TechHQ: cyberattack (feed retrieved Sun, 25 Feb 2024 23:44:13 +0000)

Amazon’s Blink security cameras at their lowest prices – but how safe are they?
https://techhq.com/2024/02/are-amazon-blink-security-cameras-safe-or-can-they-be-hacked/ (Mon, 26 Feb 2024 09:30:09 +0000)

The post Amazon’s Blink security cameras at their lowest prices – but how safe are they? appeared first on TechHQ.

• Blink security cameras are currently available at extremely low prices, given their reputation.
• But Amazon cameras and video doorbells have a history of serious privacy concerns.
• Can Blink security cameras be hacked?

Amazon’s range of Blink home security cameras is at its all-time lowest prices, attracting new customers to these popular devices. The cameras were already cheaper than most of their competitors, and the latest price cuts take that affordability a good deal further.

With competition on the home security camera market stronger than ever before, these price reductions seem to be a ploy to attract new customers. You could be forgiven for thinking the cameras must be low quality given their low prices, but Blink security cameras are renowned for being reliable wireless security devices with excellent battery life.

There must be a catch…right? Well, according to some reports, there are growing concerns regarding the privacy of these (and other) cloud connected devices.

Blink security cameras also come as video doorbells, featuring HD video, motion detection, night vision, two-way audio and local storage, with an optional cloud storage subscription for those who want it. The Blink Home Monitor app lets homeowners keep track of everything when they’re away and, this being Amazon, the cameras work with Alexa. As Amazon says, “Blink and you’re home,” though we’re not sure what this slogan has to do with home security. According to some, a more appropriate slogan would be, “Blink and your data may be hijacked.”

Security vulnerabilities reported by some Blink users

There have been some reports of security issues with Blink cameras, but most were found and disclosed by security researchers and dealt with fairly quickly by Amazon through firmware updates.

These vulnerabilities, though, have raised concerns, with some worrying their information and video footage could be hijacked. Then again, this is a concern with most security cameras, particularly those connected to the cloud.

When we look into Amazon’s history of security cameras, it seems the concern is warranted. Ring, another brand of security camera acquired by Amazon in 2018, has experienced a wide range of security and privacy problems over the last few years. And it’s not just the owner’s privacy at stake.

In 2021, a UK court found that Jon Woodard’s Ring doorbell and cameras had breached data protection law and amounted to harassment of his neighbour, who said she felt under “continuous visual surveillance.” Reports at the time put his potential liability at up to £100,000. The lesson is that a camera which records beyond your own boundary makes you responsible for other people’s data, so never point it at your neighbour’s bedroom.

Amazon has also paid the US Federal Trade Commission (FTC) to settle complaints over Ring and Alexa privacy violations: $5.8 million over Ring and $25 million over Alexa’s handling of children’s voice recordings, more than $30 million in total.

The FTC alleged that Ring gave third-party contractors access to customer videos, compromising customer private information. It was also alleged that fundamental security measures were not implemented by Ring to protect a user’s information from online threats, such as “brute force” attacks. One Ring employee is said to have watched thousands of videos of over 81 female users, who were identified through cameras designated for use in private or intimate settings.

Amazon acquired Blink a few months before Ring (Blink at the end of 2017, Ring in early 2018), and although Blink says it “is not in the business of selling [its] customers’ personal information to others,” it does collect data on users (it’s run by Amazon, after all).

The main question is this – can Blink cameras be hacked? Theoretically, yes. The risk comes less from the cameras being wireless than from their being reachable over the internet: they talk to Amazon’s cloud, and the account that controls them can be logged into from anywhere. The good news is that there have been no official reports of Blink cameras being compromised in the wild – yet.

Blink security cameras – are they more secure than Ring was?

The fact that Blink cameras have a local storage option means users don’t have to store videos on the cloud, providing better privacy than many other cloud-based security systems.

Further protection comes from encryption. Blink cameras stream over wi-fi, and the link between the camera (or its sync module) and the home router is protected by WPA2, which encrypts that wireless hop with AES; that stops someone within radio range from simply sniffing the video. It is worth being clear about what WPA2 does not cover: it protects only the wireless hop, so footage sent on to Blink’s cloud, and anything stored there, depends on the encryption applied to that link and that storage rather than on the wi-fi password. Blink says that stored information is further protected with Advanced Encryption Standard (AES), too.

As we mentioned, though, Blink devices are not immune. In 2019, researchers at the cybersecurity firm Tenable examined the Blink XT2 camera and its sync module and found several vulnerabilities in the way the device talks to its cloud service and runs its own helper scripts.

Such flaws could give an attacker control of the camera, including its live audio feed. Not only that: because the sync module sits on the home network, Tenable found the flaws could also serve as a foothold from which to attack other smart devices on that network. Of the seven vulnerabilities, two were rated critical: CVE-2019-3984, a command injection flaw in the device’s handling of its cloud communication endpoints, and CVE-2019-3989, command injection in the device’s helper scripts. Amazon fixed them in a firmware update; the practical check for an owner is that the sync module and cameras are running current firmware.

How a Blink security camera can be hacked

There have been no official reports of Blink cameras being hacked over the internet but, like any IoT device, they can be attacked either remotely or locally.

Blink cameras – too good to be true?

When a camera is attacked locally, the attacker first has to get onto the wireless network it uses. A typical approach is to jam or deauthenticate the camera off the real network and stand up a rogue access point with the same name (an “evil twin”) in the hope that the camera or the owner’s phone reconnects to it, or to exploit a weakness in the router or the camera itself from inside the LAN. Because all of this requires being within radio range, it is rare.

Remote compromise is the more common route for devices like Blink cameras, and it rarely involves the camera itself. In “credential stuffing,” an attacker takes email address and password pairs leaked in breaches of other services and tries them, automatically and at scale, against the Blink login. Wherever the owner has reused a password, the attacker simply signs in as them: they can watch the live feed and stored clips without the owner’s knowledge, and may change the camera’s settings or the account password to lock the owner out. A password unique to the account and a second factor at login defeat this, as does an alert when the account is accessed from a new device or location.
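As an added example (not code from Blink, Amazon or TechHQ), here is the detection logic a practitioner would run over authentication logs to spot the stuffing pattern described above: one source address trying many distinct accounts in a short window with mostly failures, which looks nothing like a legitimate user mistyping one password. The log format, addresses and accounts are constructed for the example; point `parse_line()` at your own identity-provider or application logs.

```python
"""Spot credential stuffing in authentication logs.

Added example (not Blink's or Amazon's code). The log format, the IP
addresses and the accounts below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-02-20T10:00:01 203.0.113.7 alice@example.com FAIL
2024-02-20T10:00:02 203.0.113.7 bob@example.com FAIL
2024-02-20T10:00:02 203.0.113.7 carol@example.com FAIL
2024-02-20T10:00:03 203.0.113.7 dave@example.com SUCCESS
2024-02-20T10:00:04 203.0.113.7 erin@example.com FAIL
2024-02-20T10:00:05 203.0.113.7 frank@example.com FAIL
2024-02-20T10:00:09 198.51.100.4 grace@example.com FAIL
2024-02-20T10:00:15 198.51.100.4 grace@example.com FAIL
2024-02-20T10:00:30 198.51.100.4 grace@example.com SUCCESS
"""


def parse_line(line):
    """Turn one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def _events(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_accounts=5, max_success_ratio=0.5):
    """Return {ip: {"accounts", "attempts", "successes"}} for every source IP
    that tried at least `min_accounts` distinct usernames inside `window`
    with a success rate at or below `max_success_ratio`.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(_events(log_text)):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_accounts and successes / len(chunk) <= max_success_ratio:
                best = findings.get(ip)
                # keep the widest spread of accounts seen for this source
                if best is None or len(users) > best["accounts"]:
                    findings[ip] = {"accounts": len(users),
                                    "attempts": len(chunk),
                                    "successes": successes}
    return findings


def compromised_accounts(log_text, **kwargs):
    """Usernames that logged in successfully from a flagged source: these are
    the accounts whose reused password worked and need a reset plus a second
    factor, not just a warning email."""
    flagged = detect_stuffing(log_text, **kwargs)
    return {user for _, ip, user, ok in _events(log_text) if ok and ip in flagged}


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
    print("reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

On the constructed sample, the first source is flagged (six accounts, six attempts, one success) while the second, one user fumbling a password, is not; the single successful account from the flagged source is the one to reset. The thresholds are starting points: tune `min_accounts` and `window` to your own login volume before alerting on them.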

Blink cameras remain one of the most popular security devices out there, and Amazon’s recent price reductions may be a move to attract new customers, and move on from worries and threats of hacking.

Even more cyberattacks on hospitals!
https://techhq.com/2024/01/cyberattacks-on-hospitals-have-long-lasting-effects/ (Tue, 23 Jan 2024 15:00:44 +0000)

The post Even more cyberattacks on hospitals! appeared first on TechHQ.

• Cyberattacks on hospitals are on the rise.
• A Thanksgiving attack included a cancer center.
• Cyberattacks on hospitals are relatively easy, due to a mixture of legacy tech and staggered digital transformation.

Cyberattacks on hospitals have become an increased threat in recent years. Although the technology used in operating theaters is top of the range and carefully checked, over on the admin side, a combination of rushed digital transformation and legacy software leaves a huge attack surface wide open.

Happy Thanksgiving

On the morning of Thanksgiving 2023, Ardent Health Services took its services offline following a ransomware attack. That wasn’t the only cyberattack on a hospital: the Fred Hutchinson Cancer Center was also targeted by cybercriminals.

Although the attack on Ardent had instantaneous effect, the cyberattack on Fred Hutchinson didn’t immediately have clear implications. Teams noticed some “unauthorized activity” on “limited parts” of the healthcare system’s clinical network, according to Christina VerHeul, the organization’s associate vice president of communications.

In the immediate aftermath, VerHeul said “The reality is, we don’t know to what extent information has been obtained, nor any of the details of what that information is.”

The investigation ran on into this year and now the effects of the cyberattack on the hospital are being felt. The personal information of roughly 1 million patients was leaked, leading to email threats from hackers and escalating menacing messages.

Patients are receiving “swatting” threats and spam emails warning that unless a fee is paid, patients’ names, Social Security and phone numbers, medical history, lab results and insurance history will be sold to data brokers and on black markets.

Steve Bernd, a spokesperson for FBI Seattle, said last week there’s been no indication of any criminal swatting events, which occur when a bogus claim is made to law enforcement so that emergency response officers, like SWAT teams, show up at a person’s home.

Fred Hutchinson patient JM has been inundated with spam emails since the breach. In an email to the Seattle Times, he credits Fred Hutchinson with saving his life after his diagnosis of follicular lymphoma over 10 years ago.

How low can you go? Stealing data from cancer patients low?

“I have absolutely nothing bad to say about the facility and the providers in it,” JM wrote. “But this cyberhack has got me way spooked.”

That being said, the center’s communication efforts haven’t been up to scratch. JM hasn’t received direct responses to his requests for information about the data leak.

Since the hack, Fred Hutchinson has sent notifications through MyChart to patients, posted updates on its online FAQ page, and mailed letters out to patients, said VerHeul. Apparently, investigations have revealed the breach accessed patient information between November 19th and 25th.

Cyberattacks on hospitals add stress to recovering patients

Cyberattacks on hospitals take different forms: when Ardent was hit, hospitals had to close to emergency patients, putting lives at risk. In the case of the Fred Hutchinson Center, all clinics remained open following the attack but patients have been the direct targets of bad actors.

The cyberattack primarily impacted clinical data of former and current Fred Hutchinson patients, although the information of some UW Medicine patients was also leaked, according to hospital leaders.

While many details about the breach are still under investigation, Fred Hutchinson has said it believes hackers “exploited a vulnerability” in Citrix software that gave them access to its network.

The weakness, known as “Citrix Bleed” (CVE-2023-4966), sits in Citrix NetScaler ADC and NetScaler Gateway, the remote-access appliances many organizations place in front of their networks. Federal security teams say it allows threat actors to bypass password requirements and multifactor authentication: the bug leaks session tokens from the appliance’s memory, and a valid token lets an attacker take over a session a legitimate user has already authenticated, so no password or second factor is ever challenged. That also means patching is not the end of the job: sessions established before the patch remain usable until they are terminated, which is why the guidance for this bug includes killing all active sessions and then looking for logins that continued after the fix.
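To make concrete why a leaked session token defeats both the password and the second factor, and why revoking sessions is part of the fix, here is an added example in Python that models the general failure mode. It is not Citrix code and does not reproduce the NetScaler bug; the `SessionStore` class, its methods and the sample user are this example’s own constructions.

```python
"""Why a stolen session token bypasses passwords and MFA, and why patching
alone does not evict an intruder who already holds one.

Added example modelling the general failure mode; not Citrix code and not a
reproduction of the NetScaler bug. SessionStore, login(), access() and the
sample user below are this example's own constructions.
"""
import hmac
import secrets

# Constructed demo credential store. A real system verifies a password hash
# and a TOTP window; plaintext is used here only to keep the model short.
USERS = {"nurse1": ("correct horse battery", "123456")}


class SessionStore:
    """Issues bearer tokens after a full password + OTP login and, optionally,
    binds each token to a fingerprint of the client that logged in."""

    def __init__(self, bind_client=False):
        self.bind_client = bind_client
        self._sessions = {}        # token -> (user, client_fp)

    def login(self, user, password, otp, client_fp):
        creds = USERS.get(user)
        # Password and second factor are checked once, here. Nothing below
        # ever asks for them again: the token alone is the credential.
        if creds is None or not (hmac.compare_digest(creds[0], password)
                                 and hmac.compare_digest(creds[1], otp)):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = (user, client_fp)
        return token

    def access(self, token, client_fp):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound_fp = entry
        # With binding on, a token replayed from a different client is refused
        # even though the token itself is valid.
        if self.bind_client and not hmac.compare_digest(bound_fp, client_fp):
            return None
        return user

    def revoke_all(self):
        """Terminate every live session: the step that actually evicts an
        attacker who captured tokens before the leak was patched."""
        count = len(self._sessions)
        self._sessions.clear()
        return count


def demo(bind_client):
    """Walk through login, token replay by an attacker, and mass revocation."""
    store = SessionStore(bind_client=bind_client)
    bad = store.login("nurse1", "wrong password", "123456", "fp-workstation")
    token = store.login("nurse1", "correct horse battery", "123456", "fp-workstation")
    legit = store.access(token, "fp-workstation")
    # The attacker never saw the password or the OTP, only the token.
    replay = store.access(token, "fp-attacker-box")
    revoked = store.revoke_all()
    after = store.access(token, "fp-workstation")
    return {"bad_password": bad, "legit": legit, "replay": replay,
            "revoked": revoked, "after_revoke": after}


if __name__ == "__main__":
    print("plain bearer token:", demo(bind_client=False))
    print("client-bound token:", demo(bind_client=True))
```

With a plain bearer token the replay succeeds as the nurse; binding the session to a client fingerprint turns that replay into a refusal, and `revoke_all()` is what finally invalidates tokens that were captured before the fix. Binding is a mitigation rather than a cure (an attacker who can also spoof the fingerprint gets through), which is why session termination after patching is the non-negotiable step.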

Cybersecurity is rarely taken seriously in sectors that don’t consider themselves to be at risk; sensitive personal data managed by hospital systems should be treated more carefully, and that means investing.

UK at high risk of catastrophic cyberattack
https://techhq.com/2023/12/why-does-house-of-commons-committee-report-say-uk-at-catastrophic-cyber-risk/ (Fri, 15 Dec 2023 12:30:48 +0000)

The post UK at high risk of catastrophic cyberattack appeared first on TechHQ.

• House of Commons Committee declares UK at “high risk of catastrophic cyberattack.”
• Fractured legacy technology infrastructure and an evolving cyberthreat pinpointed as urgent issues.
• The issue will be dwarfed by the UK’s economic woes at the next election.

“Poor planning and a lack of investment.” According to the more acid-tongued political observers in the UK, that’s a judgment that could be applied to any number of areas of any current government. But there’s a difference between the judgment of media observers and the pronouncements of the UK’s Joint Committee on the National Security Strategy.

The Committee, comprised of members of both the UK’s elected chamber (House of Commons) and its appointed chamber (House of Lords), has drawn attention to a paucity of both government funding and strategic planning for the cyber-safety of the nation, saying the country’s critical national infrastructure is “at high risk of a catastrophic cyberattack.”

Few in the House of Commons dare to use the word “catastrophic” without proof to back up the term. Doing so tends to be thought frivolous, and can end the career of any Chicken Little Member of Parliament (MP) who cries that the sky is falling in when it turns out not to be. It should be stated, however, that Committee pronouncements are commonly accepted to be a conduit through which more partisan language and thought might flow. The two chambers of the UK Parliament are traditionally more reticent.

The House of Commons Joint Committee on National Security Strategy has spoken.

The proof behind the Committee’s assertion is set out in its report. It acknowledges three significant factors that make the UK’s critical national infrastructure especially vulnerable, leaving a fourth unspoken but the province of observer gossip.

Vulnerability #1: fractured legacy technological layers.

Technology in the UK’s critical national infrastructure (CNI) is not only dependent on legacy equipment, but on layers of legacy equipment, some of which are not interoperable across departments, geographical sites or timeframes. That’s down to a lack of consistent funding and determination over time, meaning a large problem has been poorly addressed with piecemeal solutions.

The report explains that:

“• In the context of ‘ever-increasing digitalization of the UK’s CNI operations,’ many CNI operators are still operating outdated legacy systems. According to Thales, it is ‘not uncommon’ to find aging systems within CNI organizations with a long operational life, which are ‘not routinely updated, monitored or assessed.’ The increase in hybrid and remote working also brings additional risks.

  • Legacy operational technology (OT) poses a particular challenge: digital transformation is resulting in these assets, which were ‘never designed with smart functionality in mind,’ being ‘overlayed with IT and hyperconnectivity.’ OT systems are ‘much more likely to include components that are 20-30 years old and/or use older software that is less secure and no longer supported.’

Thales is seeing ‘increased [threat actor] activity across all of the critical national infrastructure sectors,’ with a move towards attacks on certain types of OT. Reliance on digital systems also means that attacks against operators’ wider IT systems can force companies to shut down their OT—as in the case of the US Colonial Pipeline attack, in which the affected systems were responsible for corporate functions such as billing and accounting.’”

It is worth noting, however, that Thales is a long-standing government contractor tasked with both physical and cyber defense provision, so it will certainly have monetary skin in this game.

As will surprise no one, the UK’s National Health Service (NHS) – a single nationwide healthcare provider for everything from antibiotics to brain surgery and ER-based trauma – was a source of particular despondency when it came to legacy technology vulnerability.

“• The NHS remains particularly vulnerable: healthcare is a ‘large and growing target across Europe,’ and the NHS operates a ‘vast estate of legacy infrastructure,’ including ‘IT systems that are out of support or have reached the end of their lifecycle.’ This puts it in a ‘particularly difficult position to protect itself from cyberattacks,’ despite the fact that many critical medical devices and equipment are now connected to the internet. Many hospitals lack the capacity to undertake even ‘simple upgrades’ as a result of crumbling IT services and a lack of investment.’”

The UK’s critical national infrastructure is at least partially decades out of date and out of warranty.

Vulnerability #2: the evolving nature of the threat.

While ransomware has been a significant threat to UK critical infrastructure for some time, the Committee’s report dwelled at length on the evolving nature of the cyberthreats the UK faces, especially as that evolution is happening faster than the technology underpinning critical infrastructure can practically be refreshed.

“Witnesses were almost unified on the changing nature of the threat, describing the evolution of a mature and complex ecosystem with a ‘cell-like architecture, akin to other forms of serious organised crime.’ Key developments include:

  • The growth in ransomware-as-a-service (RaaS), in which an efficient division of labour has evolved. Typically, ‘initial access brokers’ will achieve the initial hack and sell the access onto ‘affiliates;’ ransomware operators will also sell a malware source code to affiliates (and might also negotiate with victims); and affiliates will then pay a service fee to ransomware operators for every collected ransom. These ‘groups’ of actors are connected in quite loose ways, making attribution of responsibility for attacks more difficult. This efficiency of specialization has increased the tempo of ransomware operations. It has also lowered the cost barrier to entry into ransomware, because less sophisticated criminal groups (affiliates) can purchase the required technology to conduct more advanced attacks. One witness described the typical threat actor now as ‘quicker, more agile and brazen.’
  • Innovations in marketing, recruitment and communication: RaaS operatives are known to offer their services on a monthly subscription basis with optional extras, and have actively recruited affiliates. Groups operate on closed chatrooms to communicate with one another, and some even act like legitimate enterprises, establishing HR functions to coordinate their annual leave.
  • A shift towards larger, higher-value targets (sometimes described as ‘big game hunting’), with threat actors developing more ‘sophisticated weaponry’ and achieving much larger ransom payouts.
  • An increase in double or triple extortion methods, in which ransom demands are linked to threats to publish sensitive data online; in these cases, the data may be “exfiltrated” (removed) rather than encrypted. Organizations are thus held to ransom on the grounds of confidentiality (release of sensitive data), and not just availability (access to files). In triple extortion, the victim’s customers or suppliers may be threatened with the release of sensitive data if they do not pay a further ransom; a “premium subscription” might also be on sale—to the victim and others—in exchange for exclusive rights over the data.”

Vulnerability #3: geopolitics

The report, authored by members of both the House of Commons and the House of Lords, from across the political spectrum – cites external geopolitics as a factor in the UK’s particular vulnerability.

“The National Cyber Security Centre’s (NCSC’s) 2022 Annual Review noted that most of the ransomware groups targeting the UK are ‘based in and around Russia,’ benefiting from ‘the tacit consent of the Russian State’;

  • The NCSC’s Annual Review 2023 raised the same concerns but placed emphasis on the development of ‘a new class of cyber-adversary’ who are often ‘sympathetic to Russia’s further invasion of Ukraine and are ideologically, rather than financially, motivated.’
  • In its written evidence to this inquiry, the Government stated with near certainty that ‘the deployment of the highest impact malware (including ransomware) affecting the UK remains concentrated mostly in Russia;’ and
  • DXC Technology, a US IT company, told us that, of the ten most prolific and dangerous ransomware strains identified by the NCSC’s Ransomware Threat Assessment Model, eight are ‘likely based in Russia.’

According to RUSI, some of these groups are experienced in this evolving field of offending: in many cases, the same Russian actors were conducting ‘malware and botnet operations’ against UK financial institutions from 2010 onwards, and have subsequently ‘pivoted their business model’ towards ransomware operations. The lines between state activity and criminal groups are also blurred.

Prior to Putin’s full-scale 2022 invasion of Ukraine, it harbored an element of the ransomware threat: Jamie MacColl from RUSI commented that the ransomware ecosystem contained ‘multiple nationalities from former Soviet Union countries, including Ukraine.’ The NCA told us that it had worked with the Ukrainian Government in the past to investigate and arrest some of those offenders, but that the Ukrainian attackers had subsequently either gone to Russia or had ‘turned to attacking Russia,’ rather than the West. The impact of the war on cyberthreat levels overall appears mixed: a reported wave of cyberattacks against Ukraine encountered strong defences, and some downward global trends have been attributed to the war distracting Russian aggressors away from conducting ransomware attacks. It has also caused splits within ransomware groups, with members coming out for and against the Russian Government. This splintering may have made such groups even harder to disrupt.”

The intensification of pro-Russian hacking has an effect on the UK’s vulnerability.

The unspoken vulnerability.

While the report runs to a handful of pages on specific actions that should be taken to address the parlous state of the UK’s cybersecurity in critical national infrastructure, the unspoken vulnerability remains visible in the report’s reluctance to say who is responsible for its two central weaknesses: a lack of funding, and a lack of planning.

To deliver on either of those things, a government has to be willing and able to focus on the widespread cyberthreat on the nation’s critical national infrastructure in the long term.

A revolving door.

The government of the UK has been a revolving door: five Prime Ministers since 2010, four of them in the last seven years.

The UK has had what is technically one government since 2010. During that time however, it has had no fewer than five Prime Ministers, all from the Conservative party. All but the first (David Cameron) have campaigned, won, and governed with a single central political goal – making a success out of the 2016 Brexit vote, which divorced the UK from the rest of the EU.

Until recently, delivering a successful post-Brexit reality has been the main concern of both the Home Office and the Foreign and Commonwealth Office, leaving little in the coffers for any fundamental revamp of cybersecurity across the UK’s critical national infrastructure.

Add the hugely negative economic impact of Brexit (a sudden lack of equal access to the UK’s closest economies, labor, and law) and you have a situation that has taken up the vast amount of government time, focus, and money.

It has also been a period of extraordinary upheaval – one of the Prime Ministers (Liz Truss) lasted just 44 days, having managed to cost the UK economy £30 bn single-handedly in little more than a day.

Obviously, there was the Covid pandemic, and the economic time-bomb of several extended national furloughs. A Parliamentary enquiry was ongoing, even as the Committee’s findings were hitting House of Commons printers, over the extent to which the Covid response by the UK government was mishandled.

Prime Minister Boris Johnson resigned in 2022 after a wave of ministerial resignations, and left Parliament in 2023 after the Privileges Committee found he had knowingly misled the House of Commons. Inflation soared, creating a cost of living crisis and forcing whole groups of workers to strike for decent wages, including several groups in the NHS.

The report warns amelioration could cost the country “tens of billions.” The UK needs a government that’s stable and focused on solving the cyberthreat problem long term, rather than delivering piecemeal solutions to parts of the infrastructure.

The cyberthreat question may have snuck up on the government over time – but the UK government has also never been stable enough in 13 years to tackle it effectively.

In the next 12 months, there will be a general election in the UK. The cybersecurity of the country’s critical national infrastructure is unlikely to be a front-line campaign issue in a country with underfunded schools, hospitals, and infrastructure, and an ailing economy where the gulf between rich and poor is among the widest of the wealthy democracies.

It is to be hoped though that reports like that of the Joint Committee can at least make CNI cybersecurity a tangential priority of whichever party forms the next working majority in the House of Commons, and the country’s next government.

NB – this was five years ago, after the WannaCry attack. Nothing appears to have improved since then.

Healthcare cybersecurity – holistic medicine for healthcare systems?
https://techhq.com/2023/08/healthcare-cybersecurity-holistic-medicine-for-healthcare-systems/ (Thu, 31 Aug 2023 11:34:45 +0000)

The post Healthcare cybersecurity – holistic medicine for healthcare systems? appeared first on TechHQ.

• Healthcare cybersecurity is incredibly diverse and complex.
• A holistic approach is required to deliver consistent progress.
• Above all, comprehensive risk assessments are needed to give you your priorities for change.

Healthcare is increasingly suffering from cybersecurity threats, and the slow pace of technological upgrading in healthcare, its legacy systems, and a frequent human reluctance to spend the necessary cash on protecting the many systems that fit together to make healthcare work all make those threats worse.

In Part 1 of this article, we spoke with Deryck Mitchelson, Field CISO at Check Point and former CIO within the UK’s NHS Scotland, about why organizations so often describe cybersecurity as a top-tier priority in healthcare, yet when it comes to spending actual investment money, the funding is never found.

Making the case for healthcare cybersecurity is tricky when front line staff are striking.

Towards the end of Part 1, we touched on a delicate subject, especially in the UK, where over the course of 2023 nurses, paramedics and “junior” doctors (any doctor below consultant level) have all gone on strike to fight for decent wages during a cost of living crisis driven by soaring inflation and more than a dozen consecutive interest-rate rises.

The subject of funding priorities.

“Fund nurses, not analysts!”

THQ:

It’s always going to be awkward in a socialized medical setting, isn’t it – fighting for funding of technical or cyber-projects when front line medical staff are chronically underpaid?

DM:

Definitely. When you’re trying to get investment cases, it’s always going to be difficult, because I’ve never seen a headline in any national newspaper that says “Such-and-Such A Trust Has Invested More In Its Cyber-Program!” or “Trust Gets Two New SOC Analysts To Spot Security Breaches Shocker!”

THQ:

We’ve read sexier headlines, it’s true.

DM:

Whereas “Another 100 nurses, and another five doctors,” that’s good PR, and good front line investment. People love good affecting headlines and soundbites, and healthcare trusts are no different. Besides, headlines and soundbites drive a lot of the investment that we see in organizations.

That’s why what we said in Part 1 matters. You have to make investment cases for healthcare cybersecurity in business terms, and in clinical terms, because boards understand those.

THQ:

Ironically enough, “Local Blood Bank Hacked, Supplies Ruined” kind of is a sexy headline, but it’s an obviously negative one.

DM:

Yeah. But ideally, you don’t always want to scare boards. You can talk about how healthcare cybersecurity investment can transform your health pathways and get people home faster, how some of the transformational ways we can use protected data and systems can actually allow for earlier diagnosis.

You can dangle things like the potential of AI to do some predictive diagnosis – if it’s protected – and so link clinical outcomes and positive business cases to the need for funding for cybersecurity in your healthcare setting.

You can’t have any of those positive outcomes without cybersecurity relentlessly underpinning your healthcare facility.

Healthcare cybersecurity – the broken record?

Right now in the UK, we tend to keep throwing more and more money into healthcare, and most of that money goes into frontline staffing. That tends to be the metric that we use, because there’s a belief that that really helps to drive down things like waiting lists.

And it does, but I think healthcare needs a bolder reset – from education all the way up, so that we really understand what good physical and mental health looks like.

Then, hopefully, you’d need to invest a lot less in healthcare remediation and treatment paths for people down the road.

THQ:

The irony of course is that our examples of a sexy negative healthcare headline – where there’s been a massive hack and a hospital is crippled, with all the patient care consequences that entails – would almost inevitably come with a long list of questions about why cybersecurity in the hospital was “allowed” to get so lax.

DM:

It’s like a broken record. You get a breach, hospitals are paralyzed, and then the PR people come out and say “It’s fine, we’re on top of this, we take your security really seriously. This is one of our top priorities.”

And then they say “No patient data has been breached.”

And then they say “There might be a small amount of patient data breached.”

And then “There’s actually quite a lot of patient data breached. But it’s data that was in the public domain anyway…”

We rarely learn from that cycle of breaches. We get short term investment after one, and then, five to ten years later, we’re back at the same stage we were at before, because the investment and the energy runs out.

Healthcare cybersecurity – a preventative prescription.

THQ:

So what can healthcare organizations actually do to protect themselves, and the staff, and the systems, and the patients from the potential of a cybersecurity compromise?

DM:

The first thing is to start thinking about things tactically.

That’s a big problem within healthcare, you know? Stop looking at things and saying “If we buy that product, that’s going to solve our problems!”

Stop.

Think.

What you need to do is build a robust cybersecurity program that’s owned by the board, so that you get the strategy right.

The strategy should underpin everything, and focus on actually protecting healthcare outcomes from clinical risk.

The need for robust healthcare cybersecurity is understood by some.

Innovative approaches welcome!

Build up a robust strategy, get used to thinking that way, rather than in the short term, “Buy It Now” way that healthcare cybersecurity has traditionally been forced to adopt.

Then, start looking within that strategy with an eye to risk assessments, to understand the areas that look like they’ll actually make the biggest difference in the shortest time.

THQ:

Clinically advantageous, but also sexy headlines?

DM:

You could say that. The thing is, those areas could be small things. It could be to do with the classification or categorization of data. It could be that some small, non-security things are currently not very good – but they’re easy to fix.

It could be things to do with the roles and privileges – identity and access management can be a surprisingly big problem with healthcare if, say, nobody removes someone’s access privileges when they leave. These are basic things – remote access to areas of the facility – when somebody comes in to service equipment, where do they go? Do they get access to a segmented area, or do they get access to everything? You’re only going to find out through a risk assessment. That’s what lets you understand where you have the biggest concerns, issues, and weaknesses within your systems.

Healthcare cybersecurity – the state of the system.

THQ:

A kind of State of the System report, so you can generate a priorities list of things to tackle.

DM:

Exactly. You can’t tackle problems without a risk assessment to show you they’re problems – and how big or urgent they are compared to other problems.

The advantage of that type of approach is that it doesn’t just look at your perimeter controls, your network security. It also looks at your endpoints, your mobiles, your scanners, your IoT, your email, your cloud, your development code, your supply chain – it all needs to be looked at holistically.

Medical devices and IoT devices are all covered by healthcare cybersecurity.

How safe are your medical IoT devices? You’ll never know unless you run a risk assessment.

If you don’t look at it holistically – the nature of healthcare is so complex, with a myriad of legacy systems, brand new systems, and the profusion of IoT and medical devices – you’re never going to see the wood for the trees.

Plus, if you look at the system holistically, as part of a program of improvement, you can continually risk assess and see whether or not you’re getting better. You can only judge that kind of result if you have that holistic view and you have a solid risk assessment going into the program, because that’s what gives you your baseline metrics.

Are you able to mature your cybersecurity posture? Can you start to do exercises that actually demonstrate that you’ve got fewer vulnerabilities than you had before? You can only do those things with that holistic approach and a risk assessment.

That’s where they need to start.

 

In Part 3 of this article, we’ll dive even deeper into the structure of healthcare cybersecurity, and its current vulnerabilities, to try to find additional remedies for the issues that could lead to major healthcare data breaches or ransomware attacks.

Time and healthcare – much, much more complex than people imagine. Which means you need a holistic approach to both if you’re ever going to get anywhere.

The post Healthcare cybersecurity – holistic medicine for healthcare systems? appeared first on TechHQ.

Healthcare cybersecurity – show us the money! https://techhq.com/2023/08/why-will-nobody-invest-in-heathcare-cybersecurity/ Tue, 29 Aug 2023 11:21:07 +0000 https://techhq.com/?p=227621


The post Healthcare cybersecurity – show us the money! appeared first on TechHQ.


• The importance of healthcare cybersecurity is often downplayed or misunderstood.
• To get adequate funding, it’s important to frame healthcare cybersecurity conversations in terms of clinical risk.
• Healthcare organizations have incredibly flat cybersecurity surfaces.

Healthcare services are increasingly vulnerable to cyberattacks. New players, new – or at least newly tweaked – attack vectors, and new focus on always-present vulnerabilities are breaking down any ethical resistance on the part of bad actors to targeting places meant to be refuges and healing hubs for people who are not at their physical best.

If there’s a Hell, naturally, the bad actors who target healthcare facilities with cybersecurity vulnerabilities will undoubtedly roast there for eternity. But for organizations that take no comfort in the idea of delayed and metaphysical punishment, it’s important to stop the machinations of these wastes of skin in the here and now.

We re-connected with Deryck Mitchelson, Field CISO at Check Point Research, a cybersecurity specialist organization with many irons in the fire when it comes to stopping such cyberattacks on critical national infrastructure.

We spoke to Deryck specifically because, as well as being a cybersecurity expert, he has a history of working for the UK’s NHS Scotland, and so has both a broad and a particular specialism in the field of healthcare cybersecurity.

We asked him why people were still, in 2023, targeting healthcare organizations.

THQ:

We’ve talked before about why the UK’s NHS is especially vulnerable to cyberattack, but it’s becoming a bigger thing in the US as well now. Where do we think healthcare cybersecurity sits on the urgency and vulnerability scales in terms of, for instance, governmental or organizational investment? In order of authorities’ spending priorities, where does protecting those critical infrastructures from cyberattack come?

Healthcare cybersecurity – a top priority?

DM:

If you ask anybody, they’ll tell you it’s a top three priority. Absolutely. Anyone senior in government, anyone senior in healthcare, they’ll tell you it’s a top three priority.

But it’s a check-box priority, not a real priority. The reason they say it’s a priority is because then it sits on the risk register. That means that they can talk to their boards and say, “Yep, somebody owns this as a priority.” However, if anybody then goes on to say we need a substantial uplift in investment for a multi-year healthcare cybersecurity program in order to do such and such, they don’t find the money.

That means it’s not a priority at all. Obviously, you always find the money for things that are real priorities.

THQ:

That’s more or less how you define real priorities, isn’t it? Things on which we must and do spend actual money?

DM:

Exactly. Healthcare cybersecurity is one of the few things that sits at the top of the risk register as a priority that doesn’t properly get funded.

So yeah – if it’s not getting properly funded, if it’s not getting the level of investment it needs, how can it actually be that level of priority? Because other things that sit around it, such as replacing equipment that’s at the end of its life, that gets investment money.

When they’re looking at filling any staff shortages, or changing the rotas, or doing any capital investment programs, those things get investment.

It’s a difficult one to complain about – I do know that those things provide frontline healthcare. But when I was in my role as a CIO, digital and cybersecurity were a big part of providing frontline care. You couldn’t provide frontline care without the digital and the cyber-services that enabled people to do so. You don’t get one without the other.

And that’s part of the problem – healthcare cybersecurity sits on risk registers, but it no longer gets looked at as having the same importance as frontline healthcare priorities.

Can you have modern healthcare without cybersecurity?

THQ:

You’d think that was obvious, wouldn’t you? You can have the smartest healthcare facility, but if your cybersecurity systems are vulnerable, you’re not able to provide proper, reliable care. It kind of takes you down the line almost to field hospital levels of treatment. Healthcare facilities have to be safe environments for both patients and their data – which is vital, day in, day out, to the business of providing healthcare.

Without healthcare cybersecurity, you're more or less left doing field medicine.

M.A.S.H. – modern healthcare without cybersecurity.

DM:

Correct. Absolutely. Do you really want to climb into an MRI scanner if you don’t know it’s safe and patched? You’re climbing into a device that’s shooting you with low levels of radiation. If you’re really paranoid, and you start to think about it, and you know these devices aren’t getting the patches and the protection they need, then you’re going to be wary about getting into the machine.

You don’t see people debating these things very often, but I think they should do.

THQ:

We spoke to a company a little while ago that made exactly that point – things like MRI scanners and other medical devices act as fundamental weak points in the system, because they don’t have the sort of patching regimes that a) you’d think they would, and b) other, easier equipment in the system has.

DM:

Many of those devices are often running old versions of Windows. So most people wouldn’t even know where to start patching them. They’ve been bought, the manufacturers don’t have patching regimes, they don’t think of putting endpoints on them, because who thinks of putting anti-malware software on an MRI scanner? So it doesn’t happen.

They get left alone, but they’re on the network, particularly the more modern ones. They create hundreds of gigabytes of data on every single scan, and they’re on the network, they don’t sit siloed within the hospitals.

Everyone who has worked in a hospital or healthcare facility knows that the networks don’t have the greatest levels of segmentation and separation between IT systems, OT systems, medical systems. A lot of the networks are very flat.

The public – healthcare cybersecurity threat #1?

And then of course, 80% of hospitals are open to the public. The public walks anywhere in a hospital – what’s to stop them just sitting down where they can find the nearest ethernet port and plugging something in? Most hospitals aren’t running any kind of software that will actually find that device quickly and quarantine it. That is a flat network.

Hospitals provide healthcare. The basis of providing a point of care is that it’s all done on trust. Nobody has to show ID to get treatment (at least not in the UK). You don’t need your passport and driving license – being ill or needing help is your passport to care. Perhaps there’s a need to change to a slightly more secure and restricted model.

Healthcare cybersecurity includes patching your devices.

Medical devices – lifesavers, but outliers from a cybersecurity point of view.

THQ:

Let’s take a step back. You say it’s a top three priority that never gets the funding it needs. Why does it never get the funding it needs? What makes it different in that respect? Why doesn’t anybody want to actually show us the money?!

DM:

There are a few reasons.

I don’t think the professionals whose job it is to demand the money do a great job of articulating the clinical risk that they’re managing. And boards and executives understand clinical risk. As far as healthcare goes, if they try and articulate this as a cyber-risk – “This is what it means if we get hit with ransomware or get a piece of malware in our system, or get some data that’s been exfiltrated out of the system…” the board struggles to understand what that actually means as far as impact is concerned.

Nobody understands healthcare cybersecurity cases.

Healthcare cybersecurity protects blood labs.

Nice blood lab you have there. Be a shame if anything were to…happen to it…

I would always start with a clinical risk scenario. “If this happens, it probably means that some of the most critical systems are vulnerable, and you might have to take them offline to protect them. So things like lab systems, if they’re doing analysis of bloods, for example. You take those offline and that’s a lot of bloodwork not done, a lot of blood quietly coagulating into uselessness, a lot of people you then have to call and re-book, and create chains of delay to clinical outcomes.

That’s what that means.”

We need to do a much better job of articulating within healthcare and clinical risk what the cyber-risk actually means, and not talk about cybersecurity, because boards don’t understand it. It’s got to be talked about in business terms. People are not particularly good at talking in business terms when they’re dealing with healthcare and health outcomes.

THQ:

So how do we get better? How do we make that case in a way that makes boards and governments and the public wake up and go “Oh! That’s what that is!”

DM:

When I was in NHS Scotland, I made myself some strong allies, and the first one was the Chief Medical Officer. The Chief Medical Officer, although they tend not to hold the main budget, does hold huge sway over the prioritization of spend.

I spent a lot of time with CMOs to learn what their priorities were, so that I could best articulate what my priorities were, and make sure they understood how my priorities impacted upon their priorities and vice versa. We became quite a strong team that would go forward and make very strong cases for investment on digital security programs.

And I would often look for the CMO to actually be the executive sponsor, and what these programs did for me was to take my priorities away from seeming like a typical security and digital conversation, and make it sound like a business conversation, with the backing of the CMO.

 

In Part 2 of this article, we’ll look at the importance of going beyond headlines to improve healthcare cybersecurity, and how to win the necessary battles to keep healthcare a data-safe environment.

Healthcare cybersecurity – it’s a world of its own.

AI, cybersecurity, and the role of the big red button https://techhq.com/2023/08/ai-cybersecurity-and-the-role-of-the-big-red-button/ Tue, 22 Aug 2023 19:12:22 +0000 https://techhq.com/?p=227478


The post AI, cybersecurity, and the role of the big red button appeared first on TechHQ.


• Companies need a “big red button” for their generative AI for day-to-day process maintenance and identity management.
• But a kill switch will also have value as part of a strong cybersecurity portfolio within the next few years.
• We need to retain control of generative AI, and a big red button helps us do that.

The more generative AI is rolled out into business applications around the world, the more essential it becomes that companies have access to a kill switch – a big red button, as it’s semi-comically called – they can use to stop the AI’s actions on their data or their other systems.

Partly because of the language – kill switch, big red button (frequently also used, equally incorrectly, to denote the “thing” that starts a nuclear war) – and partly because of decades of pop culture and science fiction that have fed us the idea of big red buttons meaning an absolute end to something – many people throughout the tech industry and the wider civilian world have come to imagine the big red button as a centralized final sanction.

You know… to be used when the machines rise up and kill us all. That kind of final reel terminator-squisher that fries the “brains” of the malevolent robots or computer systems that have risen up and determined that we humanoids are just a waste of skin.

Sam Altman of OpenAI, the company behind ChatGPT, the Optimus Prime of large language model generative AI, has acknowledged that, in the event of a global catastrophic GenAI revolution, the company could absolutely shut down its server farms and data centers and effectively take its generative AI child down.

Those of you old enough to remember War Games (1983) will naturally find that deeply reassuring. Let alone those of you old enough to remember 2001: A Space Odyssey (1968).

But the crucial point is that companies are not in any sense confronting – or expecting to confront – such now overworn science fiction cliches as a global Skynet-style rise of the machines (Terminator, 1984). They’re confronting the possibility that the large language model generative AI they choose to use goes wrong in terms of the functions it performs – from training surgical robots to approving or refusing mortgage loans, to guiding a customer through a problem in a courteous way.

If and when that happens, you don’t need to shut down the whole existence of your chosen generative AI, Altman off-switch style. The point is that you may not in any real sense need to permanently turn off the generative AI at your end, either – when your printer has a paper jam, you don’t blow up the printer.

You might want to, but you don’t. So the nature of a big red button in most business applications of generative AI is hugely removed from the science fictional and linguistically loaded idea we’re used to.

A sledgehammer might WORK like a big red button, but it's rather more permanent.

The more permanent alternative to a kill switch should remain strictly a fantasy.

In Part 1 of this article, we spoke to Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi (a company specializing in machine identity), to get an idea of why businesses might very well need a big red button for their generative AI – akin to similar real-world buttons on any piece of hardcore manufacturing machinery.

While we had him in the chair, we asked Kevin about the way the future could look as regards regulation and taxation of generative AI.

Regulation and the big red button.

THQ:

We’ve said that there are solid reasons why companies would want a big red button for their AI. And yes, we understand it’s not a real big red button, however much that depresses us and destroys our imagination. But are we moving towards an idea that companies might not be allowed to use generative AI without such a big red… erm… piece of disconnecting code?

KB:

It’s not impossible, because generative AI will be deployed in both life and death situations and life-changing decisions. We’ve said that certification of the models will be necessary, because if you go to a doctor or a lawyer, you want to know they have the skills to do the job, and AI will be the same – you’ll want to know it’s fit for purpose and properly trained.

When it comes to the big red button and the regulatory environment, it feels believable that companies will need not only to have a way of managing the identity of their LLM generative AI, but also a way of pausing, correcting, enabling and disabling the system, a big red –

THQ:

-Pressable thing, yes.

KB:

As we’ve said, we have big red buttons on practically everything in a business operation. Computers definitely have built-in kill switches, just like enterprise systems have built-in kill switches.

There are kill switches which dictate which code your machine’s allowed to run, either in your local computer or at the server. And a large language model is, in and of itself, just code.

So the kill switch is something we know well – we just have to apply it to new technology. And the fact that generative AI will be performing tasks at a high level, with a high level of impact, means it’s not impossible that regulation when it comes will demand particular standards of operation, which could include a kill switch.

With great power comes great responsibility.

THQ:

That’s the thing, isn’t it? The more responsibility we put on these systems, the more power we give them, and so the more controllable they need to be.

KB:

Yeah. And we’ve barely started. Today, you might use ChatGPT to write an email.

You might, as a developer, use it to write some code.

You might use it to enable an experience with a customer that’s the basis of your business. We’re really not at the point where it’s making decisions, taking actions on its own.

But that time is coming.

Businesses and boards are already planning how their operation will look in 2024, 2025, 2026, and the impact of generative AI is very much going into budgetary planning. It certainly is going into skills planning. Already, businesses are thinking “What are the skills that we’re going to need as we look forward? Do we need the same skills? The same people?” People are still important, but the questions fit in with the idea of a kill switch.

The kill switch or "big red button" is probably coming soon, to a business near you.

When do you press the button? And whose hand needs to be on it?

Who presses the big red button?

A business takes on an accountability risk running generative AI for high-level functions that used to be performed by people.

That is something that a machine in and of itself does not do. It doesn’t take on accountability and risk. That’s why we have people. That’s why we employ people, all the way from the managing director down to the frontline workers – accountability and risk. So generative AI can do amazing things, but ultimately, there still is going to have to be someone making a decision to ask whether the technology is doing what it’s supposed to be doing – and if it isn’t, they’ll have to press the kill switch.

THQ:

You’ve said that generative AI might do jobs that people used to do – so are the same people important as were important before the development of generative AI?

KB:

I can give you an example there. Recently, I’ve been talking to finance teams, who have been performing really complex financial analysis.

They’re using generative AI to write themselves sub-programs that make their lives easier, dealing with complex financial matters. In the past, if they wanted to build code that helped them overcome a problem with their daily work, they’d have to either talk to the IT team, or get really sophisticated quantitative analysts to build those sub-systems. Now they can do it at their desks and go about their day.

It’s empowering them to do their jobs faster, make better decisions. So that tells you the type of skills we need.

There are going to be a whole lot more coders, what we might have called in the past “developers,” but they’ll be actually employed in other primary roles.

It goes back to the idea that we really haven’t seen the impact of generative AI yet. And from a cybersecurity perspective, that means we haven’t seen what the risks are going to be yet either, or the controls that we’re going to have to put in place – like the kill switch.

A year from now, two years from now, we’re going to start to see the risks play out. From a cybersecurity perspective, the adversaries are already working – we’ve seen the LLMs they’re working on, WormGPT and others, and those will only get better.

We’ll start to see malicious LLMs that are supposed to be clean ones, and we’ll see standard LLMs that the bad actors will attempt to poison and tamper with. We know already that they’ll also try to steal whole models – which are likely to be the most valuable piece of business intelligence in future businesses. And they’ll try to hold them to ransom.

That’s a whole new level of accountability for chief security officers and security teams. Which gets us back to the idea of the kill switch. We need to have that ultimate sanction not just to readjust on a daily basis as new models need identity processing and permission to do or not do things. We need to be able to choose to use a model or not use it based on human decision-making.

A big red button, or kill switch, won't actually BE a big red button.

We know, we KNOW it won’t look like this. But it should – for purely therapeutic reasons, if nothing else.

The kill switch, the big red button that isn’t, will also function as part of an accountability mechanism to deal with the cybersecurity threats of the next few years too.

Sometimes, you really need to not press the big red button. It’s a human-based judgment call.

Could cl0p’s MOVEit supply chain attack become a new normal? https://techhq.com/2023/07/could-cl0ps-moveit-supply-chain-attack-become-a-new-normal/ Fri, 14 Jul 2023 20:46:57 +0000 https://techhq.com/?p=226307


The post Could cl0p’s MOVEit supply chain attack become a new normal? appeared first on TechHQ.


• The MOVEit supply chain attack hit over 130 organizations worldwide.
• Distinct from ransomware, it advised affected companies to negotiate with the hackers.
• Could the hugely successful attack inspire others?

On June 8, 2023, we reported the beginnings of what could well become a record-breaking supply chain attack by the cybercrime group with the stupid name – cl0p.

The organization, rather than delivering a single, massive ransomware attack, with all the administration and tedium that can sometimes involve, went about its business in a rather more chaos-friendly manner. It pulled off – and then stayed silent about – a highly significant supply chain attack on the MOVEit software.

That software, used in the Zellis payroll system among others, had a fairly simple role in life – it existed to facilitate what it now feels massively ironic to describe as secure file-sharing.

By the time news of the attack broke, several significant targets had been identified – particularly in the UK to begin with. The recently much-troubled BBC, the UK’s national broadcaster of record, was hit. So too was the UK’s “national airline,” British Airways, along with the Boots pharmacy chain, which has over 2,200 branches across the country.

Supply chain attack goes viral.

But it was immediately clear that the supply chain attack was going to be potentially much bigger than three high-profile UK-based targets.

As is often the case with supply chain attacks, even cl0p itself wasn’t entirely sure how far its success would extend. That’s why, for instance, it issued no individual ransom demands for the data it had amassed through infiltrating the MOVEit software.

There was so much of that data that it made more sense simply to let every organization that might have used the software within a given window know that its data might be among the haul, and to encourage those organizations to contact the hackers and negotiate what they thought was a suitable price not to have the data dumped like chum in the shark-infested waters of the dark web, for anyone with a grudge or a get-rich-quick scheme to use.

Instructions, rather than ransoms, for the cl0p supply chain attack.

As of July 6, the supply chain attack was confirmed to have affected data belonging to at least 15 million individuals across 130 companies worldwide, including the likes of Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, Aer Lingus, PwC, Cognizant, and AbbVie, as well as the law firms Kirkland & Ellis and K&L Gates.

When a supply chain hack hits major companies like Shell, it’s big news.

The attack continued to grow in scope, with universities and student organizations confirming they’d been hit, from the University of Georgia (UGA), the New York City Department of Education, and the University System of Georgia (USG) to UnitedHealthcare Student Resources (UHSR) and Landal Greenparks.

And then, like ripples on a lake but nothing like so organized, it started affecting whole state governments and large networks, including the State of Missouri, the State of Illinois, the government of Nova Scotia, the American Board of Internal Medicine and Ireland’s Health Service Executive.

The US government versus supply chain attacks.

When it became clear that cl0p had captured data from US federal agencies, most notably the Department of Energy, the State Department stepped in, putting US$10 million on the table for anyone who could provide information that linked cl0p to a foreign government via its Rewards For Justice program.

Rewards for Justice post details of money available for information about the cl0p supply chain attack.

Rewards for Justice – like the Justice League… but with bribes.

It remains as yet unclear quite how many victims have been affected by the cl0p supply chain attack, or how many have paid how much to stop their data appearing on the dark web.

Certainly though, cl0p has started releasing that collected data into the world – presumably from some among the many organizations that will have been advised not to pay a cent to the hackers.

But the known scale of the attack makes it likely to be one of the major data heists of recent, if not of all times, and it highlights the rise and rise of the supply chain attack as, if anything, a significantly worse headache even than targeted malware or ransomware.

The stealthy, effective theft of large swathes of data through a commonly used and previously trusted program, coupled with the almost anarchistic acceptance of chaotic results by the cybercriminals breaks down any sense of “the game” of cybercrime as it has traditionally been played on a more one-to-one basis in the past.

It’s also worth noting that Progress Software patched the MOVEit program as soon as it became aware of the intrusion by cl0p – but sadly by that point, enough damage had been done to facilitate this blockbuster movie-scale supply chain attack.

The vast attack surface of a supply chain.

We spoke to Bernard Montel, technical director of cyber-firm Tenable about the impact of the attack.

“Vulnerabilities are disclosed every day, with threat actors poised and ready to see if they can monetize the flaw. There are two elements to be considered when any new vulnerability is revealed – how complicated would it be for threat actors to use the flaw, and what is the likelihood that it will be exploited?

“The latter typically comes down to the level of adoption of the affected software – the more prevalent it is, the higher the likelihood of exploitation.

“This latest flaw revealed by Progress Software is the perfect storm. An unauthenticated SQL injection flaw is easily exploited by threat actors with little technical know-how, providing bad actors with a number of options – from adding a field to a webpage to steal information from unsuspecting users filling in the ‘form,’ to tricking the application with an ‘sql query’ to disclose all the information in any back-end database. In this case the door is fully open for bad people to enter without being challenged.

“Instead of waiting to be attacked and then responding, it’s vital that security teams take a preventive approach to cyber-defence. The need to understand your attack surface and proactively manage risk to the business has never been more urgent.”
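To show the mechanism behind the unauthenticated SQL injection class Montel describes, here is an added example that is not code from TechHQ, Tenable or Progress Software and has nothing to do with the MOVEit code base. It builds a constructed in-memory SQLite table and places a lookup that splices user input into the statement text beside the parameterized form that a fix would use:

```python
import sqlite3


def make_db():
    """Constructed sample table; names and addresses are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.invalid"),
            (2, "bob", "bob@example.invalid"),
            (3, "carol", "carol@example.invalid"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: untrusted input becomes part of the SQL text itself,
    so a value containing a quote can rewrite the WHERE clause."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the input is bound as a parameter and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Row counts each lookup returns for a normal username and for an input
    that closes the string literal and appends an always-true condition."""
    conn = make_db()
    benign = "alice"
    crafted = "' OR '1'='1"  # textbook injection string, used here only to show the difference
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),
        "param_benign": len(lookup_parameterized(conn, benign)),
        "param_crafted": len(lookup_parameterized(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the fix is binding, not escaping: the parameterized lookup returns one row for the real username and no rows for the crafted input, while the concatenated version hands back the whole table. An unauthenticated endpoint built on the first pattern is exactly the “door fully open” Montel refers to, and the corresponding defence on the operator side is applying the vendor patch that closes it.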

At the time of writing, it remains entirely possible that more victims of the MOVEit supply chain attack will be identified, and certainly the future of the stolen data remains uncertain.

But the effectiveness of the MOVEit supply chain attack suggests that it may usher in a new era, where such attacks are increasingly common – so managing the risk of your attack surface may become increasingly crucial in the next five years.

No, really – it’s huge.

The post Could cl0p’s MOVEit supply chain attack become a new normal? appeared first on TechHQ.

Medical devices – how do you mitigate their cybersecurity dangers? https://techhq.com/2023/07/how-do-you-mititgate-cybersecurity-dangers-of-medical-devices/ Fri, 07 Jul 2023 16:48:59 +0000 https://techhq.com/?p=226122


• Vulnerable medical devices can be detected by specialist tools.
• Visibility of the vulnerabilities is key to mitigation.
• Tools can save healthcare providers the worry of cyber-attack through medical devices.

Medical devices in healthcare settings are naturally among the most trusted, most widely-used pieces of medtech in the world.

As we learned when we spoke to Keith Christie-Smith, Strategic Accounts Director (Government, Healthcare & Defence) at Claroty, though, they’re also significant, and largely forgotten vectors for cyber-attack, as they frequently go a decade or more without security upgrades or patches, making them exactly the sort of weak spot that bad actors love.

In Part 1 of this article, we learned of the almost-Orwellian loop of logic that keeps medical devices in a healthcare setting from being upgraded, patched, or even largely scanned for vulnerabilities for large chunks of their lifetime.

In Part 2, we looked at the real vulnerability threats that unpatched medical devices can introduce – both in terms of ransomware of the medical devices themselves (potentially leading to misdiagnosis and deeply traumatizing consequences for patients) and of being an easy gateway for malware to get into hospital systems, and then move laterally, infecting more machines as it goes.

The potential for vulnerabilities, combined with an upgrade trap in which vendors are reluctant to upgrade their medical devices in situ while health trusts (in the UK, where Claroty has been operating) are increasingly resource-challenged, leads to a situation that can be seen as an ouroboros of a cybersecurity time bomb for healthcare managers. Until they are able to prove there is a cybersecurity threat, they cannot justify the outlay to get the devices patched for vulnerabilities. But by the time the vulnerabilities make themselves felt, it is frequently too late.

We asked Keith if there was any good news in the world of medical devices – ever.

THQ:

We’ve said that in order to get a real map of potential vulnerabilities in medical devices, we need complete visibility of the devices and device states across x-region (say, a health trust).

How do we get that visibility?

And what do we do with the visibility once we have it?

KC-S:

You need a particular type of tool –

THQ:

You’re going to tell us Claroty has just the tool we need, aren’t you?

KC-S:

I am, yes.

THQ:

OK, just so long as we do it commercial style – “other tools are available.”

Medical devices and the visibility cloak.

KC-S:

You need a tool (like ours) that can deliver both visibility and mitigation options over all assets, even devices connected via serial connection. (That’s a key use case that is unique to our tool, Medigate, that none of our competitors offer).

THQ:

Alright, alright – why is serial connection so crucial?

KC-S:

Because of the age of many of these devices. We said in Part 1 that many of these devices are in service much longer than your standard laptop or desktop lifetime. So many of these devices are still connected to the network in ways that feel practically prehistoric now. That means they’re connected using serial connections.

Having end-to-end visibility of all those assets is key – but if you can’t have visibility of devices connected by serial connections, chances are you’re not doing anything like the whole job.

In the case of our system, you deploy the platform, and within days, it populates automatically with all the assets you have.

In terms of what we do with visibility once we have it, that’s a thing we work with our clients on.

There are ways of profiling which are the highest risk devices, so you get visibility of that, but also which vulnerabilities are most critical. So we show the vulnerabilities that have actually been used in compromises in other parts of the world.

Medical devices and the prioritization principle.

Because if you just get a list of vulnerabilities, that’s great, but how do you prioritize 100 or 200 vulnerabilities? The best way of doing that is finding out where they’ve been used to compromise other devices in the world. And then you go and spend your time on those 10 or 15 vulnerabilities, because that’s where the biggest risk exists across your network.

If you’re going to have your medical devices compromised, chances are it’ll be the devices with those vulnerabilities that will become the initial attack vector.

Find the vulnerable medical devices? You’re going to need a special tool.

So ultimately, it’s the drilling down into the data that we provide within the platform that can show you where it’s best to spend your time – and that other highly-constrained resource in the UK’s NHS – your money.

Resource is always an issue within NHS trusts. Bottom line, it’s the public’s money, so trust managers have an absolute obligation to spend that resource as efficiently and effectively as possible.

We give them tools that can help them to do that. With our platform, it even shows if there are patches available that have been applied for the particular vulnerabilities their medical devices have – that’s an easy win for trust managers.

THQ:

Sure, being able to know which patch to use on what medical device would be an easy win for managers – but you have to have that visibility and that knowledge first.

KC-S:

Right. So with our platform, they can see “We’ve got 25 vulnerabilities, these 10 have been used in previous compromises, there are these patches available for those vulnerabilities.” Then they can export that information to the vendors, and get them to come and patch those particular medical devices with those particular patches.

That’s a huge chunk of managerial risk remediated, and it also saves the colossal cost impact of having to passively scan all medical devices in the trust first, then run a mitigation exercise.

The cost impacts of protecting medical devices.

THQ:

We were going to ask about cost impacts, but in another connection.

The UK’s NHS is national socialized healthcare, paid for on a model of payroll tax deduction. It’s literally, as well as sentimentally, “the people’s healthcare program.”

Medical device safety in the NHS has been a topic of concern.

Right now, it’s had a year of nurses having to strike, having not had a pay rise in the best part of a decade. Paramedics have struck on a similar basis. Now “junior” doctors (everybody beneath the level of consultant) are having to strike to survive. That’s the level of resource-constraint we’re talking about.

So how do you go about persuading trusts that they need to commit resources to protecting the cybersecurity of their medical devices, when there are front-line care costs being consistently raised and questioned?

KC-S:

That’s an interesting question. From a mitigation perspective, we advocate to our NHS trusts by raising the fact that they’ll be using lots of disparate technologies. From an IT and cyber perspective, each of those technologies has an overhead. Each of those technologies and systems requires management, a deployment configuration and the ongoing “feeding and watering” of these solutions.

By leveraging a single pane of glass solution that helps drive automation, and amalgamating lots of disparate solutions into that single pane of glass, you make things simpler and more effective.

That’s the key. That’s something we really need to drive home when we engage with trusts. A single pane of glass view, but we integrate with 66 different vendors today. We don’t just do that because we think it’s a good idea, we do that because it adds value. It adds value because we’re pulling in data feeds from those various different products that will be deployed across the trust.

But also, we’re driving automation through network access control solutions, firewall solutions, endpoint detection and response, mobile device management, and other vulnerability management tools.

Once you know which medical devices are vulnerable, you can patch them.

So again, pulling all the metrics from those different products into a single pane of glass view gives trust managers a true risk picture and risk score, so the entire organization can know about any infected devices, where they sit on the network, and where they shouldn’t be on certain VLANs if they are.

Ultimately, through those integrations, we can automate remediation of vulnerabilities and threats.

That means, for instance, you can run a DSPT (Data Security and Protection Toolkit) report about your connected devices in seconds, because we have that visibility, we have those devices on the platform.

THQ:

Unlike the current honor system approach to those reports?

KC-S:

Right. And it frees up resources, so people can go and do things that add value from a care perspective, which is what the NHS is there to do, right? To help healthcare professionals deliver value from a care perspective, while cybersecurity gets taken care of by those who have the expertise the service deserves.

Get the right protection, and your assets will be safe.
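The prioritization principle Christie-Smith describes (start with the handful of vulnerabilities that have actually been used in compromises, prefer the ones a vendor fix exists for, then export a per-device patch list to the vendor) can be sketched as a small ranking routine. This is an added example, not Claroty’s Medigate code or data; the device names and CVE identifiers are placeholders, and the exploited-in-the-wild set stands in for a feed such as a known-exploited-vulnerabilities list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str            # asset name from the inventory
    cve: str               # vulnerability identifier
    cvss: float            # base severity score
    patch_available: bool  # a vendor fix exists for this device


# Constructed sample findings. Device names and CVE ids are placeholders,
# not real identifiers or real scan data.
FINDINGS = [
    Finding("infusion-pump-07", "CVE-XXXX-0001", 9.8, True),
    Finding("mri-console-02", "CVE-XXXX-0002", 7.5, False),
    Finding("patient-monitor-14", "CVE-XXXX-0003", 5.3, True),
    Finding("xray-workstation-01", "CVE-XXXX-0004", 9.1, True),
    Finding("patient-monitor-14", "CVE-XXXX-0005", 8.8, False),
    Finding("lab-analyzer-03", "CVE-XXXX-0006", 6.1, True),
]

# Constructed stand-in for an "actually used in compromises" feed.
KNOWN_EXPLOITED = {"CVE-XXXX-0002", "CVE-XXXX-0004"}


def risk_tier(finding, known_exploited):
    """Tier 1: exploited in the wild. Tier 2: severe and fixable. Tier 3: the rest."""
    if finding.cve in known_exploited:
        return 1
    if finding.cvss >= 7.0 and finding.patch_available:
        return 2
    return 3


def prioritize(findings, known_exploited):
    """Order findings so the small exploited set is worked first; within a tier,
    patchable items come before unpatchable ones, then higher CVSS first."""
    return sorted(
        findings,
        key=lambda f: (risk_tier(f, known_exploited), not f.patch_available, -f.cvss),
    )


def summary(findings, known_exploited):
    """Counts in the shape of the 'N vulnerabilities, M used in compromises,
    patches available for these' report described in the interview."""
    exploited = [f for f in findings if f.cve in known_exploited]
    return {
        "total": len(findings),
        "exploited_in_wild": len(exploited),
        "exploited_with_patch": sum(1 for f in exploited if f.patch_available),
        "exploited_without_patch": sum(1 for f in exploited if not f.patch_available),
    }


def vendor_worklist(findings, known_exploited):
    """Per-device list of exploited CVEs that have a fix: what gets exported to
    the vendor so they can come and patch those particular devices."""
    work = {}
    for f in findings:
        if f.cve in known_exploited and f.patch_available:
            work.setdefault(f.device, []).append(f.cve)
    return work


if __name__ == "__main__":
    for f in prioritize(FINDINGS, KNOWN_EXPLOITED):
        print(risk_tier(f, KNOWN_EXPLOITED), f.device, f.cve, f.cvss, f.patch_available)
    print(summary(FINDINGS, KNOWN_EXPLOITED))
    print(vendor_worklist(FINDINGS, KNOWN_EXPLOITED))
```

The ordering deliberately puts an exploited medium-severity finding ahead of an unexploited critical one, which is the point of the principle: CVSS alone would send the team to the 9.8 first, while the evidence of real-world use says the 9.1 and the 7.5 are where the initial access is most likely to come from. The exploited finding with no fix still ranks at the top so it surfaces for compensating controls such as network segmentation, rather than disappearing from the patch list.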

The post Medical devices – how do you mitigate their cybersecurity dangers? appeared first on TechHQ.

clOp hits companies worldwide with massive MOVEit supply chain hack https://techhq.com/2023/06/clop-hits-companies-worldwide-with-massive-moveit-supply-chain-hack/ Thu, 08 Jun 2023 21:36:32 +0000 https://techhq.com/?p=225313


• MOVEit is a file sharing app used in the Zellis payroll system.
• A supply chain hack targets one program used by multiple organizations.
• The true scale of this supply chain attack has yet to be determined.

Organizations worldwide have had their data – and their staff’s data – compromised in the largest supply chain hack of 2023, and possibly, the largest such hack ever on record.

A supply chain hack is an attack that, rather than aiming at a single target (usually with ransomware in mind), inserts malware into a commonly used app or piece of software shared by many different organizations. A similar – but significantly smaller – attack was launched on the London stock market earlier this year.

This time, the attack comes from the Russia-based cl0p cybercrime group, and has hit organizations both large and small. Malware was inserted into Progress Software’s MOVEit product, which normally provides a secure way of moving files around an organization.

In particular, the product was part of the Zellis system – a specialist payroll services provider, based in the UK.

A large scale supply chain attack.

That’s significant in two ways. Firstly, a lot of high-profile companies, especially within the UK, use Zellis for their payroll processing. Three that have already grabbed headlines are the BBC (the UK’s national broadcaster of record), British Airways, one of the country’s leading airlines, and the Boots pharmacy chain, with 2,200 branches in the UK alone.

Between them, those companies have been notified that the details of 100,000 members of staff have been compromised, and unless an agreement is reached, will be released onto the internet – allowing any hacker, spoofer, phisher or other bad actor to perpetuate the harm of the hack almost indefinitely.

The attack is not limited to those three companies, though. Aer Lingus, an Irish airline, the Government of Nova Scotia in Canada, and the University of Rochester, New York, have subsequently come forward to acknowledge that they too are victims of the cl0p attack – and it’s fully expected that others will join them as the days go by.

What has become clear over the few days since news of the attack broke though is that the group may have pulled off a hack too large for it to handle.

In a standard ransomware attack, the hackers tend to nominate an initial ransom amount, and then there’s a process of either negotiation or stand-off until something happens to the data – either it’s exposed, or flushed, or returned, and either some amount of money is exchanged or it isn’t.

This is not strictly speaking a ransomware attack though – it’s more akin to demanding money with menaces.

cl0p has written a blog post addressed to more or less any company that has been using Zellis for its payroll function, announcing that they (the companies) have seven days (until June 14) to contact the hackers to begin negotiating a sum that will stop the group publishing the details of staff on its own site.

Conflicting incentives.

The exact nature of the vulnerable data changes from victim to victim – the BBC said it understood that staff ID numbers, dates of birth, home addresses and national insurance numbers of its staff had been compromised, while British Airways warned its staff that some may also have had their bank details stolen.

It’s details like this that make organizations with a concern for the welfare of their staff – lots of whom are already enduring a cost of living crisis and throat-punchingly high inflation – want to negotiate with the cybercriminals to avoid the data becoming the common currency of every hacker with a name or a living to make.

The negotiations between organizations and cybercriminals have the tone of a data-based horror movie.

Naturally though, advice from the likes of the UK Cybersecurity Council is not to pay any ransom if one is demanded or suggested. There’s a strategic logic to that – as with bullies, blackmailers, and terrorists in the non-cyber world, giving them what they want only tends to encourage them to push their luck, regarding their victims as weak or desperate.

But strategic logic is likely to be cold comfort to the hundred thousand confirmed staff whose data is currently compromised, or the hundred thousand more worldwide who could be compromised through the Zellis payroll service.

A potentially expanding supply chain attack.

Almost as soon as the hack was confirmed, the US Cybersecurity and Infrastructure Security Agency issued a warning to all firms that have been using MOVEit that they should download and install a security patch to avoid further breaches – because naturally, now that cl0p has a way in through that system, unless it’s patched, the group can continue to use its access to compromise ever more data.

Security scans reveal that thousands of company databases could still be at risk, as the take-up of the patch has been mind-bogglingly low considering the potential danger to available data.

In a rare moment of altruism, though, cl0p has announced that government, city, and police services are outside the remit of its interest this time around.

It issued an addendum to its general “contact us to negotiate for your data” message, saying that data from those three types of organization had already been erased, and formed no part of the extortion plan.

This, as much as the inverted way the group has gone about seeking to monetize its mega-strike, has led analysts to believe the attack has become too big and too successful for cl0p to handle.

The sheer amount of data collected, and the difficulty in grouping it coherently, looks to be giving the group an ironic issue faced by businesses in the legitimate world – too much data, insufficient data management.

Add to that the fact that there are very likely to be companies who are as yet unaware that they’re affected by the hack and it could become a logistical nightmare – as much for the hackers as for the companies who’ve been hacked.

What happens on the run-up to the communication deadline – and after it – will define how this enormous hack will eventually be remembered. Right now though, companies will be taking as much advice from their cyber-experts as possible about how to play this entirely unusual situation.

The post clOp hits companies worldwide with massive MOVEit supply chain hack appeared first on TechHQ.

Isolating active vulnerabilities for better cybersecurity https://techhq.com/2023/04/isolating-active-vulnerabilities-for-better-cybersecurity/ Fri, 28 Apr 2023 20:55:27 +0000 https://techhq.com/?p=224331


In the world of cybersecurity, it’s critical to know some key things. How many vulnerabilities are possible in your systems, for one. How many are likely, for another. How to defend against them, for a third – and in particular, how fast you patch your systems once you know the vulnerabilities are there.

The Threat Research Unit at Qualys, a cybersecurity specialist firm, recently conducted some large-scale research into exactly these questions – what’s out there, how vulnerable organizations are, and especially how fast those organizations are to patch their systems when threats rear their ugly, annoying heads.

We sat down with Travis Smith, Vice President of the Unit, to discuss the “state of the digital nation.”

A very big number.

THQ:

So, let’s rip off the Band-Aid. How many vulnerabilities are out there?

TS:

The short answer is more than 25 million.

THQ:

Ouch. Is the long answer any less painful?

TS:

Sort of. It’s important to remember this is a big, big study. We collected a tremendous amount of anonymous detection data from our global platform. We looked at detection statistics across vulnerability management, web applications, security, policy, compliance, cloud security, posture management, and more. We gathered as much data as we could, just to understand as much as possible what the threat landscape ultimately looks like from our viewpoint, and then provide some analysis on it.

THQ:

Still kinda focusing on the big, big number.

TS:

We broke the number down into five categories, to tell the story of the threat landscape that we have. The way that story shaped up, we looked at vulnerability data first, because that’s what we’re known for. We’ve just surpassed 200,000 vulnerabilities known and published by the NVD (National Vulnerability Database).

THQ:

Much smaller number. Feels like we should be relieved, and yet… still a big number when it comes to vulnerabilities.

TS:

Right? That’s too much to look at under one lens, so we kind of scoped it down to the vulnerabilities that were published last year.

THQ:

Smaller number?

The CISA list.

TS:

25,000 vulnerabilities. Published last year. But which ones introduced the most risk to an organization? We defined that under one of a few different categories. So then we narrowed the focus down to things that had been added to the CISA (Cybersecurity & Infrastructure Security Agency) Known Exploited Vulnerability list, those that were attributed to a threat actor, those that we’ve had evidence of being included into a piece of malware, and then specifically ransomware as another subcategory. We added anything for which there was some type of exploit made available on the Exploit DB published to GitHub.

THQ:

Please tell us that resulted in a significantly less terrifying number…

TS:

163.

163 specific vulnerabilities that we wanted to look at, which were published last year. So we looked at the detection system statistics of those, how often they were not only detected, but remediated. And also how quickly they were remediated.

These risky, weaponized vulnerabilities were remediated at a pace of 57.7% throughout the year, so just over half of them were remediated throughout the year, at a pace of roughly 30.4 days.

That’s what the defenders are looking at.

The speed of threat.

While we were there, we looked at intelligence of how quickly threat actors are leveraging those vulnerabilities – so how quickly the vulnerabilities are weaponized.

THQ:

Tell us what we already know.

TS:

Threat actors are moving much faster. They’re weaponizing these vulnerabilities in an average of 19.4 days. That’s almost exactly 11 days difference between how quickly threat actors are moving versus how quickly defenders are remediating those vulnerabilities across the board.

11 days of advantage, to go through and exploit these vulnerabilities before, on average, organizations are able to remediate them. Looking at the scope of all these dangerous vulnerabilities, they’re not all things like Windows and Chrome and some of those that spread across network devices, web apps and so on. And there was a large disparity between how quickly some of these were actually remediated.

Some were remediated in single digit days, while others were published in maybe January of 2022, and in the last year, were still patched at a rate of single digits. 5-10%. That’s a huge disparity. So we broke it down, to look at which ones were doing well, being patched quickly, patched more often, versus the ones that were not.

The power of automation.

That led us down a rabbit hole to focus on the vulnerabilities which could be automated for the remediation, because those were those ones that trended higher. Obviously, that makes sense – if you can automate something, it goes a little bit faster – but we dug down and looked at things like Windows and Chrome, because those are the number one web browser and the number one operating system, and they have very mature patching processes.

Organizations trust those quite a bit. You can either use their internal built-in tooling or you can easily automate it with a patch management tool.

Those vulnerabilities were patched twice as fast and twice as often as everything else.

THQ:

So – all hail automation?

TS:

Clearly, there’s a disparity between the vulnerabilities that can be automated and the ones that can’t. From our side, we were looking at a group of threat actors that are known as initial access brokers (IABs), or affiliates. These are the groups that will break into an organization and either sell that access or leverage the access themselves. And whether they leverage it themselves or whether they sell it, typically, the end game is ransomware.

So what we looked at was, what were the vulnerabilities that they were adding to their toolkit last year, and which were vulnerabilities which were released last year?

Obviously, they’re going to leverage old vulnerabilities if they find them, but what was the new stuff they were adding?

A much smaller number.

The evidence we had was that the top vulnerabilities they were adding were primarily web apps type vulnerabilities looking at externally facing systems exchanges. None of the top vulnerabilities they were leveraging were Windows or Chrome. And if we looked at the patch rate of those, how quickly they were patching, the mean time to remediation for the vulnerabilities associated with these affiliates or IABs were patched in 45.5 days, 15 days slower than the average.

THQ:

Do we know exactly what the vulnerabilities were?

TS:

Yes, there are 17 specific vulnerabilities that we were looking at by the time we got down to the ones that IABs were using most – none of which were in things like Windows and Chrome.

Defenders are definitely making a difference by patching things like Windows and Chrome. The optimist in me is saying, “Hey, defenders are doing the right thing, they’re changing the tactics of the threat actors.”

And if you look at specifically something like Chrome, it was ravaged with 8 or 9 zero days last year. While that’s not the biggest problem, there are other problems that organizations can take a look at.

So shifting the lens from that narrative, web apps were something that these threat actors were taking a look at. We took a look at a lot of the detection statistics we had from our web applications, and tied all of those to the OWASP Top 10 controls. We found that the biggest category they fell under was A04 or A05, the misconfiguration bucket. So a third of every web application that we scanned had some sort of misconfiguration within it.

Unpleasant exposure.

In itself, that’s not going to lead to a breach in the web application. But the risk there is that it exposes these misconfigurations or exposes information.

Worst case scenario, they expose something like PII (Personal Identifiable Information), but more typically, they expose the back-end systems, the databases behind it.

And a lot of these vulnerabilities are a risk to the organization, or give the attacker additional information to further stage their attacks within that environment.


In Part 1 of this article, we’ve come down from 25 million potential vulnerabilities to 17 core specific vulnerabilities that bad actors are likely to be using right now.

In Part 2, we’ll find out what can be done to improve the patch rates for those 17, and make companies objectively less vulnerable.

The post Isolating active vulnerabilities for better cybersecurity appeared first on TechHQ.
