In lieu of the recent ransomware cyber attacks on critical supply chain assets, Enigma Forensics analyzes two recent cyber attacks and what lessons we have learned.
Cyber attacks on our supply chain. Will it stop? Enigma Forensics is a cyber forensic company and our love for data security keeps us focused on the 4W’s and 1H of a Cyber Attack. Here’s the latest of two very important cyber attacks on our crucial supply chain.
Who was involved? What happened? When? Where? How did it happen?
On May 7, 2021,Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, experienced a ransomware cyberattack. Colonial Pipeline carries gasoline and jet fuel mainly to the Southeastern United States. The cyber attackers impacted computerized equipment managing the pipeline. They took the company offline and wanted a sizable ransom to reverse the cyber attack.
This pipeline disruption caused an immediate reaction. Americans felt a rise in gasoline prices, people were panic buying and there were crazy long lines at the pump. Some areas reported no gasoline at all. What was the company’s response? Colonial Pipeline’s CEO Joseph Blount reported, they learned the criminal cyber attackers infiltrated Colonial’s computers through a legacy or old virtual private network, commonly known as a V.P.N.
Joseph Blount, CEO of Colonial Pipeline paid approximately $5 million in Bitcoin ransom to the attackers. Blount told the Senate Homeland Security Committee at a hearing, paying the ransomware was the hardest decision of his career. Blount said he knew how critical Colonial’s pipeline is to the country and he put the interests of the country first. When asked about the security on the particular VPN that was hacked, Blount said it was not a two-factor security password that texts to a phone but single factor authentication using only a plain text password. He said it was more complicated than the typical Colonial123 password. Lesson learned?
Following the attack on Colonial Pipeline, another ransomware cyber-attack occurred on our supply chain.
JBS Meat Packing Hack (it rhymes!)
JBS is considered to be one of the largest meatpacking companies in the world. At the end of May, they reported cyber criminals used ransomware to take over the company’s network systems and stopped meat production. JBS revealed they made a payment of $11 million to a Russian-speaking ransomware gang called “REvil” to protect JBS meat plants from any further impact on farmers, grocery stores, and restaurants.
Why are we seeing a surge in targeting a crucial supply chain?
There are many contributing factors in the recent wave of hacking attacks. It’s a fact more folks are working from home and lack the cybersecurity necessary to guard against intrusions. Another large contributing factor is that software used to allow bad actors to break into a network system is more sophisticated and readily available. The largest factor is that the United States companies are more globally connected than ever before therefore increasing their exposure to cybercriminals.
Who’s in Charge?
You might be asking who is in charge. It’s the United States Department of Homeland Security (DHS). Its stated missions involve anti-terrorism, border security, immigration and customs, cybersecurity, and disaster prevention and management.
Cyber Security Prevention
June 10, 2021 – The Department of Homeland Security Cybersecurity and Infrastructure Security Agency unveiled guidance for defending against ransomware attacks targeting operational technology assets and control systems, in light of the rise in critical infrastructure attacks.
Will 2021 become the year of heightened cyber security? What will it take for the U.S. Government get their act together? Here we are reported yet another cyber attack that gained entry through a supply chain. 2021 Year of Cyber Security!
As a Cyber Security company, Enigma Forensics is always interested in the 4W’s and 1H of a Cyber Attack. We would be remiss if we didn’t write a post about the most recent SolarWinds Hack allegedly by the Russians. Did the Russians time this cyber attack at precisely the moment in time when the United States is preoccupied? Amidst the Coronavirus shutdowns, the election results, the holidays, and the COVID-19 relief plan, it’s almost as if this particular Russian Hack completely flew under the radar.
The attackers gained entry by using a software update sent out by Texas-based software company SolarWinds, which counts multiple U.S. government agencies as customers. In early December 2020, the news media reported at least 200 organizations, including U.S. government agencies and other companies around the world, have been hacked as part of this suspected Russian cyber attack.
The New York Times reported on December 13, 2020, “The Trump administration acknowledged on Sunday that hackers acting on behalf of a foreign government almost certainly a Russian intelligence agency, according to federal and private experts — broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.” We can’t find any reporting on what information was stolen.
Who raised the alarm?
It looks like FireEye, a computer security firm first raised the alarm about the Russian cyber attack after its own systems were compromised back in early Spring of 2020. What perfect timing to stage an attack considering the whole country is preoccupied with the rise of the pandemic! FireEye discovered a supply chain attack that was accessed through SolarWinds Orion business software updates in order to distribute malware that they called “SUNBURST.” Experts agree this is the work of highly-skilled actors and was performed with significant operational security. But, the real issue is why didn’t the government cyber protection agencies that are sworn to protect recognize the breach? It took an outside company to inform them of the cyber attack.
Where was the Cyber Attack aimed?
In this case, the U.S. government agencies seemed to be the target. As noted before, the hack was done through what is called a “supply chain attack,” in which malicious code is hidden in legitimate software updates and meant to target third parties. Could it have been the Chinese masquerading as the Russians? President Trump laid claim that there was potential it could have been the Chinese and not the Russians.
When was the Attack Noticed?
As reported by the New York Times, in a statement after a briefing for committee staff members, Senator Ron Wyden of Oregon, who has often been among the sharpest critics of the National Security Agency and other intelligence agencies, said that the Treasury Department had acknowledged that “the agency suffered a serious breach, beginning in July, the full depth of which isn’t known.” But no one will say just how serious the breach was!
Today, as reported in the Hill, the headline reads, “Intel vice chair says government agency cyber attack ‘may have started earlier’.” Sen. Mark Warner (D-Va.), the vice-chairman of the Senate Intelligence Committee, said on Wednesday, December 30, 2020, that the cyberattacks on U.S. government agencies reported at the beginning of the month may have begun earlier than previously believed.
How did the Hackers Hack?
The hackers used malicious code inserted into legitimate software updates for the SolarWinds Orion software. This allowed the hacker to remotely access the victim’s electronic environment. In order to avoid detection, they used a very small footprint and went to significant lengths to lay low and blend in. Very stealth-like in nature! The malware attacked slowly and moved with precision, covering its tracks and using tools that were hard to detect. Does this sound familiar?
Check out another Enigma Blog
Related Articles – Recent North Korean Hack on Google
Phishing, Ransomware, Endpoint Security, IoT Devices and Cloud Jacking. What do they have in common? Top Five Cyber Attacks we are concerned about and you should be too!
The frequency of cyberattacks is growing. The following is Enigma Forensics’ top five cyber attacks that you should be made aware of.
Phishing Attacks are specific forms of email or text messages that are targeting victims to gain access to their personal information. Phishing messages often try to induce the receiver to click a link to a package shipment delivery message or other seemingly legitimate hyperlinks. It acts like a harmless or subtle email designed to get victims to supply login credentials that often become harvested by the attacker for later use in efforts to compromise their target. Sometimes phishing emails spoof the sender to be someone who has already been compromised. Once compromised, often times the compromised user’s mailbox is used to relay other outbound messages to known individuals in their saved contacts. This form of attack earned its name because it masquerades as an email of someone you may know and because you know the sender, you are more likely to nonchalantly open the email and click on the attachment to learn more about the content. With a click of a mouse, BOOM you can be compromised. This is a very easy and effective scam for cybercriminals. Warning: Do not open attachments or forward chain emails!
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge. The cybercriminal then holds the stolen information for ransom, thus the name! They may ask for a ransom payment in the form of digital currency such as bitcoin. Whether or not the victim pays the ransom depends on what information they have stolen or what criminals have threatened to do with the stolen information. Warning: Do not visit unsecured sites!
Remote Worker Endpoint Cyber attacks are currently the most popular because of the number of employees working from home caused by the Coronavirus. In the month of March, many workers were sent scurrying to their homes without companies placing proper cyber protection protocols. Employees are using their personal devices to conduct work and often are not fully patched, updated, and using encryption to protect their home devices against cybercriminals. Many company executives have been targeted at their homes, where they are much less likely to have commercial-grade firewalls designed to protect endpoints and company trade secrets.
IoT Devices attacks are a popular vehicle used by cybercriminals to establish a beachhead for launching lateral attacks across a home or work network. IoT devices involve extending internet connectivity beyond standard devices, such as desktops, laptops, smartphones, and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects. Embedded with technology, these devices can communicate and interact over the internet. They can also be remotely monitored and controlled. IoT Devices should be segmented and on a different network than corporate work from home devices. IoT devices pose a great threat because many of these devices lack automatic update processes and can become a beachhead for cybercriminal attacks in your home.
Cloud Jacking will increase with an estimated growth of cloud computing to be a $266.4 billion dollar industry in 2020. The idea of cloud storage makes one believe it is an improved option rather than the traditional on-premise computing storage. This will and has become a major security concern and has created a strong urgency to increase the creation of cloud security measures. Cybercriminals will up their game and cloud jack data information whenever possible. The race in on to see who does it cloud security better; the good guys or the bad guys. To protect against Cloud Jacking cyber attacks, organizations should enable two-factor authentication options, such as Google authenticator.
Two-factor authentication requires two of the three following means of authentication:
Something you know (A password)
Something you have (A key fob or cell phone authenticator)
Something you are (Retina Scan, Facial recognition, fingerprint)
How can we put an end to this protest? Cell phone forensics is the key to finding out who is organizing violent protests and looting by checking social media sites. It’s that simple!
Chicago Police Superintendent David Brown recognizes social media contributed to the rise in looting
Is Cell Phone Forensics the key to ending the looting? Chicago is reeling back from the third day of unrest and violent protest. Not only are we healing from a global pandemic we are now faced with the threat of violence in all of our neighborhoods. On Monday, we witnessed the third day of violent protest. It was reported that law enforcement arrested approximately 699 people and sadly, 2 people who were shot and killed in Cicero. Feelings of anger, frustration and despair are common threads that bind all of us. The question on everyone’s mind is when is all this going to stop? The Chicago Police department is dealing with a great deal; protecting the neighborhoods and at the same charged with stopping violence. The same violence that was started by a deadly police action.
Many have heard on mobile scanners that hundreds of people driving in caravans are traveling into the city from outside Chicago. Some believe these caravans are organized on social media and are encouraging violent protest and looting. Forensic technology can stop this type of organized violent protest. Once a bad actor has been apprehended, law enforcement needs to perform remote cell phone forensic analytics to discover social media posts, connect friends and followers to thwart passing of information. This is a new age of technology and our police department needs to be able to trace violent networks of people to respond in real time as to prevent personal attacks an property damage.
Enigma Forensics is an expert cyber forensic company that offers forensic imaging of cell phone, laptop and other electronic devices. We are able to analyze the electronic footprint left behind and provide detailed tracing to assist in litigation.
More about expert technology and cell phone forensics
Issues when working from home are bubbling up. Are you working from the dining room table on important company information? We discuss the importance of forming a work from home policy.
We have reached a new era of remote business at levels few companies ever planned for. We all know, COVID-19 has driven businesses and their employees to operate from makeshift home offices. As a result, many issues when working from home have been exposed. In some of our past blogs, Enigma Forensics has provided insight to trade secret theft and given direction on how to protect company trade secrets from cyber attacks. In this blog we will address the current issues that have risen since we are all working from home.
First and foremost, the mass exodus from the business office to the home office was done at the flip of a switch. Working from home took many companies by surprise, sending employees home expecting this to be a short period of time. Most companies didn’t have time to prepare a proper security plan. In an effort to offer more accessibility to their employees some companies loosened their security standards to allow faster and more convenient access for employees. Some encouraged employees to use their own personal devices. These procedures have increased the risks that companies will be cyber attacked and offer opportunities for trade secret theft and loss of business confidential information. To lessen these possibilities companies must develop policies that address the risks.
Enigma Forensics suggests creating a work from home policy to inform employees of their obligations. Companies need to communicate how important it is to stay secure and that the future of the company depends on it. Employers must insist each employee maintain a two-factor authentication process to secure sensitive information. Each employer must restrict unauthorized access to company data. In other words, keep the kids off the company’s computer. It’s also imperative to prohibit the use of unauthorized third party cloud storage sites, and to make sure to apply security software to protect company data. Most importantly, no sharing of company devices.
Some more simple procedures companies can implement to protect their end points include:
Ensure endpoints have patch software and security updates applied monthly
Audit and enable Windows Defender or other Antivirus Solutions to protect end points
Ensure computers accessing company data are set to auto lock after five minutes of intactivity
Provide employees with dedicated work only equipment
Audit and ensure satellite workers have a firewall protecting their endpoints from potential attackers
Kids at home with not much to do may be interested in installing the latest video game on your computer which could introduce security vulnerabilities at home.
Enigma Forensics also suggests developing an inventory of what employee has access to which files. Know who is printing confidential information, and identify if family members have access to the same devices. Once all this is mapped out, a risk assessment needs to be conducted. Identify which employees have access to sensitive information should be prioritized and secured appropriately.
Eventually we will all be back working in the office but COVID-19 has exposed the need to increase security and to learn more about how your employees are utilizing company owned devices.
To Learn More About Trade Secret Theft Check out our blog below
Secure Cloud Data! Large organizations buy cloud services that provide storage on servers and other devices and connect with computer networking equipment throughout the world. So, how are they securing the data? Experts Lee Neubecker and John Blair say start with knowing what data is being stored.
What steps do organizations need to take when securing data in the Cloud?
The Cloud is digital storage that is physically secured and stored on big servers owned by big companies and made accessible through the internet. These big companies are connected with other computer networking equipment throughout the world. Does this sound too big to secure? Experts say there’s no time like today to understand where your data is stored and how it’s secured.
Today on the “The Lee Show”, Forensic Expert, Lee, and his guest John Blair who is cyber governance and information technology expert, explores the complexities of cloud-based security and storage. John suggests starting with obtaining a holistic inventory of your organization’s data and most of all be aware that some employees bring their own applications and use their own personal device to store organizational data. Check out this video on securing data in the cloud to learn more about cloud storage and cyber risk.
Part 1 of our 2-Part Series on the Securing Data in the Cloud
The Video Transcripts on Securing Data in the Cloud follows
Lee Neubecker: Hi, I’m here today with John Blair. John is a cyber governance and information technology expert. He’s on the show here today with me to talk a little bit about securing your data in the cloud. Thanks for being on the show again, John.
John Blair: Hi Lee, good to be back, thank you.
LN: So we’re talking about cloud cyber risk. What do organizations need to be looking at to help secure their data in the cloud?
JB: I think first and foremost, you need to understand where is all the data and how do people get data in and out of their environment? There’s a lot of things typically called Shadow IT, where certain departments or certain users might you know, for example, start sending things to Dropbox to sync data amongst themselves to make it easier for themselves. But they might be syncing confidential information that’s not on Dropbox and the organization has no idea about it. You know, that scenario plays itself out over and over and over again, where there might be departments that actually use applications in the cloud that thus obviously, are processing data as well that the organization might not know about either. So you need to get an inventory of data. Where is it from a holistic point of view?
LN: And today you have the Bring Your Own Cloud, BYOC,
LN: Many employees are bringing various apps with them that they’re used to using from their prior employers, and they’re wanting to use these apps. Sometimes they’re putting them on their smartphones and whatnot.
JB: And that’s driving a lot of the corporate action towards that. The cloud for first and foremost is a cost-savings for the most part. But what people are not realizing is that along with those savings comes certain responsibilities. And, from a user perspective, you know, people are used to as you said, people are used to certain applications, they’re used to certain things on their phone, or on a tablet or they’re used to working in a certain way with certain applications. And then you get in a corporate environment and those applications or that way of working might not be available. And so people start voicing that, and it becomes, you know, somewhat of a problem for corporate to adapt and keep up.
LN: So organizations, especially healthcare-related organizations, as well as financial services and other organizations that depend on intellectual property have a real risk here, don’t they with people bringing apps?
JB: They have a very big risk. Both of those sectors are heavily regulated. Data needs to be very tightly controlled. Breach notifications in the event that it happens become a very big deal, very public. And if you can’t explain where the date is, and where you know, who has it, then you have a problem.
LN: So isn’t there also risk not only faster dissemination of intellectual property and trade secrets, but what if the information becomes compromised by malware or a hacker to morph the data or destroy the data?
JB: Yeah, your only recourse at that point is to have really, really good backups. Because otherwise, you have no actionable direction to take. If you don’t have a backup of that data, you know, you have no ability to recover. It still might be considered a breach, a lot of times, and certain organizations or certain regulations. So you still might have to report it, even though the data has never left your organization, the fact you’ve lost control of it might be considered a breach. So that might be something you’d have to consider with your legal teams. But it’s not, it’s still a very big deal because you no longer are able to use it.
LN: So don’t you have a risk though, that if your backup is online, that the attacker could compromise your primary source and then your backup drive attached to your server?
JB: Well, hopefully, they haven’t gotten that far. But if generally speaking, your backups are always in the separate physical location, and not necessarily on the network.
LN: So you rotate them?
JB: and they’re separate, you know, media and things like that, but yeah, if you’ve gotten to the point where they’ve corrupted your database, they’ve encrypted your database, and they’ve also encrypted or destroyed your backups, you’re, in a very bad way.
LN: So knowing that hard drives sometimes fail, if you’re using a physical hard drive to write the data to, what do you think most organizations should be doing to ensure they have a certain number of versions that they can restore to?
JB: Well, normally backup systems are version controlled and so you do backups based on frequency. You do daily, you do hourly, you do you know, on the spot, so there point in time, a lot of times where there’s a lot of people, organizations, that can afford it have failover data centers, for example, that are mimicking the primary data center. So there is no loss of processing. but that’s very, very expensive to do. But yeah, you should definitely have you know, off-site storage of data. But those are all historical, and things that are not necessarily online that you can immediately refer to those lesser compromised to your point. LN: So when you’re considering bringing in a cloud provider to your organization, is it an official, non-shadow ware operation? What are some of the questions you ask of your vendors and things that you look for to help secure, ensuring those cloud providers are secure?
JB: Right. First and foremost, do they have some sort of testations with respect to the services you’re going to use for that provider? Cloud providers have hundreds and hundreds of services, not all of them are audited by an independent auditor, not that that guarantees anything, but at least if it’s the services you’re going to use or the applications you’re going to use. or the locations you’re going to use with that cloud provider, then you have something to point to say, you know, we did our due diligence, and they have these SOC 2’s or whatever form it might take. But you have to do something on them to ensure that, because the cloud is half their responsibility and half of yours, and you have to make sure they’re doing their half.
LN: So what other things do you think that organization should look for if they’re using data in the cloud, how to maximize the security of that data?
JB: First and foremost, I think they need to within their own organization, block these drop boxes and the Google drives and all that sort of stuff like that, so that people individually can’t make you know, downloads for example, from the database and then upload it to Dropbox or Google Drive or whatever, and then go home and look at the same documents. You know, from a personal perspective, that’s very convenient, it’s very nice to have to be able to sync and you know, you can use one, one central source of the information, but from a corporate perspective, that isn’t your data. It’s a corporation’s data. And so, you know, the corporation needs to be responsible and know where that data is going, and how to prevent it ideally, from getting there. It’s very easy to drop, you know, to block Dropbox at a network level, you know, but the problem is that there are hundreds of those types of things to block. And so you know, you need to do a lot more care from a corporate perspective internally to make sure that your users aren’t putting data someplace where you lose control of it.
LN: And are there any, any other things that you’d recommend adopting if you’re going to use these cloud platforms to help ensure that hackers don’t get access to user accounts?
JB: That’s an interesting one because as yours been, you know, almost all those user accounts have been hacked at one point or another. And so the only thing protecting me at this point is a password. I think multi factors in you know, bio authentication type of actions are the only thing you can do to improve your chances of those accounts not being used by inappropriate people. Because the accounts themselves are basically public knowledge, you know. Your, you know, your username is public knowledge, the only thing protecting it is a password.
LN: And so, you know, the multi-factor authentication actually addresses and requires that you have to have three factors. Something you know, something you are, or something you have.
LN: So, for instance, many people know their password. They might have a thumbprint or they might have their cell phone.
LN: That is something that they have. So you know, having that second factor makes it less likely that someone can simply get the password and get in.
JB: Right, where they send like to your point the phone, they send a code to your phone, you enter the code into the application–
JB: And then you gain access. Until then you’re simply at the network border.
LN: So on our next video, we’re going to be talking a little bit more about, again about the cloud, cyber risk security and specifically we’ll talk about some of the legal and compliance issues that arise. Thanks for being on the show.
JB: Thanks, Lee. My pleasure.
Other related articles about securing data
National Institute of Standards and Technology on Securing Data in the Cloud
What are some of the potential problems for an organization trying to secure Windows 7? Cyber Security Experts Lee Neubecker and Atahan Bozdag say it’s analogous to owning a home and not maintaining it, eventually something breaks and it’ll cost you a fortune to fix!
Securing Windows 7 Environments
On January 14, 2020, Microsoft announced support for Windows 7 has ended. As reported by Microsoft, “Technical assistance and software updates from Windows Update that help protect your PC are no longer available for the product. Microsoft strongly recommends that you move to Windows 10 to avoid a situation where you need service or support that is no longer available.” It’s official…it’s the end of Windows 7! We have to end our love affair with Windows 7 and move onto Windows 10. What does that mean for the end-user? Well, if you stay on Windows 7, you will deal with constant security threats, and there will be no more updates or support. If you upgrade it’ll cost you approximately $139 for a home computer, $199 for a small to large business and $309 to upgrade a workstation that needs a faster powerful operating system.
Cyber Security & Computer Forensic Expert Lee Neubecker and “Fellow Forensicator” Atahan Bodzdag break down what impact is imposed on cyber security when computers no longer receive service patch updates or support for Windows 7. They discuss the usage of Windows 7 by the Health Care organizations that are resistant to change or have application that have not been ported to work with Windows 10.
Atahan Bodzdag provides an overview of top three items that all organizations dependent on Windows 7 should be undertaking to maintain cyber security resilience.
Window 7 Security Vulnerabilities
The Video Transcript Follows
Lee Neubecker: Hi, I’m here today with Adahan Bozdag. Thank you for being on the show Adahan.
Atahan Bozdag: Thank you for inviting me, Lee.
LN: Atahan is a fellow forensicator and cybersecurity expert. He works within the healthcare sector and works internally to an organization, doing some of the things I do as an expert witness outside an organization. And today we’re going to be talking about Windows 7, the end of the life cycle of Windows 7, and some of the cybersecurity issues relating to organizations that are in Windows 7 and are trying to prevent future data breaches. So, Adahan, could you tell everyone a little bit about what Microsoft did recently as it relates to Windows 7?
AB: Well, as you said, Windows 7 end of life cycle happened. It’s was January 14, 2020. They stop patching Windows 7 environment, so it is vulnerable to any attack after the date. January 14, 2020.
LN: So then when people report their CVEs, detailing vulnerabilities on Windows 7, eventually they’re up there for the hacker world to see. and to exploit because Microsoft’s not patching that operating system.
AB: Very true. It’s a dream come true for the hackers.
LN: Yeah, well, no more data patches means what exactly?
AB: It means that you are more vulnerable to attacks.
LN: So every day the risk of cyber compromise only grows for organizations still on Windows 7.
AB: Very true.
LN: So, what is for the non-technical person out there, could you explain what this is analogous to?
AB: Well, I can give you the house analogy. You buy a house and you don’t do any upgrades. You don’t do any maintenance. Something is going to break. So this is what’s going to happen with Windows 7. Because there’s no more patch, there are no more updates, there’s no more security involved in it. At one point if you still continue using it, you will get breached.
LN: So, it’s kind of like your locks start to fall off the door at a particular time
AB: Exactly, exactly.
LN: And if you consider the contents of a health care provider, to have sensitive data like patient medical records, electronic medical records, protected health care information, or PII, all of that stuff is vulnerable to exfiltration?
AB: Yes, very, yes.
LN: So, why are people still using Windows 7, given this threat?
AB: Well, some applications are not upgraded to work with Windows 10, and what happens. So then a lot of people working in the corporate environment are resistant to change because the applications are not working with Windows 10. So those,
LN: Or they just like the cleanness of Windows 7, relative to Windows 10, which
LN: It has a lot of bloatware loaded on it if you’re getting the version off the shelf.
AB: True, true.
LN: Who really needs to have all these games on their environment?
AB: Exactly. But at the same time, every healthcare company that, you know, even my company that I’m working for, we have a golden image that we create, which are stripped down from all those games and stuff like that. So we don’t use those. But, to get there, there is always an image needs to be updated in Windows 10.
LN: So what are some of the potential problems for the organization that stays on Windows 7 and just doesn’t get with the program to migrate off?
AB: Well, first thing is, APT.
LN: What’s an APT?
AB: APT is an Advanced Persistent Threat.
LN: That’s like that nation-state, Big Brother lurking on the chips of the computer device, waiting for a moment to attack, right?
AB: They can infiltrate you. They can do nothing, just sit and wait, and look at your data. And we have seen that in many breaches. The time that you found out that the company was breached, they’ve been in the system for more than six, seven months. So they were collecting data slowly by slowly, and at one point they turned the engine on, and then the doomsday attack starts. Suddenly you start losing data. Deletion happens and then, they grab everything out from your system.
LN: “So there’ ve been a lot of nation-states making threats.
AB: Oh, very much so.
LN: This could be a huge opportunity for certain nation-states to get themselves onto hackable systems and merely wait until the opportune time to strike is such that they could magnify the damage.
LN: We have a power outage,
LN: And they were to strike at that time, that would probably magnify the damage significantly.
AB: Very, very much. And now you’ve been talking about those in your other videos about these kinds of things. The cyber realm is another way of attacking our national interests. Health care is one of them.
LN: So let’s assume that an APT gets into a health care environment, health care provider’s systems, and they’re able to access electronic medical records, EMR, patient health care information, what might they want to do with that information?
AB: Well, patient records, especially the names, social security numbers, medical records, everything is sellable in the Darkweb.
LN: And it’s worth a lot more than just giving social security numbers.
AB: It is. True. It’s like a single record may go for $35. If you got about 10,000 records, 10,000 records times about $35.
LN: It’s likewise though, that data exfiltrates, and it gets out there in the market, the health care providers are looking at potentially significant financial damages, as well as reputational damage.
AB: Yes, yes. Because when these things happen, suddenly you have to report this either to the government or to the media. And then afterward the penalties will come. And investigations cost a lot of money. Penalties are really severe And doing all of these things, and if you’re still in the Windows 7 environment you’re actually opening yourself to these kinds of attacks.
LN: Yeah so, when these data incidents happen, as you like to call them, what do you see the role of internal IT investigations versus an outside computer forensic firm like myself specializes in data breaches and EMR. What is the typical role and function of the internal versus the outside expert witness?
AB: Internal it’s you know like myself, we do the investigation internally but we would love to hire, I mean we would like to hire an outside investigation, to give unbiased information. Saying that if you go to the legal ways that you will be able to say that hey, I’m not involved with this company I’m doing this…
LN: Sometimes, there’s benefit to having an outside forensic expert that’s independent speak only to the issues that are relevant and not necessarily have a knowledge of who was in IT that got fired or any of that other stuff that isn’t really relevant to the investigation but could create risk for the health care provider.
AB: True. True.
LN: So with regard to reporting obligations, let’s say you find that there was indeed exfiltration of patient data and that information left the organization, what are the reporting obligations?
AB: Well the best way that I can tell right now is if you were at the hhs.gov or consult your attorney it will actually tell you especially the website, will tell you what are the reporting obligations. There are multiple levels. If I go into details over here, it’s not going to last.
LN: Got it. And so, we talked about exfiltration but what can happen if someone gets in and actually deletes patient medical records?
AB: Well, the first thing is in hospital systems that patient who’s going to be either going into surgery or something like that, they will not be able to get, pull out the data.
LN: And so people who have a need for critical life-saving care, might actually die.
LN: Or worse yet, if someone were to alter the medical records
AB: That is a threat
LN: And say instead of your left lung having cancer it’s your right lung and you get the wrong lung removed, that’s a real problem
AB: It’s a big problem.
LN: So if you have to say, wrap it up what would be the top three recommendations you make to health care organizations to help defend against the potential future data breach that’s from running Windows 7?
Top 3 Measures to Defend Windows 7
First is implementing operate plan to leave Windows 7, immediately. That’s a given fact.
Second, isolate Windows 7 legacy into VDIs which we call the Virtual Desktop Environments. Isolate them from the network.
And the third, make sure that your disaster recovery is in place and you do periodic tabletop exercises.
LN: Well thanks so much, that was really informative. I appreciate you coming on the show.
A cardiac pacemaker is a lifesaver for many and is considered an implantable medical device. The FDA imposes regulations to protect these devices. Experts Lee Neubecker and Sterling Medical Devices, top engineer, Keith Handler examine FDA Quality System Regulations, ISO standards, and FDA guidelines used by Sterling Medical Devices that are essential to the manufacturing practices.
FDA Cybersecurity regulations in medical devices is a tough topic! Consider the cardiac pacemaker, probably the most notable life-saving implantable medical device. Did you know that it is operated by a computer chip? Just like any other computer they can be vulnerable to cybersecurity breaches.
Experts Lee Neubecker and Sterling Medical Devices, top engineer, Keith Handler examine the FDA’s Cybersecurity quality system regulations, ISO standards, and guidelines followed by Sterling Medical Devices to ensure cybersecurity for all their devices.
Tune in to Part 2 of our 3 Part Series on Medical Devices
The FDA Cybersecurity Regulations: Medical Devices Video Transcript Follows.
Lee Neubecker (LN): Hi, I’m back on the show today with Keith Handler, Keith, thanks for being back on.
Keith Handler (KH): Thanks again for having me.
LN: And Keith, again, is from Sterling Medical Devices, and today we’re going to talk about what measures are in place, that the FDA imposes to help ensure cybersecurity on medical devices, especially safety of PHI, and safety of the operation of those devices for end-users. Thanks again for being here.
KH: Yeah, thanks for having me. So, cybersecurity. It’s a tough topic, and the FDA is still figuring out how exactly to deal with it. They have issued guidance that attempts to categorize how high the risk is of cybersecurity for a device and the basic standards you need to follow in designing, and testing, and documenting your processes for developing that device. That guidance is currently how we generally implement most of our analysis processes and controls. The FDA has chosen to recognize certain certifications, such as UL 2100-1-2.
LN: And what is UL 2100-1?
KH: 2100-1 is a certification for network-connected systems, as far as cybersecurity is concerned, and 2100-1-2 is a subset of that standard, specifically for medical devices connected to the internet or a network. Mostly that standard follows the 2100-1, with a couple of modifications, based on the fact that medical is safety-related.
LN: Have you seen any changes in the standard since the WannaCry attack that took out a lot of the UK hospitals?
KH: Nothing that I can point to specifically. You know, that really comes down to changing specific vulnerabilities, our knowledge about them, and the attack vectors that we know that are capable of executing these things, cataloging them, making sure that we plan for them in future designs.
LN: So I know Bluetooth is a protocol that’s vulnerable to exploitation. I think at one point in time, there was a warning that everyone should take their pacemaker and get it updated. Were you familiar with that?
LN: Can you tell people a little bit more about what happened?
KH: Yeah, well, in that specific case, I’m not actually 100% sure what occurred there, but most of the time your issues are, with a lack of authentication, a lack of encryption, you need to be sure that what the device is talking to on the other end is exactly who they expect it to be, what they expect it to be, and you have to make sure that that communication is secured and unchanged, unaltered. Typically, that’s done by using specific security libraries, integrating them in careful ways, making sure that all communication over the wire is encrypted, things like an asynchronous key generation.
LN: I think, just from my memory of events, one of the problems they discovered is that these protocols, there’s a period of time before authentication occurs, in the preamble when there’s broadcast of the Mac address, the wireless name, and whatnot, where there’s a potential to create an overflow situation, to actually compromise a device before encryption and authentication occurs.
KH: Yes, in certain system designs it is that way.
LN: And, unfortunately, these protocols are, you know, they’re everywhere. So, at the time, I believe that the chip makers and various equipment providers, not just only in the medical area, but across the board, had to create fixes that help protect against these types of cyber-attacks.
LN: So, you were talking about UL 2100-1-2, what about TIR57? Can you explain what that is?
KH: So, AAMI TIR57 describes how to marry up the processes of medical safety risk analysis and security analysis. It’s an attempt to show that the security analysis process is actually very similar and very familiar for anybody that’s done the safety risk analysis before. More of less, it takes ISO 14971 and applies security risk management to it with a mix of a little bit of some NIST standards in as well. But the general idea is to really categorize what assets you’re protecting in your system, and the known vulnerabilities that your system has, and then from there, you attempt to determine a list of known attack vectors and categorize the profiles of your possible attackers. With a combination of that type of information, you can assess what the real vulnerabilities and risks are for your system, and design in controls, from the ground up, to make sure that you’ve protected against them.
LN: Yeah, well, this is really fascinating stuff. I appreciate you being on the show, and I look forward to our next segment talking more about cybersecurity and how to keep these devices safe.
KH: Thanks again for having me, Lee.
Don’t Miss Part 1 of this 3-Part Series on Medical Devices
Chicago Tribune reported, “US says Chinese military behind Equifax breach that stole Americans’ personal data” Data Breach Response Experts Lee Neubecker and Kari Rollins say “Data Breach is inevitable!” They give us advice on how to prepare.
Sedona Conference Incident Response Guide
It is not a question of if you will fall victim to a Data Breach incident, it is when. Organizations large and small need to be ready for when cybercrime strikes. Data Breach Response Experts Lee Neubecker and Kari Rollins know how to prepare for a data breach without breaking the bank. Kari is a partner in the Intellectual Property Practice Group for Sheppard Mullin in New York, and also a member of the Sedona Conference, Working 11 group. Kari describes the Sedona Working 11 as a group of Cyber Breach Experts who design tools and how-to resources that are available to the general public through the Sedona Conference website. The Sedona Conference is a nonprofit research and educational institute that brings together jurists, lawyers, experts, and academics. Kari and Lee share their combined knowledge and talk about the options available to small to midsize companies that may not have the resources in-house necessary to respond to a data breach incident.
Watch Part 1 of our 3 Part Series on Data Breach Readiness follow:
The Video Transcript of Data Breach Response Experts Kari Rollins and Lee Neubecker Follows
Lee Neubecker (LN): Hi, I’m here today with Kari Rollins. She’s the co-managing partner of the New York office of Sheppard Mullins. Thanks for being on the show.
Kari Rollins (KR): Thank you for having me.
LN: And I had Kari, she’s a specialist in the whole area of privacy related litigation involving data breaches and personal information and what not. She’s also a member of the Sedona Conference. Could you tell everyone a little bit about what the Sedona Conference does?
KR: Sure, so the Working Group 11 is the Working Group that is dedicated to helping companies and other practitioners understand some of the hot topics and legal issues in data privacy and cybersecurity today that are rapidly evolving as the laws in that area change. And the Sedona Conference itself is dedicated to pulling together practitioners from private sector, public sector, judges, regulatory authorities who all come to talk about their experiences in these different specialized areas so that it you know, you have a knowledge base with a wide variety of perspectives.
LN: Great and so I asked you to come on to talk a little bit about the data breach incident response guide that the conference came up with. Can you tell us what this is about?
KR: Sure, so as a member of the Working Group 11, several of us at the request of Sedona Conference came together to put together what our views were on how to handle a data breach, or an incident response from the very beginning of the breach life cycle, i.e. planning for and anticipating a breach, through the breach investigation itself and even thinking about issues that may be implicated in a post-breach regulatory inquiry and how companies can best defend themselves and prepare for what is now today, the inevitable, a data incident.
LN: So this is a free resource available to anyone?
KR: It is a resource available to anyone. It’s really a practitioner’s guide. We think this is probably best used by small to midsize companies who may not have the resources or staff in-house, legal staff in-house dedicated to responding to incidents. And it’s, though it can be used by any practitioner, any counsel, any type of company, we do expect that this is probably something that would be useful to small to midsize companies as really a guideline and material to help them issue spot and understand what are the issues in incident response? What should I be concerned about? What are the pitfalls? What am I going to need to be on the lookout for?
LN: Great, and if people want more information about this or want to download the guide, where can they obtain it from?
LN: Great, so in our next segment, we’re going to be talking a little bit about what should be done before a data breach happens.
LN: And then in our third segment, we’ll talk a little bit about okay, the data breach happened or an incident happened, what do you need to do to respond? So watch those segments and tune in again. Thanks Kari for being on.
KR: Thank you.
View Related Articles here
More Information about Kari Rollins and Sheppard Mullin
Artificial Intelligence (AI) can be used to vastly improve the eDiscovery document review process. Zylab is one of several eDiscovery vendors offering solutions utilizing AI. Lee Neubecker, Computer Forensic Expert, and President & CEO of Enigma Forensics met with Jeffrey Wolff, Director of eDiscovery Solutions at ZyLAB during his visit to the Legal Tech Conference 2020 in New York. Lee and Jeffrey discuss how AI can be used to conduct more effective eDiscovery.
Artificial Intelligence (AI) technology is everywhere. It’s hard to imagine how it’s being used in the legal industry where legal libraries filled with law books and courts filled with black-robed judges reign. In this formal traditional world, AI is now providing smart solutions for today’s electronically stored information or ESI and is streamlining the way the Legal Industry works.
In this video, Lee Neubecker, Computer Forensic Expert, and President & CEO of Enigma Forensics met with Jeffrey Wolff, Director of eDiscovery Solutions at ZyLAB during his visit to the Legal Tech Conference in New York. Lee and Jeffrey analyze how Artificial Intelligence (AI) develops smarter solutions in the eDiscovery process. Jeffrey shares with Lee that ZyLAB’s mission is to provide automated full-text retrieval using AI, for both on-premise or cloud-based solutions.
Watch Part 1 of a Three-Part Series on Artificial Intelligence (AI) and eDiscovery.
The video transcript of AI Smarter Solutions: eDiscovery follows.
Lee Neubecker: Hi, I have Jeff Wolff, back on the show from ZyLAB. Jeff, thanks for coming back on.
Jeff Wolff: Thank you.
LN: He’s their Director of eDiscovery, and I wanted to ask him some questions as it related to what differentiates ZyLAB from other products out on the market. Some of my clients may want to use this type of artificial intelligence program to help get through their review and see what the results are of using AI verse the traditional e-discovery review process, so.
LN: Jeff, could you tell us what sets ZyLAB apart from other competitors in the marketplace.
JW: Sure, sure, so first, I think ZyLAB is uniquely positioned in the fact we understand the corporate space quite well, as well as the law firm space, but we got our start incorporate, or start in information governance. So we are very vested in search and data science, and that’s really where we’ve put a lot of our focus. We have both on-premise solutions, as well as cloud-based, SaaS solutions like every other next-gen provider. But we really push our interface, our user interface and our user experience, as one of the most unique selling points. And that is, that it is not difficult to start using. Anyone, any legal professional can pick up our product in an hour, from start to finish, and understand really how you utilize it. Drag and drop interfaces for getting data into the system, and immediate color-coding and tagging, easy search, and the ability to really visualize your data and understand what’s in the dataset.
LN: Okay. So, what would you say for a company that has to deal with multiple jurisdictions, they’re in Europe, they’re in the US. JW: Sure. LN: There are some unique challenges posed by all the various regulations out there, like GDPR.
LN: Maybe the have operations in China. How could you help a company that has to deal with various regulatory authorities spanning the globe?
JW: Sure, and that’s another advantage that ZyLAB has, actually, we’re actually a global company, so we’re dual-headquartered in Washington, D.C., here in the US, as well as Amsterdam in the Netherlands, in the EU. And as a result, we have cloud operations in both jurisdictions. So our global customers can actually keep US data in the US, and they can keep the European Union in the EU, and not worry about that issue. But we also have the expertise, consulting expertise, in both environments, both geographic locations. For example, I’m doing a lot of work now with corporations, not so much focused on directly just on e-discovery, because e-discovery is a bit reactive, you know? Or corporations go through peaks and valleys with e-discovery, the litigation, something they have it, sometimes they don’t. What they constantly have though, are internal investigations, regulatory responses, in the highly regulated corporations. And more and more now, data privacy concerns. So, my European colleagues have been dealing with GDPR for a while, we’re now starting to feel it here in the US, with CCPA, the California Consumer Privacy Act. And there are a number of states on the horizon that are going to California’s examples, so corporations need to be able to find, and classify all the data that they have in their organization that has customer information because if those customers request it and they can’t provide it, they’re financially in a lot of trouble.
LN: Do you think that the regulations coming down on companies are going to fundamentally change how companies chose to communicate with their vendors, suppliers, and own employees?
JW: Absolutely. If you look at all the recent data breach situations, it’s typically not the organization that has the problem, and I won’t mention any of the large companies that have recently had data breaches, but it’s typically not the original company that had the issue, it’s one of their suppliers, or one of their vendors that had accesses to the database, and wasn’t protecting it properly, and that’s how the trouble began.
JW: Same thing with data privacy.
LN: The supply chain certainly is a huge point of vulnerability for all types of organizations. The governments, the military,
LN: and even corporations.
LN: So what do you see happening over the next few years with the adoption of AI platforms?
JW: I think the e-discovery market is going to fundamentally change. There’s still always going to be a need for discovery within corporations and law firms, but what you do you with the data is going to become much more important, so it’s going to be about how you can extract value from the data, not just metadata, which we’ve always been able to do for years now, but now more about looking for entity information. People, places, organizations that are mentioned in documents and emails, and collaborative environments, and being able to visualize those, and quickly drill down to what was going on in your organization. You know, if you got people that are going to the dentist three times a week, they’re not doing to the dentist, they’re doing something else, They’re just writing about going to the dentist.
JW: Software like ours that can identify those references in documents are going to be crucial to the success of organizations.
LN: That’s great. So it seems that there’s continued e-discovery service provider consolidation out there.
LN: The companies that are using tools that are more of a channel partner tool to resell.
LN: But as those companies consolidate, do you think that there’s going to be a movement away from those providers where, the company, the firms, directly do their own e-discovery?
JW: Oh, yes. Yeah, very much so. We’ve been seeing that over the last few years. A lot of companies, even small companies that tend to have, in the past, just used outside vendors for e-discovery, are now deciding that they prefer to control, not just the cost, but also their data. They don’t want their data outside of the organization for reasons we’ve already talked about. So they’re purchasing in-house tools that they can use themselves, and then they can invite outside counsel in to make use of, that way they control their costs, they control the efficiency, and they control the data.
LN: Well, this has been great. Thanks a bunch for being on the show.
Lee Neubecker: Thank you again.
LN: Take care.
JW: Bye bye.
View related articles on Artificial Intelligence
View ZyLAB’s for more information on (AI) Smart Solutions: eDiscovery