Unveiling Magnifier Behavioral Analytics: Rapidly Hunt Down and Stop the Stealthiest Network Threats

At Palo Alto Networks, we constantly seek out new ways to achieve our mission to protect our way of life in the digital age by preventing successful cyberattacks. We analyze all the steps threat actors take to carry out their attacks and systematically add new protections to disrupt each step. By blocking threat actors’ every move, we limit the opportunity for any attack to succeed.

To bolster organizations’ ability to stop threats across the attack lifecycle, including hard-to-detect attacks inside the network, we’re pleased to introduce Magnifier behavioral analytics. Magnifier is a cloud-based application that analyzes data collected from the Next-Generation Security Platform, profiles the behavior of users and devices in the network, and detects behavioral anomalies that suggest an attack is underway.

But Magnifier doesn’t stop there. It also gathers high-value information from suspicious endpoints and delivers this information, along with user and device context, in actionable alerts. Based on the investigative detail in alerts, security analysts can quickly block attacks.

Magnifier offers several key features to help security teams find the attacks that matter, respond to threats quickly and overcome the challenges associated with logging enormous amounts of data. These key features include:

  • Automated Detection: Magnifier uses machine learning to analyze rich network, endpoint and cloud data from the Next-Generation Security Platform and profile behavior. Based on this information, Magnifier detects behavioral anomalies that indicate command and control, lateral movement and data exfiltration. Magnifier produces a small number of accurate alerts that reveal targeted attacks, insider abuse and malware running on endpoints.
  • Accelerated Response: Magnifier speeds up investigations by dynamically scanning attack sources to find running processes. Then, Magnifier examines suspicious processes with WildFire cloud-based threat analysis to uncover malware. Security analysts receive detailed user, device and endpoint process information in alerts, providing them the information they need to rapidly block threats with Palo Alto Networks Next-Generation Firewall.
  • Cloud Scale and Agility: As a cloud-based application, Magnifier overcomes the scaling challenges of on-premise analytics and allows Palo Alto Networks researchers to roll out security innovations faster. Magnifier analyzes data stored in our Logging Service, which provides an intelligent, operationally efficient and cost-effective way to store the large volumes of data needed for behavioral analytics. Magnifier also increases the speed of innovation by allowing researchers to rapidly roll out new detection algorithms to all customers at once without lengthy software update cycles causing delays.

Magnifier’s detection algorithms are not new; they are based on award-winning technology from LightCyber, a company Palo Alto Networks acquired in February 2017.

Now that LightCyber’s behavioral analytics technology is a part of the Next-Generation Security Platform, we can deliver even better security outcomes. By leveraging the power of the platform, we gain more data sources for attack detection – including unique User-ID, App-ID and Content-ID information – as well as industry-leading threat analysis from WildFire. Our customers can quickly shut down attacks with the next-generation firewall.

Magnifier analyzes metadata from next-generation firewalls and the Magnifier Pathfinder endpoint analysis service to uncover active attacks.

Join us on our journey to transform how organizations combat post-intrusion attacks. Subscribe to the first application available on Palo Alto Networks Application Framework.

Availability
Magnifier is expected to become available in February 2018. Contact your Palo Alto Networks account team to find out if you qualify for a free trial of Magnifier, and gain unprecedented visibility into threats inside your network.

[Palo Alto Networks Research Center]

Meltdown/Spectre: Not Patching is Not an Option

The most prominent data security events of 2017, such as WannaCry and Equifax, were direct results of poor patching practices. Now, 2018 is off to a menacing start with disclosure of two hardware vulnerabilities affecting most modern microprocessors and requiring a number of patches on several levels of defenses.

To clarify, Meltdown is a vulnerability that allows core system memory access by any user process, while Spectre allows an unprivileged application to access the memory space of others.

What can happen? In simplest terms, one program executed on your computer can gain access to data that belongs to other users or utilize the operating system to access data, including passwords and personal data. What is affected? Most personal computers, servers and mobile devices. What can we do about this? The simple answer: patch everything that is affected, including BIOS, OS and browsers.

If everything seems to be simple, why is this such a big problem? The answer is not so simplistic. As far as the scope, possible vectors of attack and potential ramifications, these two vulnerabilities present perhaps the largest impact to our computer systems and networks that we have seen in a very long time.

Let’s start with the fact that it is likely that every computer and mobile device in your infrastructure is somehow affected, along with a significant number of IoT devices. Arguably, your shared environments (such as Citrix) present the greatest vulnerability, as these systems are designed for multiple users and the core design is a secure segregation between user resources.

Let’s consider the work of many of us in the security community. We need to identify all the systems and software that must be patched, test the patches, implement them and deal with “side effects.” This includes legacy systems, as the vulnerabilities include microprocessors manufactured all the way back to 1995.

Today, while there are challenges with some patches that introduce processing slowness and compatibility issues, not patching is not an option. We learned our lessons with the 2017 NotPetya ransomware, where the compromise of only one unpatched system would begin infecting the rest of the adjacent network devices.

As of now, there are no known mass exploitations of these vulnerabilities, but it is not because the hackers discounted these issues as “unexploitable.” In the world of hackers, exploitation of a vulnerability is only part of the equation. First, you must have a reliable distribution vector for the malware. Can an exploit be distributed in an email, on malicious sites or through other means to facilitate infection?

After malware is allowed to execute its exploit, it must deploy a malicious payload – a set of instructions of what to do next. Sometimes, it is an instruction set to allow victim system interaction with a Command & Control server, or it is simply used to deploy ransomware. At this stage, there must be a lot of consideration to bypass typical security controls such as anti-virus, IPS and other safety tools.

Lastly, there must be a mass monetization component – for ransomware, it is a setup to ask for a ransom, receive payments, release the encryption keys; in other cases, to facilitate data identification and exfiltration. None of these tasks are simple for the hackers and they can rarely be accomplished by a single person. Thus, nearly a month after the world became aware of the microprocessor vulnerabilities, there is still no mass exploitation.

Today on the dark web, the most common relevant conversation is not about abuse of Meltdown or Spectre. The most entrepreneurial hackers want to know if there are similar vulnerabilities in microprocessors that are not discovered and patched. Hacker bounties for these zero-day bugs are astronomical, and for good reason. No matter how good your system security is, if there is a fundamental hardware flaw, almost nothing will stop hackers from exploiting it on any vulnerable target of their choice.

Meanwhile, as hackers are regrouping and fantasizing about the unexploited data caches, let’s keep diligently patching and hope that the next vulnerability or wave of exploitation will not be brutal.

Alex Holden, President and CISO, Hold Security, LLC

[ISACA Now Blog]
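The post above argues that patching is the only option; the practical follow-up question is how to verify that a given host is actually running with the mitigations in place. The following POSIX shell script is an added example and is not part of Alex Holden's post or of Hold Security's material. It assumes the Linux sysfs interface that exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (introduced in Linux 4.15 and backported to most distribution kernels); the sample directory it builds for the demonstration is constructed here and does not describe any real host.

```shell
#!/bin/sh
# Added example (not from the original post): report the Linux kernel's
# Meltdown/Spectre mitigation status.
#
# The kernel exposes one file per issue under
#   /sys/devices/system/cpu/vulnerabilities/      (Linux 4.15+ and backports)
# whose content is a line such as "Mitigation: PTI", "Not affected" or
# "Vulnerable" (optionally followed by detail).
#
# check_mitigations [DIR] prints "<issue>: <status>" for every file and
# returns 0 if nothing reports "Vulnerable", 1 if at least one issue does,
# and 2 if the directory is missing (kernel too old to report, or not Linux).
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no vulnerability status directory at $dir (kernel too old?)" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;   # anything else (Mitigation/Not affected) is fine
        esac
    done
    return $rc
}

# Constructed sample: a temporary directory mimicking a partially patched
# host (Meltdown and Spectre v1 mitigated, Spectre v2 still reported as
# vulnerable). This is made-up data for the demonstration, not a real host.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone use: "sh check_mitigations.sh --demo" runs against the
# constructed sample; with no argument it inspects the running host.
case "${1:-}" in
    --demo)
        sample=$(make_sample_dir)
        if check_mitigations "$sample"; then
            echo "all reported issues are mitigated"
        else
            echo "attention needed (exit status $?)"
        fi
        rm -rf "$sample"
        ;;
    *)
        if check_mitigations; then
            echo "all reported issues are mitigated"
        else
            echo "attention needed (exit status $?)"
        fi
        ;;
esac
```

The exit status makes the function usable from configuration-management or inventory tooling: a non-zero result on a fleet sweep flags hosts that still need the microcode, BIOS or kernel update the post describes, and status 2 separates "cannot tell" from "known vulnerable" so that legacy systems without the reporting interface are not silently counted as patched.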

Make 2018 the Year for Securing the Internet of Medical Things

News of medical device security flaws is increasingly in the news. Consider the announcement from the U.S. Food & Drug Administration last year about a flaw in one model of a St. Jude Medical implantable pacemaker. This was subsequently covered in more than 14,000 published reports to date. Thirty-four different individuals sent me a message soon after the news broke, asking if I had heard about the approximately 750,000 pacemakers of this specific model that had significant security vulnerabilities. Many reports about other types of wirelessly connected medical device flaws occurred prior to that, and more have been reported in the few months since.

Medical devices are integral parts of hospital networks
According to various estimates from research organizations – and healthcare CISOs I chatted with at the Detroit SecureWorld event last fall, where I delivered a keynote about medical devices – anywhere from 30-70% of medical devices within hospitals and clinics are “smart” – digitally connected to smartphones, the internet, clinic networks, directly to other devices, etc. These large numbers of medical devices attached to healthcare networks increase the possibilities for a wide range of security and privacy incidents to occur through exploiting their vulnerabilities – especially from and through the medical devices that have no legitimate security controls engineered within them.

Security and privacy incidents can occur due to various factors, such as:

  • Malicious outsider intent – hackers who use such things as ransomware, DDoS bots and other malware to shut down and disrupt network availability, exfiltrate and/or modify data, delete data, etc.
  • Malicious insider intent – inappropriately accessing patient data, using patient data for identity fraud and other crimes, selling patient data to criminals, etc.
  • Mistakes – input errors, programming errors, accidentally opening access to unauthorized individuals, etc.
  • Unintended consequences resulting from lack of planning – attaching smart medical devices to the network that the anti-malware software views as malicious, and subsequently shuts off, creating a denial of service as a result of data volume going beyond bandwidth capabilities, etc.
  • Lack of personnel information security and privacy awareness, which can lead to all the previous examples, in addition to knowingly taking actions that result in privacy breaches, data modification, patient harm, etc.

Security complexity requires multiple layers of controls
Some changes to medical devices can be done remotely. Some need to be done in proximity using near field communication (NFC) protocols. However, I’ve communicated with too many in the medical device industry who have expressed belief, or claimed, that using NFC is a 100% solution for security. When I asked upon three different occasions in 2017 about the security of their newly announced medical devices, representatives (IT security VPs/management) from each of three different large medical device manufacturers told me, “We use NFC, so security is not an issue.” When I explained that if medical devices attach via NFC to computers that are part of a network, then basically any other node on that network may be able to get to the medical device through that network connection, such as through control settings necessary for network functions, or through the use of discovery tools such as Shodan, each of the medical device representatives stopped communicating with me. Avoiding a security risk discussion does not solve the associated security risk.

Lack of planning and integrating with networks and systems can shut down medical devices, sometimes during operations. There have already been medical devices used for performing operations, such as heart procedures, that shut down as a result of an anti-virus scan. Or, the time a nurse tried charging her cellphone using the USB port in an anesthesia machine; it shut down the machine. I could provide a hundred additional examples. If medical device manufacturers do not improve the security engineering of their medical devices, security incidents will increase, along with privacy breaches and patient harm.

Medical device security concerns are justified
Healthcare providers (doctors, nurses and surgeons) are concerned. Rightly so. Flawed devices negatively impact their ability to assure patients they are providing them with safe devices that will help, and not potentially harm, them.

Healthcare information security practitioners (CISOs, CIOs, VPs, managers, etc.) are concerned. And for good reason. Security flaws within medical devices create vulnerabilities to data and functioning not only within the devices themselves, but also to the networks to which they are attached, and other devices on the networks.

Healthcare IT auditors are concerned. And they should be. Insufficient medical device security controls are compliance violations for growing numbers of regulations, laws and contractual requirements, in addition to facilities’ own posted privacy and security notices, which contain promises to which they are legally bound.

Healthcare regulators are increasingly concerned. Justifiably so. They are accountable for ensuring information security and privacy regulations are followed. When regulators see more reports of medical device security flaws and vulnerabilities, they are going to become more proactive to pressure medical device-makers to improve security controls, and to pressure device users to ensure devices are implemented with appropriate security.

Patients are concerned. Of course. Their lives could be at stake.

Dedicate 2018 to improving medical device security
As Data Privacy Day approaches this Sunday, here’s a recommendation for those in the medical device space (manufacturers, engineers, and vendors). Make it a goal in 2018 to successfully establish effective and practical information security controls within your devices. Stop telling hospitals and clinics that it is not practical for you to do this. It is actually more practical, and will significantly improve security protections for those using medical devices, to build the security controls into the devices from the start. This idea is supported by not only those in the information security profession, but also by the FDA and other regulators.

This will not let healthcare data security practitioners off the hook. Even if medical device creators improve the security of their devices, healthcare IT and security practitioners will still need to remain diligent to ensure the security of those devices in how they are connected to their networks, the control settings to access them, and the management of the data that comes from them. But improved device security will support these efforts.

Establish your baseline for current levels of medical device security now. Then, in December of this year, determine if and where there have been improvements, or if data security, privacy and patient protections have actually degraded. It all depends upon where medical device companies decide to place their priorities.

Rebecca Herold, President, SIMBUS, LLC and CEO, The Privacy Professor®

[ISACA Now Blog]

Encouraging Women in Tech is About a Better Future for All of Us

Why is ISACA’s SheLeadsTech program needed?

Why does the 2030 Agenda for Sustainable Development consider the technology gender gap to be an important topic to address, and who must be involved in the solutions?

Where are we now?
Thematic focus and indicators are useful to understand the current situation. Factors such as access to education and training, Internet usage and salary comparisons provide some helpful context.

In the Organization for Economic Co-operation and Development (OECD) area, only 3% of graduates in ICTs are women. This percentage could be balanced by job training and, in fact, OECD calculations show that 55% of women are engaged in on-the-job training.

The worldwide proportion of seats held by women in national parliaments grew from 13.3% in 2000 to 23.4% in 2017, according to UN data. On the other hand, in the business sector, less than one-third of senior- and middle-management positions were held by women in 2015.

According to The International Telecommunication Union (ITU), 53% of the world’s population was not using the Internet at the close of 2016. Women were more affected than men: global Internet penetration for men was 51% compared to 45% for women. Regional gender gaps were significant, ranging from 23% in Africa to 2% in the Americas.

In 2016, 84% of individuals in OECD countries were using the Internet, but this usage varied across OECD countries and among social groups. In 2016, Internet usage among women in OECD countries was significant (83%), but differences remained between young (96%) and elderly women (61%). In all OECD countries except the United States, the proportion of Internet users with tertiary education was above 90% in 2016, but there were wide differences among less educated people.

We all know women often earn significantly less than men, even after individual and required skills for the job are taken into consideration. But this is different for ICT skills. According to OECD calculations, returns on ICT tasks are higher for women than for men (and this was a surprise to me). We can see positive trends if we analyze the percentage change in hourly wages for a 10% increase in ICT task intensity. In fact, the difference between country percentage for female and male workers is positive or equal in a great proportion of analyzed countries.

Where do we want to be?
In 2015, the UN General Assembly adopted the 2030 Agenda for Sustainable Development as the agreed framework for international development. The agenda has a stand-alone goal on gender equality and the empowerment of women and girls (goal 5). There are gender equality targets in other goals, too. The 17 goals and 169 targets went into effect in 2016 and will guide the decisions taken over the next 15 years.

One of the paragraphs expresses where we want to be, or where we must be: “Realizing gender equality and the empowerment of women and girls will make a crucial contribution to progress across all the Goals and targets. The achievement of full human potential and of sustainable development is not possible if one half of humanity continues to be denied its full human rights and opportunities. Women and girls must enjoy equal access to quality education, economic resources and political participation as well as equal opportunities with men and boys for employment, leadership and decision-making at all levels . . . The systematic mainstreaming of a gender perspective in the implementation of the Agenda is crucial.”

How do we get there?
Education, participation and the use of technology are enablers for change.

The first step will be achieved if women’s full and effective participation and equal opportunities for leadership at all levels in all areas of life are ensured and reforms are undertaken to give women equal rights to economic aspects.

Education is a must to achieve participation. Education is a human right. If this right is not protected, discrimination against women and girls will not end.

ISACA’s SheLeadsTech program is committed to preparing current and upcoming female leaders for the digital future through thought training and skills development programs.

Governments and members of society in general must approve and defend legislation for the promotion of gender equality and the empowerment of all women and girls.

The business community can strengthen recruitment, salary and promotion policies to ensure women are not treated differently just because they are women. The business community also can support programs such as ISACA’s SheLeadsTech to further the mission and help build global alliances.

Finally, as women and men, we can:

  • Respect women in all situations and places, including social, business and familiar environments;
  • Educate our daughters and sons in the same respectful environment; and
  • Encourage female family members’ participation in ICT fields and in programs like ISACA’s SheLeadsTech, taking into consideration more than getting a better salary or managerial position. The real reason is more than this. It is all about a better future for all.

Editor’s note: An ISACA SheLeadsTech webinar on The Benefits of a Diverse Workforce will take place on 15 February.

Graciela Braga, Independent Advisor and Researcher, CGEIT, COBIT 5, CSX, CPA

[ISACA Now Blog]

Launching of Application Containers and Microservices

The Cloud Security Alliance is launching the Application Containers and Microservices (ACM) Working Group. The CSA ACM Working Group previously worked with the National Institute of Standards and Technology (NIST) ACM Working Group to provide research, guidance, and best practices for the secure use of application containers and microservices.

CSA is currently looking for volunteers interested in researching the security of application containers and microservices. The first meeting will be Jan 31 at 9am PT. Interested parties should register at https://cloudsecurityalliance.org/group/containerization/#_join.

Thank you in advance for your time and contributions.

[Cloud Security Alliance Research News]
