The CIS Critical Controls were developed as a framework not only to ensure the successful realization of basic cybersecurity hygiene, but to lead to the planning and implementation of a robust security protocol. To build any cybersecurity protection scheme, it is necessary to know the extent of what it is you are protecting. This is the stated purpose of Control 1.

CIS Control 1 Overview: Inventory of Authorized and Unauthorized Devices

Critical Control 1 states: “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access” (CIS Controls v7). This control is not so much intended to prevent unauthorized access, although a complete inventory with attendant policy enforcement will do just that. Instead, it is devised so an organization may be certain of what devices are on the network, so they may be effectively defended. Then these devices will not be the unknown gap in the defensive perimeter that allows a devastating attack to execute on an unsuspecting network.

Compiling a detailed asset inventory may seem like an intimidating task for an organization of any size, especially if this is a first-time endeavor. However, Control 1 is segmented into eight subcontrols designed to give form to the mission at hand.

Figure: CIS Control 1 Subcontrols 1.1 - 1.5

CIS Control 1 Subcontrols

Subcontrols 1.1 and 1.2 recommend the use of both active and passive automated tools to identify device assets so they may be updated as needed and added to the hardware asset inventory. Anything with an IP address must be counted. This includes printers, copy machines, and even automated vending machines if they connect to the network. This asset inventory is also not limited to what is always attached to the network. Virtual Private Network (VPN) connections and mobile devices must also be inventoried, and these types of connections typically come and go on a network. Whether physical or virtual, if it has an IP address and ever connects to the network, it should be included as an asset. There are many such tools at varying price points, so an organization will typically be able to devise a method that both works within its current framework and is financially feasible.

Subcontrol 1.3 advises that Dynamic Host Configuration Protocol (DHCP) be used to assign IP addresses. This automates IP allocation and is no small part of an IP address management system that aids in updating the hardware asset inventory and helps keep it current.

Subcontrols 1.4 and 1.5 focus on the maintenance of a detailed hardware asset inventory, whether or not the device is connected and whether or not the device is authorized to be connected. An inventory should at least indicate whether an asset is portable, the name of the device, and its IP address. Including MAC addresses and serial numbers is a good practice to start with and maintain, and these can also be used to prove ownership for insurance purposes. Whatever information an organization deems necessary to keep in the asset inventory, it must be noted that this procedure is dynamic and ongoing for the lifecycle of any device. Records must also be kept of devices as they are deprecated and removed from the network or recommissioned and returned to the network. This is a priority on par with keeping updated blueprints and maintenance information for an organization’s physical and logical topology.

Figure: CIS Control 1 Subcontrols 1.6 - 1.8

Subcontrol 1.6 suggests steps to take in dealing with unauthorized devices. When an organization obtains the actual number of unauthorized devices currently connected to its network, it may also discover the need to update current policies and procedures for IoT (Internet of Things) devices. Such policies and procedures may take the form of employee education of various types, as well as clearly delineated employee agreements as to what is, and is not, allowed on the network. APT (advanced persistent threat) groups and other attackers wait on the internet for such unauthorized devices to gain an entry point into a network, or to use as a pivot point if the network is already compromised. It is unfortunate but true that attack avenues are always evolving, and one of the most commonly used avenues of malware delivery is via email spear-phishing campaigns aimed at the unwary employee, or through the connection of an unauthorized and unprotected device such as a smartphone or laptop.

Once this inventory is complete, subcontrols 1.7 and 1.8 mention steps to take towards ensuring company control of which devices are authorized to connect to the network. Port-level controls are a necessity, along with proper switch configurations, and both should be tied to the device asset inventory. This should help ensure only authorized devices may connect to the network.

Certainly this is a task that requires time, attention to detail, and commitment. It is not as exciting as other defensive processes, but proper implementation will lead to the best execution of the other 19 Controls, as well as add to the overall improvement of an organization’s defense posture by increasing efficiency and response time and reducing the network attack surface.

Conclusion and Next Steps

The CIS Critical Controls are not rigid, but may be implemented in the ways that best suit an organization’s needs and acceptable risk. Neither are the CIS Critical Controls weighted equally. Critical Control 1 is as important and essential to the support of any cybersecurity posture as a foundation is to the support of a house. A variety of studies show that CIS Control implementation is proven to prevent around 90% of network attacks.
That renders the return on investment undeniable, and the importance cannot be overstated to management and board members.

Alpine Security remains committed to fostering cybersecurity awareness globally and locally while providing our specialized services to organizations and individuals alike. Pursuant to that commitment, Alpine Security offers a free consultation on our Enterprise Security Audit (ESA) Service. The ESA is based on the Top 20 Critical Controls published by the Center for Internet Security. The ESA is intended to provide a comprehensive picture of where an organization currently falls in Critical Control implementation, while also delineating a roadmap for full implementation. With the increase in variety and methods of attack on organizations of all sizes and types, defensive uncertainty is a luxury no security-conscious entity can afford.

CIS Control 1: The Beginning of Basic Cybersecurity
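Subcontrols 1.3 through 1.6 above describe a loop: DHCP hands out addresses, the lease records feed the hardware asset inventory, and anything the inventory does not recognize or does not authorize is surfaced for action. The script below is an added example of that loop and is not code from CIS or Alpine Security. It parses constructed ISC dhcpd-style DHCPACK log lines, reconciles them against a constructed inventory carrying the fields the post names (device name, IP address, MAC address, serial number, portable flag, authorization status), refreshes the IPs of authorized assets, and records never-seen MACs as unauthorized pending review. The log format, MAC addresses and inventory entries are all assumptions made for the example.

```python
"""Reconcile DHCP lease events against the hardware asset inventory (subcontrols 1.3
through 1.6 of CIS Control 1): refresh the IPs of authorized assets, surface MACs the
inventory has never seen, and flag known-but-unauthorized devices. Added example, not
CIS or Alpine Security code; the log format, MACs and inventory are constructed."""
import copy
import re

# Constructed inventory keyed by MAC, carrying the subcontrol 1.4/1.5 fields.
INVENTORY = {
    "00:11:22:33:44:55": {"name": "fileserver-01", "ip": "10.0.0.10",
                          "serial": "SN-A1", "portable": False, "authorized": True},
    "00:11:22:33:44:66": {"name": "printer-2f", "ip": "10.0.0.20",
                          "serial": "SN-P2", "portable": False, "authorized": True},
    "aa:bb:cc:dd:ee:01": {"name": "laptop-jsmith", "ip": "10.0.0.57",
                          "serial": "SN-L7", "portable": True, "authorized": True},
    "de:ad:be:ef:00:01": {"name": "contractor-tablet", "ip": None,
                          "serial": None, "portable": True, "authorized": False},
}

# Constructed syslog lines in ISC dhcpd's DHCPACK format; the client hostname in
# parentheses is present only when the client supplied one.
LEASE_LOG = """\
Mar  4 09:12:01 dhcp01 dhcpd: DHCPACK on 10.0.0.10 to 00:11:22:33:44:55 (fileserver-01) via eth0
Mar  4 09:12:44 dhcp01 dhcpd: DHCPACK on 10.0.0.58 to aa:bb:cc:dd:ee:01 (laptop-jsmith) via eth0
Mar  4 09:13:09 dhcp01 dhcpd: DHCPACK on 10.0.0.99 to 02:42:ac:11:00:02 (vending-kiosk) via eth0
Mar  4 09:14:30 dhcp01 dhcpd: DHCPACK on 10.0.0.120 to de:ad:be:ef:00:01 via eth0
Mar  4 09:14:31 dhcp01 dhcpd: DHCPREQUEST for 10.0.0.120 from de:ad:be:ef:00:01 via eth0
"""

DHCPACK = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


def parse_leases(log_text: str) -> dict:
    """Map each MAC that received a DHCPACK to its latest IP and client hostname."""
    leases = {}
    for line in log_text.splitlines():
        match = DHCPACK.search(line)
        if match:  # DHCPDISCOVER/DHCPREQUEST lines carry no confirmed address
            leases[match["mac"].lower()] = {"ip": match["ip"], "host": match["host"] or ""}
    return leases


def reconcile(inventory: dict, leases: dict) -> dict:
    """Compare live leases with the inventory; each list is a set of exceptions to review."""
    report = {"unknown": [], "unauthorized": [], "ip_changed": [], "not_seen": []}
    for mac, lease in leases.items():
        asset = inventory.get(mac)
        if asset is None:
            report["unknown"].append((mac, lease["ip"], lease["host"]))
        elif not asset["authorized"]:
            report["unauthorized"].append((mac, lease["ip"], asset["name"]))
        elif asset["ip"] != lease["ip"]:
            report["ip_changed"].append((mac, asset["ip"], lease["ip"]))
    for mac, asset in inventory.items():
        if asset["authorized"] and mac not in leases:
            report["not_seen"].append((mac, asset["name"]))
    return report


def update_inventory(inventory: dict, leases: dict) -> dict:
    """Return a new inventory: IPs refreshed from the leases, never-seen MACs added as
    unauthorized pending review. The inventory passed in is left untouched."""
    updated = copy.deepcopy(inventory)
    for mac, lease in leases.items():
        if mac in updated:
            updated[mac]["ip"] = lease["ip"]
        else:
            updated[mac] = {"name": lease["host"] or "unknown", "ip": lease["ip"],
                            "serial": None, "portable": None, "authorized": False}
    return updated


if __name__ == "__main__":
    seen = parse_leases(LEASE_LOG)
    for category, items in reconcile(INVENTORY, seen).items():
        for item in items:
            print(f"{category:12s} {item}")
```

Run against the constructed log, the report lists the vending kiosk as unknown, the contractor tablet as known but unauthorized, the laptop as having moved to a new address, and the printer as an authorized asset that did not renew a lease in this window. Each of those four lists maps to a follow-up the post calls for: add the device to the inventory, apply the port-level controls of subcontrols 1.7 and 1.8, correct the record, or confirm the device was decommissioned.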
Figure: Phishing emails from a CEO to an Executive Assistant with urgent tasks (scams) are on the rise

Does your organization welcome questions from employees? Would an employee feel comfortable questioning their supervisor about a task? How often do you push a job down the chain and expect it to “just get done?” The urgency of business demands that employees be able to carry out tasks without question. Unfortunately, that same urgency can lead to the exact conditions that cybercriminals exploit daily to the tune of billions of dollars. These exploits, and a lack of focus on institutional safeguards to prevent them, mostly go unnoticed within organizations until they become the target of a cyber-attack.

When discussing how cybercriminals operate, it is often easy to take the “that could never happen to me” mentality. We’ve all heard the story of someone’s uncle who was catfished out of his life savings by someone from another country whom he never met, but who is the love of his life. While the need for human connection may not be every individual’s weak point, everyone has at least one. In the business environment, humans are invariably the weak link in the security chain. Cybercriminals are particularly adept at manipulating the human element to extort money, intellectual property, and resources.

Here we will explore a case study involving a recent incident response that Alpine Security performed. In this incident, the company in question was targeted using email spoofing and phishing attacks resulting in losses of over $20k. This particular scam is noteworthy because it highlights a technique that is on the rise in recent months and illustrates how cybercriminals often use human and institutional weaknesses to fulfill their goals.

Figure: Initial Phishing Email to Elicit a Response

In the first phase of this attack, the criminal used a Gmail account designed to look like it was coming from the supervisor of the targeted employee, e.g., [email protected]. Seeing the name in the email address, the employee did not suspect that the email did not originate from their actual boss. The email explained that the supervisor wanted to give away some eBay gift cards to a vendor but was tied up and would like the employee to go and pick them up quickly. The employee responded and followed instructions to purchase $2,000 in eBay gift cards. She was then instructed to scratch off the back of the cards and send images of the codes to the email account. As luck would have it, she sent the codes via text rather than email, enabling her company to catch the scam before the codes were leaked, but it was a very close call.

Figure: 2nd Phishing Email. The attacker sent this email after receiving a response to the first email.

At first glance, it is easy to assume that we, in the same position, would have noticed one of the several red flags that this story illustrates. However, understanding the psychology of this kind of attack allows us to fully grasp how easy it is to fall victim to this type of scam. In this case, the criminal had two factors to their advantage, the first of which is the appeal to authority. Many employees are not going to question their boss when asked to perform a task as long as the job seems somewhat reasonable. If this is a task the employee has performed before, they may not think twice about doing it at all. If you work in a marketing or sales department, picking up some gift cards might not be an out-of-the-ordinary request. The appeal to authority can be just enough to make the employee second-guess their suspicion and take an action they otherwise may not have. Furthermore, company cultures often do not promote open communication and freedom to question. Therefore, the employee may not feel empowered to raise concerns if they suspect something is amiss. Couple that with the second advantage the criminal is exploiting, urgency, and you have a recipe for social engineering. The “supervisor” is in a hurry and needs their assistant to perform a task quickly. If the employee has doubts, this may be the nudge they need to forget those doubts, get the job done, and “just be a team player.”

Employers should not underestimate the psychological factors that play into these types of scams. It is human nature to want to be helpful and do your job well. It is often an institutional weakness to expect employees to carry out tasks without question, or to put too few safeguards in place to prevent the compromise of one employee from costing the company money. It is natural to want to blame the employee for being careless, but the truth is that her actions were precisely what her boss would have expected had he been the one who sent the request.

If the attack had stopped here, it would have been merely a lesson learned for the company to be more careful. Unfortunately, it didn’t. In phase two of the attack, the criminal sent an executive in the same company an email that appeared to come from another person within the company. The executive clicked a link in the email which prompted them to input their Office 365 username and password. Thinking this was merely a standard password prompt, the employee complied and completed their work. Unbeknownst to them, the login page into which they had input their credentials was fake (spoofed), allowing the hacker to capture their credentials. The attacker quietly logged into the account and remotely set up a rule to automatically mark any emails from the finance department as read and send them to a hidden folder. They then sent an email to the finance department asking why an invoice to a company had not been paid. Over the next several days they were able to pose as the company executive and trick the finance department into fraudulently processing over $20K in fake invoices.

Both of these cases have human error as a common element, but stronger institutional safeguards are the only real tool to defeat human error.
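The two phases of the case study leave two artifacts a mail administrator can check for mechanically: a message whose From display name belongs to an executive but whose address does not (phase one), and a mailbox rule that marks finance mail as read and moves it out of the Inbox (phase two). The script below is an added example of both checks; it is not Alpine Security's code. The executive directory, the two messages, and the rule export (shaped like the Name, Enabled, FromAddressContainsWords, MarkAsRead, MoveToFolder and ForwardTo fields that Exchange Online's Get-InboxRule reports) are all constructed for the example.

```python
"""Mail-side checks for the two indicators in the case study: a look-alike external
sender carrying an executive's display name, and a mailbox rule that hides finance
mail. Added example, not Alpine Security's code; every name, address and rule here
is constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display names worth impersonating and their real mailboxes.
EXECUTIVE_DIRECTORY = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}

# Constructed phase-one message: free-mail account, the boss's display name, and a
# Reply-To pointing at yet another domain.
PHISH = """\
From: Jane Doe <jane.doe.office@freemail.example>
Reply-To: Jane Doe <jd.urgent@mailhost.example>
To: assistant@example.com
Subject: Quick favor

Are you available? I need some gift cards picked up for a vendor today.
"""

# Constructed legitimate message from the real mailbox.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: assistant@example.com
Subject: Monday agenda

Please send me the agenda for Monday.
"""


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_sender(raw_message: str) -> list:
    """Return findings about the From and Reply-To headers (empty list means clean)."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    expected = EXECUTIVE_DIRECTORY.get(name.strip().lower())
    # The display name belongs to a known executive but the address is not theirs.
    if expected and addr != expected:
        findings.append(f"display name '{name}' belongs to {expected}, mail came from {addr}")
    # Replies would go to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To {reply_to.lower()} does not match From domain {_domain(addr)}")
    return findings


# Constructed rule export, shaped like the fields Exchange Online's Get-InboxRule
# reports. The second rule mirrors the one described in phase two of the case study.
INBOX_RULES = [
    {"Name": "Newsletters", "Enabled": True,
     "FromAddressContainsWords": ["news@vendor.example"],
     "MarkAsRead": False, "MoveToFolder": "Newsletters",
     "DeleteMessage": False, "ForwardTo": []},
    {"Name": ".", "Enabled": True,
     "FromAddressContainsWords": ["finance@example.com", "accounts-payable@example.com"],
     "MarkAsRead": True, "MoveToFolder": "RSS Subscriptions",
     "DeleteMessage": False, "ForwardTo": []},
]

FINANCE_WORDS = ("finance", "invoice", "payment", "accounts", "wire", "payable")


def audit_inbox_rules(rules: list) -> list:
    """Return (rule name, reasons) for enabled rules that hide finance-related mail,
    forward to external addresses, or carry a blank or punctuation-only name."""
    flagged = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = []
        conditions = " ".join(
            rule.get("FromAddressContainsWords", [])
            + rule.get("SubjectContainsWords", [])
            + rule.get("BodyContainsWords", [])
        ).lower()
        targets_finance = any(word in conditions for word in FINANCE_WORDS)
        # Deleting, or marking read and moving out of the Inbox, both keep the
        # mailbox owner from noticing the conversation.
        hides = rule.get("DeleteMessage") or (rule.get("MarkAsRead") and rule.get("MoveToFolder"))
        if targets_finance and hides:
            reasons.append(f"finance mail hidden (moved to '{rule.get('MoveToFolder')}')")
        external = [a for a in rule.get("ForwardTo", []) if _domain(a) not in INTERNAL_DOMAINS]
        if external:
            reasons.append(f"forwards to external addresses {external}")
        if not rule.get("Name", "").strip(" ._-,"):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            flagged.append((rule.get("Name", ""), reasons))
    return flagged
```

The sender check would have flagged the phase-one message on two counts before anyone read it, and the rule audit run across all mailboxes surfaces the phase-two rule on the day it was created rather than after several days of fraudulent invoices. Neither replaces the verbal-approval safeguard the third case relied on; they are the technical controls that sit beside it.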
What would happen if we put a straightforward safeguard in place in either of these cases? What if a phone call and passphrase, or a digitally signed email, were required to initiate a wire transfer? What if the employees had training on how to detect spoofed emails? In a third case, a client of Alpine Security received the same email requesting that they purchase iTunes gift cards. This was particularly interesting because the employee had recently bought gift cards for a similar giveaway. However, in this case, the company had a safeguard in place that a transaction like this needed to be approved verbally by the employee’s supervisor. When she contacted them, they quickly detected the email was a hoax and were able to move on with no loss of money and little lost time.

How well would your organization handle an event like this? In the fast-paced world of cybercrime, no company is too small or too big to be a target. Stories like this happen every day. For the unprepared, they can bankrupt an organization or cause severe operational impacts. For a prepared company, they are a blip on the radar and something to talk about after you hit your next team milestone. Does your institution have the training and safeguards in place to weather a cyber attack? Alpine Security has the tools to help. We offer a full range of private training for organizations to assist in cybercrime prevention as well as penetration testing, vulnerability assessment, and social engineering campaigns. Want to see how ready your company is for a cyber attack? Do not wait for the bad guys to test you. Let us help!

Author Bio

Figure: Isaac (on the left) hiking in Vietnam

Isaac Wright is a Cybersecurity Analyst and Trainer with Alpine Security. A veteran of the US Air Force, Isaac has more than 15 years’ experience in electronics maintenance and security. He holds degrees in Electronics Systems and Education and Training Management as well as a master instructor certification.
Isaac has a long history of maintaining, hacking, modding, and using electronics systems from networks and computers to radios and consumer electronics. Isaac has leveraged his expertise to advise CIOs in large multi-site organizations on vulnerability management and risk mitigation. When not teaching or analyzing network traffic, Isaac loves to play board games with family, fish, camp, and experience everything the world has to offer. An avid traveler, Isaac has been to more than 15 countries and especially enjoys Asia.

Institutional Safeguards and the Human Element

The Internet of Medical Things, also known as the IoMT, is one of the most revolutionary developments in healthcare today. It empowers physicians to monitor patients remotely by providing the patient with network-enabled devices. These devices can track a wide variety of processes, from medication compliance to blood glucose level. IoMT has become an extremely profitable industry. Let’s look at the statistics:
By 2020, as many as 30 billion IoMT devices will be in use worldwide.
By 2022, the market for IoMT will hit $158 billion.

The time has come to get very serious about IoMT cybersecurity.

Why IoMT Cybersecurity Is Worth the Trouble

IoMT devices offer benefits in every value metric of health care - patient outcomes, patient satisfaction, scientific advancement, and financial viability.

Lower Cost of Care

With the percentage of elderly persons rapidly increasing worldwide, experts are anticipating a potentially overwhelming rise in health care costs. The IoMT can make it possible for doctors to monitor patients remotely and send automatic recommendations when data exceeds the normal range. With this resource, doctors can lower costs by scheduling fewer in-person visits. Additionally, because IoMT devices report data automatically, they reduce the need for nurses and support staff to verify data. This makes for more efficient use of staffing resources and focuses more attention on patient care.

Better Outcomes

Today, IoMT is most helpful in ensuring patient compliance with doctors’ instructions. An enabled device communicates data regarding outcome-related behaviors such as medication adherence or exercise habits. The same devices can track whether a patient’s condition improves or declines, thus providing key information that physicians can use to adjust care recommendations.

Customized Treatment

The pharmaceutical and medical device industries are already using IoMT to innovate around patient-centered treatment. Patients with Parkinson’s disease, for example, now have access to wearable sensors that monitor and optimize medication use to improve patients’ quality of life.

Access to Research

IoMT devices allow researchers to gather vast amounts of data conveniently, thus allowing them to more easily recruit and monitor study participants. Optimizing this process benefits not only the researcher, who can spend more time with participants and evaluating results, but also the many patients who can benefit from experimental treatments.

Innovations in IoMT Technology

IoMT is going places - down a patient’s esophagus, to the grocery store, and even into a diabetic’s eye, all thanks to technology’s ability to get smaller, faster, and smarter.

Figure: Wearable medical device examples. Image source: https://www.researchgate.net/figure/Three-types-of-wearable-sensor-nodes-powered-by-thermoelectric-energy-harvesters-The_fig1_279634036

Wearable Medical Devices

As sensors become more advanced, device manufacturers have found ways to integrate them into wearable fabrics. This has led to advancements such as:

All of these advancements help patients to get better care and take control of their health outcomes.

Ingestible Sensors

In order to increase the number of patients who take their medication according to doctor’s orders – a number calculated by the World Health Organization at just 50 percent – Proteus Digital Health has developed ingestible sensors that track when a patient has taken his or her prescribed pill. This information travels to a smartphone app so that patients and their doctors can monitor adherence.

Figure: Glucose Tracking Contact Lens. Image source: https://www.engadget.com/2014/01/17/google-health-smart-contact-lenses-diabetes/

Glucose Monitoring

The Eversense XL system, distributed by Roche, uses an implanted sensor and rechargeable transmitter to send information about blood glucose levels to patients’ smartphones. Patients receive vibration alerts when glucose levels drop or rise to unhealthy levels, as well as phone notifications when levels appear to be approaching those thresholds. Users can also track their daily habits to understand what affects their blood sugar.

Glucose-Tracking Contact Lenses

Yes, you read that right. Google and Novartis have teamed up to create a network-enabled contact lens that measures the blood sugar in patients’ tears. The patient can view his or her data through a smartphone app and adjust insulin delivery based on results.

Figure: Ingestible sensor - camera. Image source: https://www.marsdd.com/news-and-insights/ingestibles-smart-pills-revolutionize-healthcare/

Swallowable Cameras

Doctors can now view the interior of a patient’s digestive system without uncomfortable endoscopy procedures. It happens thanks to PillCam™, a swallowable camera that provides internal views of the small bowel. As the camera travels through the patient’s system, advanced visualization technologies enable the physician to track speed of movement through the bowel and view images of potential abnormalities.
IoMT Out in the World

Not all IoMT devices are found in hospitals and laboratories. Many, like the consumer health wearables that have pervaded the consumer market, allow patients and their doctors to track health information on a day-to-day basis.

Fitness Trackers

Fitness trackers, like the well-known FitBit, are convenient wearable devices that track the body systems associated with exercise. They use:

These devices include software that can translate this information into health advice that the patient can use, but that’s as far as it goes. They don’t send data to doctors or recommend medications, but they do collect and store user information. If not properly encrypted, that information could fall into the hands of hackers who might sell or alter it. There is even the possibility that a hacker could attempt to ransom a patient’s own health data back to him or her.

Smartwatch Apps

Many smartwatches now have health tracking systems that monitor the wearer’s health data. The recently released Apple Watch Series 4, for example, tracks the wearer’s cardiac rhythm and notifies him or her if it detects any irregular heartbeats. The watch’s Health app, meanwhile, tracks your stress levels, physical activity, sleep habits, and nutrition. These trackers can connect to a number of other third-party apps, which increases the number of companies that have access to your data.

Remote Patient Monitoring

Remote patient monitoring, also known as RPM, is one of the highest-profile trends in the health care industry. The current shift toward value-based care is making a distinct space for RPM technologies, which have the potential to reduce health care costs while improving patient outcomes and the overall patient experience.

Figure: Steps to Hack a Pacemaker

The Downside – IoMT Cybersecurity Concerns

Medical information is very valuable to hackers – up to 10 times more valuable than a credit card number. But it isn’t just data that cybersecurity experts fear may be at risk. In 2012, the Showtime television series Homeland aired an episode in which a character hacked into the software that controlled the pacemaker of the US vice president. The hacker then used that access to take control of the pacemaker’s programming and caused a fatal heart attack. Shortly thereafter, then-vice president Dick Cheney’s medical team disabled the wireless feature on his pacemaker, fearing that the television program would inspire a terrorist to take similar action.

The Pacemaker Recall

In August of 2017, the Food and Drug Administration publicized a recall of 465,000 radiofrequency-enabled implantable pacemakers after a review identified security vulnerabilities. The FDA found that a hacker could use commercially available equipment to gain access to the device. With this access, a hacker could change the device’s programming and harm the patient by depleting the battery or ordering dangerous pacing. Fortunately, the FDA recall and the development of a firmware update occurred before any malicious access could occur.

Figure: Hacking Owlet infant heart rate monitors

Infant Health at Risk

In 2016 in the UK, the media reported a security vulnerability in the Owlet infant heart monitor sensor. Cybersecurity researchers found that while data sent between parent smartphones and base servers was secure, the networking between the sensor and the base server had no encryption whatsoever and could be accessed without so much as a login. That means that anyone within range could monitor the infant’s data, interfere with alert systems, or otherwise interfere with monitoring. The media deemed the situation to be the year’s worst IoT security risk.

Figure: Hacking insulin pumps. Image source: https://www.extremetech.com/extreme/92054-black-hat-hacker-details-wireless-attack-on-insulin-pumps

Insulin Delivery Made Vulnerable

All of those IoMT-enabled glucose monitors? Those are vulnerable to hackers too.

Hackable Medication Pumps

Research has also identified vulnerabilities in a particular brand of infusion pump, a type of technology that delivers medication into patients’ bloodstreams. In 2014, an independent professional reported that he had written a program that could instruct pumps to deliver lethal doses of medicine.
The researcher found these vulnerabilities in at least five pump models. Whole Systems at RiskIoMT devices also put the hospital at risk of what is known as a backdoor attack. In one well-publicized example, hackers used malware to infect blood gas analyzers, which are important for the monitoring of critical care and surgical patients. The infected devices allowed attackers to infiltrate hospital networks and extract confidential data, which was then sent to an undisclosed European location. A simulation of the attack revealed that the blood gas analyzers were routinely sending unencrypted data. That meant that the hackers could make any changes that they wished within the hospital system - to patient data, to treatment and diagnostic requests, and even to key administrative information. Identifying Key VulnerabilitiesThe IoMT would be a vulnerable situation even with adequate safeguards in place, simply because it sends and receives extremely personal information. Unfortunately, most of today’s systems are not set up to protect such private data. Outdated SoftwareSome working medical devices, such as CT scanners and even pacemakers, are upwards of 20 years old. These devices are capable of connecting to hospital systems but feature software systems that have not been conscientiously updated. Such systems are not set up to defend against today’s advanced threats, which can disable an entire hospital network through a single device. Departments Working in IsolationIn order for medical devices to be truly secure, all stakeholders must participate in screening for and responding to threats. This can be a difficult task in a complex healthcare organization where the primary focus is typically the immediate health of the patient. This isolated way of working does not stand up to the complex and interlocking demands of medical device cybersecurity. 
In order to defend systems and devices from intruders, stakeholders must come together to create a unified security strategy. Unclear Regulations and Poor ComplianceManufacturers and healthcare delivery organizations (HDOs) have traditionally lacked clear mandates regarding the security of medical devices. A 2017 survey revealed that just 44 percent of HDOs and 51 percent of device manufacturers followed FDA guidelines to make devices more secure, despite the fact that approximately 33 percent of both groups were aware of potential harm to patients if a security breach did occur. Improving Security and Protecting PatientsIn one of the first major steps toward improved monitoring of cybersecurity, the FDA recognized the UL 2900 standard for medical device cybersecurity in August of 2017. Officially published as UL 2900-1, the standard offers a series of checks designed to identify vulnerabilities. By recognizing the standard, the FDA enables manufacturers to indicate UL 2900-1 compliance as a response to cybersecurity concerns. Regulatory UpdatesIn late 2018, the FDA published draft guidelines that bring medical device cybersecurity requirements up to date with today’s risk set. Changes include:
The FDA hopes that aligning with the Framework will improve UL 2009-1 compliance. Recommendations, Not MandatesThe released documentation is geared toward premarket submissions and “contains nonbinding recommendations.” It is yet to be seen whether these recommendations are compelling enough to increase the percentage of manufacturers and HDOs that are actively trying to prevent attacks, a percentage most recently measured at 17 percent and 15 percent respectively. Recommendations for HDOsIn 2018, the FDA collaborated with government research contractor MITRE Corp. to develop a cybersecurity guide for medical devices. The guide provides recommendations for healthcare providers and other involved organizations to prevent and respond to cybersecurity incidents involving medical devices. It features such recommendations as:
The latter plays a particularly important role in uncovering security vulnerabilities. Only by identifying areas of potential risk can a provider screen for and correct vulnerabilities. Next Steps for Attack PreventionTechnology never stays still and neither do hackers. The new developments in protecting patient data and patients themselves will not be the end of healthcare cybersecurity, nor will they guard against every possible way of hacking IoMT devices. It is vitally important for all HDO’s to develop and implement medical device security and IoMT security strategies. These strategies need to include not only a screening and threat mitigation standard for current devices but also a plan for maintaining security on a continuing basis. Simplify Clinician ProcessesClinicians, both doctors and nurses, have their hands full with patient care. Any cybersecurity tasks, such as authentication checks, must be minimal on their part and automated as much as possible. Software updating and other processes must not disrupt workflow. Threat Mitigation TrainingThe concept of keeping the clinician involved but uninterrupted also applies to threat intervention strategies. All personnel involved with a device or network must know what to do if a data compromise occurs. Network SegmentationMany security experts are now advocating for increased segmentation of enterprise systems. By segmenting their networks, organizations can more effectively implement security checks and isolate any threats before they pose a widespread risk. Encryption of Patient InformationBecause IoMT devices expose more patient information to enterprise networks, it is important for electronic health records (EHRs) to be as secure as possible. Technology such as homomorphic encryption, which secures data even as it is being used, can keep patient information safe from unwanted access. 
Comprehensive Guide to IoMT Cybersecurity – Risks, Safeguards, and What We Protect

The Internet of Medical Things, also known as the IoMT, is one of the most revolutionary developments in healthcare today. It empowers physicians to monitor patients remotely by providing the patient with network-enabled devices. These devices can track a wide variety of processes, from medication compliance to blood glucose level. IoMT has become an extremely profitable industry. Let’s look at the statistics:
By 2020, as many as 30 billion IoMT devices will be in use worldwide.
By 2022, the market for IoMT will hit $158 billion.

The time has come to get very serious about IoMT cybersecurity.

Why IoMT Cybersecurity Is Worth the Trouble

IoMT devices offer benefits in every value metric of health care - patient outcomes, patient satisfaction, scientific advancement, and financial viability.

Lower Cost of Care

With the percentage of elderly persons rapidly increasing worldwide, experts are anticipating a potentially overwhelming rise in health care costs. The IoMT can make it possible for doctors to monitor patients remotely and send automatic recommendations when data exceeds the normal range. With this resource, doctors can lower costs by scheduling fewer in-person visits. Additionally, because IoMT devices report data automatically, they reduce the need for nurses and support staff to verify data. This makes for more efficient use of staffing resources and focuses more attention on patient care.

Better Outcomes

Today, IoMT is most helpful in ensuring patient compliance with doctors’ instructions. An enabled device communicates data regarding outcome-related behaviors such as medication adherence or exercise habits. The same devices can track whether a patient’s condition improves or declines, thus providing key information that physicians can use to adjust care recommendations.

Customized Treatment

The pharmaceutical and medical device industries are already using IoMT to innovate around patient-centered treatment. Patients with Parkinson’s disease, for example, now have access to wearable sensors that monitor and optimize medication use to improve patients’ quality of life.

Access to Research

IoMT devices allow researchers to gather vast amounts of data conveniently, thus allowing them to more easily recruit and monitor study participants.
Optimizing this process benefits not only the researcher, who can spend more time with participants and evaluating results, but also the many patients who can benefit from experimental treatments.

Innovations in IoMT Technology

IoMT is going places - down a patient’s esophagus, to the grocery store, and even in a diabetic’s eye, all thanks to technology’s ability to get smaller, faster, and smarter.

Image: wearable medical device examples (source: https://www.researchgate.net/figure/Three-types-of-wearable-sensor-nodes-powered-by-thermoelectric-energy-harvesters-The_fig1_279634036)

Wearable Medical Devices

As sensors become more advanced, device manufacturers have found ways to integrate them into wearable fabrics. This has led to advancements such as:
All of these advancements help patients to get better care and take control of their health outcomes.

Ingestible Sensors

In order to increase the number of patients who take their medication according to doctor’s orders – a number calculated by the World Health Organization at just 50 percent – Proteus Digital Health has developed ingestible sensors that track when a patient has taken his or her prescribed pill. This information travels to a smartphone app so that patients and their doctors can monitor adherence.

Image: glucose-tracking contact lens (source: https://www.engadget.com/2014/01/17/google-health-smart-contact-lenses-diabetes/)

Glucose Monitoring

The Eversense XL system, distributed by Roche, uses an implanted sensor and rechargeable transmitter to send information about blood glucose levels to patients’ smartphones. Patients receive vibration alerts when glucose levels drop or rise to unhealthy levels, as well as phone notifications when levels appear to be approaching those levels. Users can also track their daily habits to understand what affects their blood sugar.

Glucose-Tracking Contact Lenses

Yes, you read that right. Google and Novartis have teamed up to create a network-enabled contact lens that measures the blood sugar in patients’ tears. The patient can view his or her data through a smartphone app and adjust insulin delivery based on results.

Image: ingestible sensor camera (source: https://www.marsdd.com/news-and-insights/ingestibles-smart-pills-revolutionize-healthcare/)

Swallowable Cameras

Doctors can now view the interior of a patient’s digestive system without uncomfortable endoscopy procedures. It happens thanks to PillCam™, a swallowable camera that provides internal views of the small bowel. As the camera travels through the patient’s system, advanced visualization technologies enable the physician to track speed of movement through the bowel and view images of potential abnormalities.
IoMT Out in the World

Not all IoMT devices are found in hospitals and laboratories. Many, like the consumer health wearables that have pervaded the consumer market, allow patients and their doctors to track health information on a day-to-day basis.

Fitness Trackers

Fitness trackers, like the well-known FitBit, are convenient wearable devices that track the body systems associated with exercise. They use:
These devices include software that can turn this information into health advice that the patient can use, but that’s as far as it goes. They don’t send data to doctors or recommend medications, but they do collect and store user information. If not properly encrypted, that information could fall into the hands of hackers who might sell or alter it. There is even the possibility that a hacker could attempt to ransom a patient’s own health data back to him or her.

Smartwatch Apps

Many smartwatches now have health tracking systems that monitor the wearer’s health data. The recently-released Apple Watch Series 4, for example, tracks the wearer’s cardiac rhythm and notifies him or her if it detects any irregular heartbeats. The watch’s Health app, meanwhile, tracks your stress levels, physical activity, sleep habits, and nutrition. These trackers can connect to a number of other third-party apps, which increases the number of companies that have access to your data.

Remote Patient Monitoring

Remote patient monitoring, also known as RPM, is one of the highest-profile trends in the health care industry. The current shift toward value-based care is making a distinct space for RPM technologies, which have the potential to reduce health care costs while improving patient outcomes and the overall patient experience.

Image: Steps to Hack a Pacemaker

The Downside – IoMT Cybersecurity Concerns

Medical information is very valuable to hackers – up to 10 times more valuable than a credit card number. But it isn’t just data that cybersecurity experts fear may be at risk. In 2012, the Showtime television series Homeland aired an episode in which a character hacked into the software that controlled the pacemaker of the US vice president. The hacker then used that access to take control of the pacemaker’s programming and caused a fatal heart attack.
Shortly thereafter, then-vice president Dick Cheney’s medical team disabled the wireless feature on his pacemaker, fearing that the television program would inspire a terrorist to take similar action.

The Pacemaker Recall

In August of 2017, the Food and Drug Administration publicized a recall of 465,000 radiofrequency-enabled implantable pacemakers after a review identified security vulnerabilities. The FDA found that a hacker could use equipment distributed on the commercial market to gain access to the device. With this access, a hacker could change the device’s programming and harm the patient by depleting the battery or ordering dangerous pacing. Fortunately, the FDA recall and the development of a firmware update occurred before any malicious access could occur.

Image: Hacking Owlet infant heart rate monitors

Infant Health at Risk

In 2016 in the UK, the media reported a security vulnerability in the Owlet infant heart monitor sensor. Cybersecurity researchers found that while data sent between parent smartphones and base servers was secure, the networking between the sensor and the base server had no encryption whatsoever and could be accessed without so much as a login. That means that anyone within range could monitor the infant’s data, interfere with alert systems, or otherwise interfere with monitoring. The media deemed the situation to be the year’s worst IoT security risk.

Image: hacking insulin pumps (source: https://www.extremetech.com/extreme/92054-black-hat-hacker-details-wireless-attack-on-insulin-pumps)

Insulin Delivery Made Vulnerable

All of those IoMT-enabled glucose monitors? Those are vulnerable to hackers too.

Hackable Medication Pumps

Research has also identified vulnerabilities in a particular brand of infusion pump, a type of technology that delivers medication into patients’ bloodstreams. In 2014, an independent professional reported that he had written a program that could instruct pumps to deliver lethal doses of medicine.
The researcher found these vulnerabilities in at least five pump models.

Whole Systems at Risk

IoMT devices also put the hospital at risk of what is known as a backdoor attack. In one well-publicized example, hackers used malware to infect blood gas analyzers, which are important for the monitoring of critical care and surgical patients. The infected devices allowed attackers to infiltrate hospital networks and extract confidential data, which was then sent to an undisclosed European location. A simulation of the attack revealed that the blood gas analyzers were routinely sending unencrypted data. That meant that the hackers could make any changes that they wished within the hospital system - to patient data, to treatment and diagnostic requests, and even to key administrative information.

Identifying Key Vulnerabilities

The IoMT would be vulnerable even with adequate safeguards in place, simply because it sends and receives extremely personal information. Unfortunately, most of today’s systems are not set up to protect such private data.

Outdated Software

Some working medical devices, such as CT scanners and even pacemakers, are upwards of 20 years old. These devices are capable of connecting to hospital systems but feature software systems that have not been conscientiously updated. Such systems are not set up to defend against today’s advanced threats, which can disable an entire hospital network through a single device.

Departments Working in Isolation

In order for medical devices to be truly secure, all stakeholders must participate in screening for and responding to threats. This can be a difficult task in a complex healthcare organization where the primary focus is typically the immediate health of the patient. This isolated way of working does not stand up to the complex and interlocking demands of medical device cybersecurity.
In order to defend systems and devices from intruders, stakeholders must come together to create a unified security strategy.

Unclear Regulations and Poor Compliance

Manufacturers and healthcare delivery organizations (HDOs) have traditionally lacked clear mandates regarding the security of medical devices. A 2017 survey revealed that just 44 percent of HDOs and 51 percent of device manufacturers followed FDA guidelines to make devices more secure, despite the fact that approximately 33 percent of both groups were aware of potential harm to patients if a security breach did occur.

Improving Security and Protecting Patients

In one of the first major steps toward improved monitoring of cybersecurity, the FDA recognized the UL 2900 standard for medical device cybersecurity in August of 2017. Officially published as UL 2900-1, the standard offers a series of checks designed to identify vulnerabilities. By recognizing the standard, the FDA enables manufacturers to indicate UL 2900-1 compliance as a response to cybersecurity concerns.

Regulatory Updates

In late 2018, the FDA published draft guidelines that bring medical device cybersecurity requirements up to date with today’s risk set. Changes include:
The FDA hopes that aligning with the Framework will improve UL 2900-1 compliance.

Recommendations, Not Mandates

The released documentation is geared toward premarket submissions and “contains nonbinding recommendations.” It is yet to be seen whether these recommendations are compelling enough to increase the percentage of manufacturers and HDOs that are actively trying to prevent attacks, a percentage most recently measured at 17 percent and 15 percent respectively.

Recommendations for HDOs

In 2018, the FDA collaborated with government research contractor MITRE Corp. to develop a cybersecurity guide for medical devices. The guide provides recommendations for healthcare providers and other involved organizations to prevent and respond to cybersecurity incidents involving medical devices. It features such recommendations as:
The latter plays a particularly important role in uncovering security vulnerabilities. Only by identifying areas of potential risk can a provider screen for and correct vulnerabilities.

Next Steps for Attack Prevention

Technology never stays still and neither do hackers. The new developments in protecting patient data and patients themselves will not be the end of healthcare cybersecurity, nor will they guard against every possible way of hacking IoMT devices. It is vitally important for all HDOs to develop and implement medical device security and IoMT security strategies. These strategies need to include not only a screening and threat mitigation standard for current devices but also a plan for maintaining security on a continuing basis.

Simplify Clinician Processes

Clinicians, both doctors and nurses, have their hands full with patient care. Any cybersecurity tasks, such as authentication checks, must be minimal on their part and automated as much as possible. Software updating and other processes must not disrupt workflow.

Threat Mitigation Training

The concept of keeping the clinician involved but uninterrupted also applies to threat intervention strategies. All personnel involved with a device or network must know what to do if a data compromise occurs.

Network Segmentation

Many security experts are now advocating for increased segmentation of enterprise systems. By segmenting their networks, organizations can more effectively implement security checks and isolate any threats before they pose a widespread risk.

Encryption of Patient Information

Because IoMT devices expose more patient information to enterprise networks, it is important for electronic health records (EHRs) to be as secure as possible. Technology such as homomorphic encryption, which secures data even as it is being used, can keep patient information safe from unwanted access.
Protection can even be applied to personally identifiable information (PII), which is particularly valuable to cybercriminals.

Investing in Prevention

An ounce of prevention is still worth a pound of cure, both in patient care and in IoMT cybersecurity. As much as possible, security analytics and software updating should be automatic. The most critical and complex tasks can be passed on to a third-party provider with expertise in medical device security and the hacking of IoMT devices. The FDA has placed the burden of IoMT cybersecurity on the people who develop and use these devices. This adds a set of high-urgency tasks for companies that are already tasked with the safety and well-being of patients. It is unsurprising that experts urge companies to outsource high-level tasks to a company with the expertise to handle them. Alpine Security provides penetration testing services with a focus on IoMT devices. Through extensive experience in ethical hacking and identification of cybersecurity risk, we can relieve HDOs and manufacturers of the necessary burden to review and test all enabled devices, freeing those organizations to focus on patient outcomes.

Alpine Security Demonstrates Commitment to Medical Device Security by Sponsoring the Archimedes Medical Device Security Conference

O’Fallon, IL, January 2, 2019 - Alpine Security is proud to announce its support for the 2019 Archimedes Medical Device Security 101 Conference. As one of the conference’s top sponsors, Alpine Security hopes to boost awareness of the cybersecurity vulnerabilities currently present within the medical community — and the many opportunities for improving healthcare cybersecurity. Hosted by the University of Michigan’s Archimedes Center for Medical Device Security, this year’s conference will take place in Orlando on January 21st and 22nd. A variety of key industry players are expected to attend, including product engineering directors, clinical facilities engineers, IT security managers, and more.
This year’s speakers include Norton Healthcare’s AJ Aspinwall, Royal Philips Healthcare’s Jonathan Bagnall, and Edward Brennan from the Health Information Sharing and Analysis Center (H-ISAC). Support from Alpine Security and other sponsors has been instrumental in allowing these speakers and a variety of other panelists to share their expertise.

The team at Alpine Security is well aware of the threats that hacked medical devices pose, both in the medical community and in a variety of other industries and settings. Patients, in particular, are at risk — each United States hospital bed currently possesses between 10 and 15 devices, many of which are connected to the facility’s network. Just one malfunction can prove deadly, especially for high-risk patients for whom every second is of grave importance. As Alpine Security CEO Christian Espinosa points out, hospitals are uniquely vulnerable because they are open to the public.
Espinosa warns that hackers can easily find exposed ethernet connections or even hack into the facility’s wireless network while hanging out in the hospital cafeteria. Unfortunately, medical device security remains shockingly minimal at most healthcare facilities. This is where Alpine Security comes into play. In addition to supporting the Archimedes Medical Device Security 101 Conference, Alpine Security does its part to improve healthcare security by providing risk assessment and penetration testing services tailored for medical devices and healthcare environments. Using Alpine Security’s arsenal of penetration testing services, Healthcare Delivery Organizations (HDOs) and medical device manufacturers can more effectively address the risks brought about by modern medical device connectivity.

About Alpine Security

Alpine Security appreciates that every person and organization faces an increasing risk of cyber attacks. They aim to use their resources to do something about it. Alpine Security offers a variety of cybersecurity services, including risk assessments, penetration testing, training, audits, and incident response. The company’s team is committed to always remaining a step ahead of today’s tech-savvy hackers.

About Archimedes Center for Medical Device Security

The Archimedes Center for Medical Device Security was established to help manufacturers and industry experts navigate the operational hazards of cybersecurity implementation and prepare them for future challenges of FDA requirements. Archimedes is an independent, pioneering center focused on the education and advancement of medical device security where key industry players come together for learning in a safe place.
Data breaches arguably constitute the gravest risk modern businesses face.
According to an alarming report from the insurance company Hiscox, 70 percent of organizations are inadequately prepared for cyberattacks. This is particularly concerning in light of the multimillion-, even billion-dollar damages that can result from breaches. Already, far too many businesses have suffered devastating attacks; 45 percent of Hiscox’s poll respondents admitted to suffering at least one cyberattack in the past year, with many suffering two or more attacks. At the small to midsize business level, cyberattacks aren’t merely annoying — they can spell certain doom for those already struggling to get by. Hence the need for a robust security protocol. That’s exactly what the Center for Internet Security provides with its Top 20 list of Critical Security Controls. While these controls have been in the making for well over a decade, they’ve recently gained greater prominence at the federal and state level — and among private entities. Below, we offer an in-depth overview of this critical security tool, as well as suggestions for implementation:

What Are the CIS Top 20 Critical Security Controls?

The Center for Internet Security maintains detailed guidelines outlining prioritized actions known as critical security controls (CSCs). The goal is to proactively and effectively address security threats, thereby minimizing the potential for future data breaches. While any organization can benefit from implementing these controls, they are particularly valuable for those that currently lack a robust security protocol. The CSCs provide an accessible means of implementing security features while paving the path to a fully fleshed-out compliance framework.

A Brief History of the CIS Top 20 CSC

Before diving in to explore specific controls, it helps to gain a broader understanding of how they came to be. They were initially developed in response to a 2008 request from the Office of the Secretary of Defense, in which assistance was sought from the National Security Agency.
At the time, the NSA best understood the nature of cyber attacks and how to combat them, and the White House's cybersecurity mantra was "offense must inform defense." By the time the request reached the NSA, the agency had already compiled and refined a list of effective security controls dating back to the early 2000s, originally prompted by military requests. While the initial list was limited to official use, the NSA eventually agreed to share it in the hope of helping other government agencies improve their security. When the U.S. State Department validated the list, the controls were found to align closely with thousands of documented attacks against federal systems. To address significant security weaknesses, the State Department made integration of the controls a clear priority. The effort was an undeniable success: the State Department achieved an 88 percent reduction in risk across tens of thousands of systems. As a result, the controls quickly became the blueprint of choice not only for other federal organizations but also in the private sector.

Today, the CIS Top 20 controls are maintained and updated by a large team of volunteers drawn from every segment of the cyber ecosystem: auditors, threat analysts, policy-makers, users, and more, from sectors ranging from transportation to defense. Their feedback ensures that the controls remain effective against a range of threats while staying accessible, scalable, and practical to implement for a broad spectrum of businesses and organizations.
Defining the Basic Controls (Top 6)
(Figure: Basic CIS Controls)

The first six controls are often referred to as the "basic controls." While all twenty controls are valuable, the basic controls would ideally be implemented by every organization seeking to ready itself for future cyber attacks. They are:

#1 Inventory of Authorized and Unauthorized Hardware
Organizations must track every device on the network; without a detailed inventory it is virtually impossible to protect what is there, and this first control is the foundation on which all other CIS controls rely. Putting it into practice means identifying every relevant device and maintaining a current inventory. This can be a huge undertaking, so CIS recommends active scanning tools and other automated procedures. A scanner's output is only useful once it is compared against the record of what is supposed to be there: the devices that answer but are not in the inventory are the ones to investigate.

#2 Inventory of Authorized and Unauthorized Software
This control calls for active management of all software on the network so that only authorized software is installed, and so that unauthorized software that finds its way in is quickly detected and dealt with. Attackers regard organizations running vulnerable software as easy targets. Organizations that identify all existing software and build approved lists (allowlists) of what may run gain visibility and often save money by discarding unnecessary programs.

#3 Continuous Vulnerability Management
Every software update, patch, and threat bulletin also tells attackers where new vulnerabilities lie, even in systems that were designed to be secure, and as new vulnerabilities are reported, would-be attackers race to exploit them. Without continuous scanning and remediation, organizations fall behind, and the window between disclosure and exploitation is short.
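As an added example of the reconciliation step behind Control #1 (and, with a list of installed packages in place of the device list, Control #2), the script below is not code from Alpine Security, CIS, or the original post. It parses constructed scanner output laid out like the host lines an ARP sweep prints, compares it with a constructed authorized inventory keyed by MAC address, and sorts the differences into unauthorized devices, inventoried devices that did not answer, IP changes to record, and the address of a missing asset now answered by some other MAC. The host names, addresses, and inventory fields are all assumptions.

```python
"""Reconcile an active network scan against the authorized hardware inventory.

Added example for CIS Control #1; not code from Alpine Security, CIS or the
post. All data is constructed: the scan text imitates the "<ip> <mac> <vendor>"
host lines an ARP sweep prints, and the inventory fields are an assumed subset
of what the control asks an organization to record.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an ARP sweep of 10.0.20.0/24, with the kind of banner
# and summary lines a scanner prints around the host list.
SCAN_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:aa, IPv4: 10.0.20.5
Starting scan of 256 hosts
10.0.20.1    00:11:22:33:44:01    Cisco Systems, Inc
10.0.20.10   00:11:22:33:44:10    Dell Inc.
10.0.20.12   00:11:22:33:44:11    Dell Inc.
10.0.20.40   00:11:22:33:44:40    Hewlett Packard
10.0.20.77   DE:AD:BE:EF:00:77    Raspberry Pi Foundation
10.0.20.99   00:11:22:33:44:98    Dell Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending scan: 256 hosts scanned in 2.1 seconds
"""

# Constructed sample inventory, keyed by MAC because it survives DHCP lease
# changes; "portable" and the last recorded IP are fields the control names.
AUTHORIZED = {
    "00:11:22:33:44:01": {"name": "core-sw-1",     "portable": False, "ip": "10.0.20.1"},
    "00:11:22:33:44:10": {"name": "ws-finance-01", "portable": False, "ip": "10.0.20.10"},
    "00:11:22:33:44:11": {"name": "lt-hr-03",      "portable": True,  "ip": "10.0.20.11"},
    "00:11:22:33:44:40": {"name": "prn-floor2",    "portable": False, "ip": "10.0.20.40"},
    "00:11:22:33:44:99": {"name": "ws-legal-02",   "portable": False, "ip": "10.0.20.99"},
}

# A host line is an IPv4 address followed by a MAC; banners and counts are skipped.
HOST_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})(?:\s|$)"
)


def norm_mac(mac: str) -> str:
    """Canonical form so 'DE-AD-BE-EF-00-77' and 'de:ad:be:ef:00:77' compare equal."""
    return mac.lower().replace("-", ":")


def parse_scan(text: str) -> dict[str, str]:
    """Return {mac: ip} for every host line in the scanner output."""
    seen: dict[str, str] = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            seen[norm_mac(m["mac"])] = m["ip"]
    return seen


@dataclass
class Reconciliation:
    unauthorized: dict[str, str] = field(default_factory=dict)  # mac -> ip seen
    not_seen: list[str] = field(default_factory=list)  # inventoried names that did not answer
    ip_changed: dict[str, tuple[str, str]] = field(default_factory=dict)  # name -> (recorded, seen)
    possible_swap: dict[str, str] = field(default_factory=dict)  # name -> mac now on its IP


def reconcile(seen: dict[str, str], inventory: dict[str, dict]) -> Reconciliation:
    """Compare scan results with the inventory and sort the differences."""
    result = Reconciliation()
    inv = {norm_mac(mac): asset for mac, asset in inventory.items()}
    for mac, ip in seen.items():
        asset = inv.get(mac)
        if asset is None:
            result.unauthorized[mac] = ip  # unmanaged device: investigate
        elif asset["ip"] != ip:
            result.ip_changed[asset["name"]] = (asset["ip"], ip)  # update the record
    ip_to_mac = {ip: mac for mac, ip in seen.items()}
    for mac, asset in inv.items():
        if mac in seen:
            continue
        result.not_seen.append(asset["name"])
        # Something else answering a missing asset's recorded address deserves
        # a closer look: DHCP may simply have reissued the lease, or a device is
        # standing in for the asset. MACs can be spoofed, so even a clean match
        # above is evidence of authorization, not proof.
        other = ip_to_mac.get(asset["ip"])
        if other is not None and other != mac:
            result.possible_swap[asset["name"]] = other
    return result


def run_sample() -> Reconciliation:
    return reconcile(parse_scan(SCAN_OUTPUT), AUTHORIZED)


if __name__ == "__main__":
    r = run_sample()
    for mac, ip in r.unauthorized.items():
        print(f"UNAUTHORIZED  {ip:<12} {mac}")
    for name, (old, new) in r.ip_changed.items():
        print(f"IP CHANGED    {name}: {old} -> {new}")
    for name in r.not_seen:
        print(f"NOT SEEN      {name}")
    for name, mac in r.possible_swap.items():
        print(f"CHECK         {name}: address now answered by {mac}")
```

On the sample data the run flags the Raspberry Pi and the unknown Dell as unauthorized, records that the portable laptop picked up a new lease, and reports that ws-legal-02 did not answer while its old address is now held by the unknown Dell. Keying on MAC rather than IP is what makes the IP-change case a routine update instead of a false alarm; the trade-off, noted in the code, is that a MAC is trivially spoofable, so the scan confirms presence, not identity, and port-level authentication (802.1X) is what enforces the "prevented from gaining access" half of the control.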
#4 Controlled Use of Administrative Privileges
Attackers commonly rely on administrative privileges to carry out harmful actions inside a targeted enterprise. Most employees know this, yet even vigilant individuals fall victim to phishing: opening files from malicious sites, downloading problematic attachments, or merely visiting a website capable of exploiting the browser. If the victim was reading email or browsing with an administrative account, the attacker inherits those privileges. This control is one of the easiest to implement and one of the most effective: use a separate, dedicated account for administrative work, never for email or web browsing. Systems should also log administrative account use and alert on it, including changes to administrative group membership and failed administrative logins.

#5 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Ease of use often drives software adoption, sometimes to the detriment of security: default accounts and open services leave organizations and their key people vulnerable. Hence this basic control, which matters all the more in an increasingly BYOD (bring your own device) workplace. Rigorous configuration management, with hardened baselines applied and checked for drift, is essential if organizations are to keep attackers out.

#6 Maintenance, Monitoring, and Analysis of Audit Logs
While the cliché "an ounce of prevention is worth a pound of cure" certainly applies to cybersecurity, it is foolish to assume breaches will never occur; even organizations with excellent security are sometimes compromised. When the worst case arrives, it is important to be prepared, not only to respond quickly and effectively, but also because a detailed understanding of one attack, reconstructed from the logs, can lead to new controls that prevent the next one.

(Figure: Foundational and Organizational CIS Controls)

Foundational and Organizational Controls
The other two categories are the foundational controls and the organizational controls.
These areas can help enterprises shore up their security after they have mastered the basic controls; without that mastery, the additional controls are unlikely to deliver a viable security solution on their own. The foundational and organizational controls are:

Foundational CIS Controls
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control

Organizational CIS Controls
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

While there is clear value in every control on the Top 20 list, not all of them will prove accessible or applicable in every situation. Nearly all organizations, however, can benefit from implementing the controls CIS identifies as basic.

Comparing CIS to Other Frameworks
The CIS Top 20 is just one of several security frameworks relied upon by government and private enterprises alike. Other leading framework providers include the National Institute of Standards and Technology (NIST) and the Payment Card Industry (PCI) Security Standards Council. While these hold clear value, they can be difficult for small businesses to adopt. The CIS Top 20 serves as an essential stepping stone for those who feel intimidated by other frameworks or are otherwise unable to implement them. CIS controls can also be used alongside other frameworks; some companies even use the CIS controls to prioritize their work under an alternate framework.
Mandating Controls
Presently, the CIS Top 20 serves as a standard of care in California, where the Attorney General has partnered with CIS to help local businesses follow the practices outlined in the state's Data Breach Report. While CIS became a key California framework in early 2016, recent changes in the state's privacy laws have further underscored the importance of adopting the controls. Signed into law in 2018 and expected to take effect in 2020, the California Consumer Privacy Act supplements the state's data breach legislation, granting consumers the right to sue when a breach occurs and the business failed to protect the data with "reasonable" security procedures. The Act itself does not define "reasonable," but based on the Attorney General's earlier work with CIS, implementation of the CIS controls, starting with the six basic CSCs, is clearly expected.

While California has set the bar high, other state and local governments are beginning to follow suit with similar legislation. Michigan, in particular, has made great strides in encouraging adoption of prominent security frameworks: the 2018 Performance Audit Report from the Michigan Office of the Auditor General referenced NIST Special Publication 800-53 as the bare minimum for security controls. In Ohio, the CIS controls are highlighted as one of a few frameworks with which business cybersecurity practices would ideally conform. While the Ohio Attorney General maintains that the state's recent Data Protection Act does not set a minimum cybersecurity standard, it does create a valuable incentive for local businesses to step up their security efforts. In some states, CIS controls are not yet mandated, but they are used heavily by government entities.
Success at this level may eventually lead to broader mandates for government organizations and private businesses alike. As CIS points out, top users of the CSCs include the states of Arizona, Colorado, and Idaho. Beyond the state level, the CIS controls are increasingly used in major metropolitan areas, including Oklahoma City, San Diego, and Portland, among others.

Success Stories
The Center for Internet Security offers numerous case studies demonstrating how the controls protect against a broad range of threats. For example, CIS highlights a top banking institution that relies on the controls for gap analysis. The bank's Chief Information Security Officer explains, "If we are not quite meeting the intent of a particular CIS Control, we can identify areas to focus on and improve." This baseline has allowed the bank to maintain its status as one of the nation's most secure financial institutions.

While the value of the CIS controls is clear in banking and finance, many retailers have yet to adopt appropriate measures to protect their customers and suppliers. One outdoor retailer, however, is leading the way by performing a CIS assessment not once but twice every year. While the retailer also uses familiar frameworks such as NIST and PCI, a senior security analyst for the company explains that the CIS controls provide by far the biggest bang for the buck by helping prioritize work under the other frameworks: "We see the real value is in the CIS controls because they are more user-friendly and are a practical, prioritized framework."

In another case study, CIS reports that Corden Pharma adopted the CSCs to meet the diverse security requirements of the company's customers. Manager of IT and Business Systems John Nord explains, "[Corden Pharma] needed a more standardized security program for our company to be able to provide to our customers.
The CIS controls fit that need." Nord adds that, while initially daunting, implementing the CSCs is not nearly as arduous as adopting the NIST framework can be.

What Lies Ahead for the CIS Controls?
The CIS Top 20 are constantly evolving as new threats arise and as new technologies become available for keeping those threats at bay. In early 2018, CIS released Version 7, which, as CIS executive Tony Sager explains, "sets the stage for future improvements in measurement, implementation, and alignment with other security frameworks." Although pleased so far with the rollout of Version 7, companies are already looking ahead to Version 8. With new editions of the CSC released roughly once every three years, Version 8 can most likely be expected in 2021 or 2022. Until then, experts anticipate that states and municipalities will continue to follow California's lead in prioritizing these measures and working closely with CIS to ensure the adoption of robust cybersecurity controls.

Next Steps for Adopting CIS Controls
Regardless of how the CIS controls evolve, it is important to get a handle on your security program today, and the widely trusted CIS controls provide a valuable blueprint. Not sure where to start? Alpine Security's Enterprise Security Audit (ESA) service provides valuable insight into your organization's current security posture. Closely aligned with the CIS Top 20, this comprehensive assessment offers a holistic approach built on effective controls for cyber defense. Reach out today to discover how Alpine Security can assist your organization in adopting and abiding by the Center for Internet Security's Top 20 Controls.

via Tumblr CIS Controls: A Cybersecurity Blueprint to Prevent Cyber Attacks

There is no denying that most people want to avoid feeling uncomfortable as much as possible.
The problem with this mindset is that those who fear discomfort and uncertainty will always be stuck in the same place. The surest way to fail is to stay put for the sake of comfort.

Fear of failure ruins our lives
If you think about it, you will conclude that our biggest fear is not failure itself. What we truly fear is that other people will see us fail. This is a very common problem, and there is no logic behind it. When you fail, you feel that others will ridicule you or laugh at you, but no one laughs at failure. They may feel bad for you, but they fear failure more than you do; they are frozen by fear and never try anything new, because they would rather stay in their comfort zone. Imagine how ridiculous it would be to give up your goals and dreams because you are afraid of what others will say if you fail. The mere thought of it makes you cringe, and it should be more than enough to motivate you to take action.

Good things will never happen to you
People usually expect good things to happen to them in life. They say, "I'm a good person, I deserve good things, I know things will change," but the problem is that they are just standing on the road of life, next to everyone else who is standing there waiting for good things to come to them. This is a huge problem for many people, because they feel entitled to happiness and success simply because they are nice, honest, and decent. Those are not qualities that give you a free pass to success. The sad truth is that no one has ever achieved success by thinking this way. Imagine standing on a road and seeing a pot of gold a few miles away, with traps and pits all along the way. You will wait forever if you expect someone else to carry that gold to you. Anyone who reaches the gold is going to keep it for themselves.
They would be willing to share if you also walked toward that gold and took your chances with the traps. The same is true of everything we want in life: if we don't start heading toward what we want, there will always be someone else willing to take the risk. The point is that anything you want in life requires that you move forward and step out of your comfort zone.

Adding value to your journey
The greatest thing a person can do in life is add value along the journey to the goals they set. If your goals include being a competitive and highly valuable asset to any modern business, you will find that cybersecurity training is essential. We offer classes leading to official cybersecurity certifications that can add thousands of dollars of value to your paychecks. Step out of your comfort zone and invest in your future. Take action and move forward on the road to your dreams. Find out how to enroll in our courses and add massive value to your journey to success!

via Tumblr The Greatness of Being Uncomfortable