth 1: I’ve installed the latest antivirus software. I’m safe.
Reality: Account takeover attacks seldom use malware or malicious links.
You may have the latest patches. You might have the latest URL filters. You might have installed an MTA mail gateway to scan every message. None of these, however, would have detected the most common attacks of 2017. Few, if any, used an attachment or malicious link. Instead they relied upon convincing a user to authorize an app or share credentials via an otherwise legitimate site. Account takeover attacks do not want to infect a desktop or steal a bank account’s routing number. They seek only to gain access to a legitimate user’s account for as long as possible. Step one in their methodology is to avoid detection by the most common tools.
Myth 2: We’ve all had security training. Attacks are obvious.
Reality: User training is not enough to defend against targeted attacks.
Everyone would like to believe that they are smart enough to notice an attack before they are compromised, but even the most vigilant user would miss the more recent strategies. A CISO once called user training an “attack signature that gets updated once a year.” While you may be able to identify the traits of an older method, new, more sophisticated techniques are developed every day. It is no longer enough to look for misspelled words or bad grammar. They are now highly personalized, well timed and sent in moderation. It is easy to forget that attackers read the same best practice documents you read, and use them as their checklist of things to evade.
Myth 3: An account takeover always starts with an email.
Reality: Attackers are starting to use other collaboration tools.
As organizations are moving away from email to Slack, Teams, and Chatter for internal collaboration, so are the attackers. Your employees are naturally wary of messages that come by email, but they seldom transfer that suspicion to internal messaging tools. While only 12 percent of employees might be likely to click on a malicious email, more than half would click on the same message when it arrives via internal Slack chat from a ‘trusted’ user. While there are dozens of tools to monitor and protect user email, these internal tools typically have no phishing or malware protection at all.
Myth 4: Account takeover always starts with a phishing message.
Reality: Hackers can get your credentials without a phishing attack.
Although phishing messages are the most common way for hackers to gain access to an account, they are far from the only method. Large, third-party data leaks like Yahoo and LinkedIn have created a market for hackers to exchange stolen passwords. Even Post-It Notes are not safe from online distribution. A breach might include passwords for one service that employees have re-used on corporate accounts. Even a breach that doesn’t include raw credentials might include the personal information (street address, high school, mother’s maiden name) that makes it possible for attackers to gain temporary access by requesting a password reset. The Equifax breach probably contains more personal information than the average person even knows about themselves. Although anti-phishing security is important, it is only one part of the equation when it comes to defending against account takeover.
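The defensive counterpart to the password-reuse problem described above is to refuse passwords that already appear in breach corpora, without shipping the password itself to whoever holds the corpus. The following is an added example, not code from the original post; it implements the k-anonymity range query popularised by Have I Been Pwned’s Pwned Passwords API (send the first five hex characters of the SHA-1, receive every suffix with that prefix, compare locally). The breach corpus, its occurrence counts and the 12-character minimum are constructed for illustration; the lookup callable is where a real HTTPS range query would be plugged in.

```python
"""Check a candidate password against a breach corpus without sending the password.

Added example, not code from the original post. It implements the k-anonymity
range query popularised by Have I Been Pwned's Pwned Passwords API: the client
sends only the first 5 hex characters of the SHA-1 hash and receives every
hash suffix with that prefix; the comparison happens locally. The "server"
here is a constructed in-memory corpus so the example runs offline.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: passwords that have appeared in public leaks,
# with made-up occurrence counts.
LEAKED = {"password": 3861493, "123456": 24230577, "Summer2017!": 1204, "letmein": 236572}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the format range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Server side: prefix -> list of "SUFFIX:COUNT" lines, mimicking a range response."""
    idx = defaultdict(list)
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        idx[h[:5]].append(f"{h[5:]}:{count}")
    return idx


def range_lookup(index, prefix: str) -> list:
    """Server side: return all suffixes for a 5-character prefix (empty list if none)."""
    return index.get(prefix.upper(), [])


def pwned_count(password: str, lookup) -> int:
    """Client side: split the hash, query by prefix only, match the suffix locally.

    lookup is any callable prefix -> list of "SUFFIX:COUNT" lines; swap in an
    HTTPS call to a real range API and the rest is unchanged. Returns the
    occurrence count, or 0 if the password is not in the corpus.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        cand, _, count = line.partition(":")
        if cand == suffix:
            return int(count)
    return 0


def is_acceptable(password: str, lookup, min_length: int = 12) -> bool:
    """Policy check in the NIST SP 800-63B spirit: long enough and absent from the corpus."""
    return len(password) >= min_length and pwned_count(password, lookup) == 0


if __name__ == "__main__":
    index = build_range_index(LEAKED)
    lookup = lambda p: range_lookup(index, p)
    # SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so only "5BAA6"
    # ever leaves the client; the server learns nothing that identifies the password.
    for pw in ["password", "Summer2017!", "correct horse battery staple"]:
        print(f"{pw!r}: seen {pwned_count(pw, lookup)} times, acceptable={is_acceptable(pw, lookup)}")
```

Because a five-character prefix covers on the order of a million real hashes, the server cannot tell which one the client was asking about, which is what makes it safe to run this check against a third-party corpus at password-set time.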
Myth 5: I would notice right away if my account was compromised.
Reality: Account takeovers are specifically designed to evade detection.
Although it may seem like you would have to be blind to not notice a second user in your email inbox, hackers have become incredibly adept at navigating and using compromised accounts without detection. Tactics like the alternate inbox method, in which the attacker uses hidden and unchecked trash folders as their inbox, can make even the most active attacker invisible to the account’s rightful owner. When your account is compromised, you will likely never notice anything out of the ordinary.
Myth 6: The hacker will log in from a suspicious location.
Reality: Hackers can appear to log in from anywhere.
If a hacker is regularly logging into your account, wouldn’t their location raise a flag? It is reasonable to assume that to detect a compromised account, you just need to keep an eye out for suspicious locations in your account history. Unfortunately, publicly available VPNs are an easy way to avoid this obvious giveaway. A competent hacker based in North Korea can appear to be from an IP address in your own town, looking as benign as a login from your local CoffeeCafe. If they’ve already compromised another victim, they could even stage their attack from a partner’s network.
Myth 7: Changing my password will get rid of them.
Reality: Hackers can continue to access your account without a password.
Many cyber-security best-practices guides will advise you to change your password if your account is compromised. The first step in most attacks, however, is to create a secondary back door so that the attacker no longer depends on the primary login. For example, they may get the user to consent to a malicious cloud application that holds full rights to the account. These API-based connections use their own OAuth tokens, which are not invalidated by a password change, must be revoked individually and often never appear in the logs you watch. Or they may create inbox rules that forward and redirect messages out of the account without the need to log in again. Even if you change your password or turn on multi-factor authentication within seconds of a breach, they may no longer have any need of your password.
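The two persistence mechanisms described above, along with the “alternate inbox” trick from Myth 5, leave traces in mailbox and application-consent audit events. The following hunt is an added example, not code from the original post or from any product it describes: it triages a constructed set of events for inbox rules that forward externally, delete mail or move it to folders the owner never reads, and for app consents carrying mail scopes or a refresh token. The records are constructed and only loosely modelled on cloud-mail audit logs; the field names, the organization domain, the folder list and the scope names are assumptions, and a real tenant’s export will differ.

```python
"""Hunt for account-takeover persistence in constructed mailbox audit events.

Added example, not code from the original post. It scans two kinds of
events the post describes attackers leaving behind once they have a
password: inbox rules that forward mail out or hide it in a folder the
owner never reads, and third-party app consents carrying mail scopes. The
records below are constructed and only loosely modelled on cloud-mail
audit logs; field names in a real tenant differ, so the schema is an
assumption.
"""
import json

ORG_DOMAIN = "corp.example"          # assumption: anything else is "external"
HIDDEN_FOLDERS = {"Deleted Items", "RSS Feeds", "Junk Email", "Archive", "Conversation History"}
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}


def _external(addr: str) -> bool:
    return "@" in addr and not addr.lower().endswith("@" + ORG_DOMAIN)


def check_inbox_rule(ev):
    """Return a list of reasons an inbox-rule event looks like attacker persistence."""
    p = ev.get("parameters", {})
    reasons = []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in p.get(key, []):
            if _external(addr):
                reasons.append(f"{key} external address {addr}")
    if p.get("DeleteMessage"):
        reasons.append("rule deletes matching messages")
    if p.get("MoveToFolder") in HIDDEN_FOLDERS:
        reasons.append(f"rule moves mail to rarely read folder {p['MoveToFolder']!r}")
    # No sender/subject condition plus a hiding action is the "alternate inbox" pattern.
    broad = not any(k in p for k in ("From", "SubjectContainsWords", "BodyContainsWords"))
    if broad and (p.get("DeleteMessage") or p.get("MoveToFolder") in HIDDEN_FOLDERS):
        reasons.append("no sender/subject filter: applies to all incoming mail")
    return reasons


def check_consent(ev):
    """Return reasons an app-consent event grants an attacker durable mailbox access."""
    scopes = set(ev.get("scopes", []))
    risky = sorted(scopes & RISKY_SCOPES)
    reasons = []
    if risky:
        reasons.append("mail scopes granted: " + ", ".join(risky))
    if "offline_access" in scopes:
        reasons.append("refresh token issued: survives a password change until revoked")
    if risky and not ev.get("publisher_verified", False):
        reasons.append("unverified publisher")
    return reasons


def triage(events):
    """Route each event to its check; return [(user, operation, reasons)] for hits only."""
    hits = []
    for ev in events:
        op = ev["operation"]
        if op in ("New-InboxRule", "Set-InboxRule"):
            reasons = check_inbox_rule(ev)
        elif op == "Consent to application":
            reasons = check_consent(ev)
        else:
            continue
        if reasons:
            hits.append((ev["user"], op, reasons))
    return hits


# Constructed sample events, one JSON object per line as an audit export might be.
SAMPLE_LOG = """
{"user": "alice@corp.example", "operation": "New-InboxRule", "parameters": {"Name": ".", "ForwardTo": ["backup.alice@mail-relay.example.net"], "DeleteMessage": true}}
{"user": "bob@corp.example", "operation": "New-InboxRule", "parameters": {"Name": "payroll", "From": ["hr@corp.example"], "MoveToFolder": "HR"}}
{"user": "carol@corp.example", "operation": "Set-InboxRule", "parameters": {"Name": "sync", "MoveToFolder": "RSS Feeds"}}
{"user": "dave@corp.example", "operation": "Consent to application", "app": "Mail Productivity Helper", "publisher_verified": false, "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access"]}
{"user": "erin@corp.example", "operation": "Consent to application", "app": "Calendar Viewer", "publisher_verified": true, "scopes": ["Calendars.Read"]}
{"user": "erin@corp.example", "operation": "UserLoggedIn"}
"""


def load_events(text: str):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for user, op, reasons in triage(load_events(SAMPLE_LOG)):
        print(f"{user}: {op}")
        for r in reasons:
            print("   -", r)
```

Note what is not in the hit list: Bob’s rule files HR mail into a folder he reads, and Erin’s consent grants a read-only calendar scope to a verified publisher. The check keys on the combination that matters for takeover, a broad or hiding rule, an outbound copy, or a mail scope paired with a long-lived token, rather than on the mere existence of a rule or a consent.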
Myth 8: I’m not “important” enough to be valuable to an attacker.
Reality: Every employee’s account is useful to a hacker.
It can be comforting to think that cyber security is only a concern for executives or employees with high levels of access to sensitive company data. Typically, however, the initial account takeover breach is imprecise and opportunistic. The initial goal of the hacker is to simply get access to any internal account. Once they have access, they take advantage of internal trust relationships to move from employee to employee until they find the sensitive data they need. A user doesn’t need to be high up or have a high level of access to serve as a hub for a hacker to base their operations. In fact, lower level employees are often under less scrutiny and can serve as a better vessel to use and remain undetected.
Myth 9: Our company is not worth targeting.
Reality: Your company can be used to attack your customers and partners.
If your company has customers, their employees will likely trust yours. If your company has providers, it could serve as the attacker’s way in. Although the hacks of major financial institutions and Fortune 500 companies make the headlines, hundreds of small ‘invisible’ companies in niche industries are attacked every day. Because smaller companies typically do not have the security staff of the larger firms, they can be an easy path into a much more lucrative target.