29 Oct

5 Min read

Death Due to Cyber Attack Has to be a Wake-up Call

October 29, 2020 Nok Nok News 0 comments

A tragic milestone has been crossed this year. While, yes, the tragedies do seem to be manifold – one tragedy in particular stands out in our field. The first death linked directly to a cyber attack.

Earlier this year, in Dusseldorf, Germany – not three hours from my home – a ransomware attack crippled a hospital’s systems, requiring all ambulances to be rerouted to other emergency rooms. One ambulance, however, did show up at the targeted hospital with a patient in critical condition. The patient did not survive the rerouting to an alternative facility.

This is tragic. Threats in the digital world have made the jump to the physical. The threat to people is no longer theoretical or about personal inconvenience. They are no longer about a simple rejection of a fraudulent payment. Unfortunately, the threats seem to be multiplying.

Since the beginning of the COVID-19 pandemic, online crimes have roughly quadrupled.While hospital in Dusseldorf may not have been the the intended target, hospitals are quite vulnerable. In 2019, it was reported that 84% of hospitals didn’t have a full-time cybersecurity employee. The same report noted that, between 2016 and 2018, one-third of hospital executives purchased cybersecurity tools “blindly without much vision or discernment.” Meanwhile, healthcare organizations spend more than all other sectors on data breach recovery.

It is a mixed blessing, then, that internet-connected devices – the internet-of-things (or IoT) – have been a boon to the healthcare industry. Doctors and employees use smartphones, tablets, laptops and digital assistants already. There is growing connectivity among diagnostic and imaging equipment, surgical robots, wearables, intelligent equipment and countless wireless sensors. There are bluetooth enabled weight scales and blood pressure cuffs that track symptoms for cancer patients. There are glucose monitors that improve the quality of life for diabetics. Apple’s ResearchKit simplifies the daily diary process for those who suffer from Parkinson’s Disease – helping both the patient and providing valuable data to assist in research. Even your smart refrigerator could send relevant data back to your doctor about your diet.

All of these innovations have been a net-benefit for the quality of healthcare that we receive. Alan Mihalic, president and founder of the IoT Security Institute, has noted that “with all this data, can look at how to improve their service and lower the cost to deliver that service. But moreover, it’s a question of moving from a reactive to a proactive healthcare model.”

With all of these new devices, coming from different manufacturers, installed and run by smart medical professionals who may or may not have IT security experience – it’s no wonder that the hospital’s attack surface has grown immeasurably in the last few years. 92% of the purchasing decisions regarding data security between 2017 and 2019 were made at the C-level and didn’t include the affected department managers nor the users that would be impacted by such decisions. Across the industry, there is almost no reliance on secure authentication – after all, the urgent nature of hospitals require a system that provides relevant information to an emergency room doctor on demand. Additionally, hospitals are notoriously plagued by budget constraints. Replacing or upgrading legacy software tends to come with a price tag leading to outrageous statistics like: 56% of healthcare providers still use Windows 7! What money there is for IT is usually not earmarked for security. 90% of institutions report that their security budgets have remained level or decreased since 2016.

But what can be done about it? It is vital to be aware of current best practices.

In 2019, the National Institute of Technology Standards (NIST) published a report, NISTIR 8828, detailing “Considerations for Managing Internet of Things Cybersecurity and Privacy Risks”. In it they highlight three high-level methods of mitigation. Simply put, they are:

Protect device security.
Protect data security.
Protect individuals’ privacy.

Those responsible for outfitting and managing a hospitals IT infrastructure need to be thoughtful about the way in which they incorporate connected devices. Mitigating cyber risk is crucial for any industry, but there is no room for error in healthcare. The rapid shift this year to remote work has opened a significant number of vulnerabilities for hackers to exploit. Unfortunately, fixing vulnerabilities is much more difficult than it sounds, especially for an always-on operation like a hospital.

But it is possible to start at the beginning. Authentication – the process by which we gain privileged access to devices and records – that can be secure, frictionless, interoperable with other devices and based on industry tried-and-tested standards can begin to close the gap in these vulnerabilities. Unfortunately, it would require challenging the status quo – a status quo that carries with it significant inertia.

But, with human lives at stake, it is clearer than ever that the status quo is not good enough and needs to be challenged.

As this is cybersecurity awareness month, let us all take a moment to consider our underlying assumptions and where we might be able to improve them. IoT devices in healthcare can provide significant improvements in how patients are treated and how research is done. But it needs to be protected and “good enough” security of the past is simply not good enough anymore. At least, it wasn’t for that patient in Dusseldorf.

17 Oct

6 Min read

The Secure Perimeter is Gone

October 17, 2020 Nok Nok News 0 comments

We have an opportunity. This year has radically accelerated a fundamental shift that has been going on for quite some time. A core component of our security architecture has been eliminated.
The “secure perimeter” – an antiquated concept from the days when computers took up an entire room – has all but vanished. “Security”, in those days, was defined by who could physically enter the room. Logical and physical security was centralized. When workstations became commonplace, the secure perimeter was built around the end-point. Every evolution of computing technology has tried to recreate the physical perimeter in one way or another. But the reliance on “end-point mentality” is fundamentally flawed. After all, end-points can be mimicked, spoofed, and intercepted. As long as we have tried to reinforce this antiquated model, we have missed the mark. The perimeter has continued to vanish over time.

More and more devices have been deployed, which has created more and more complexity. At the same time, we continue to see more and more data breaches, more and more lost data, more customer confusion, more regulation, more friction and more problems — all of these issues can be traced to the breakdown of the “secure perimeter”.

Genius has been deployed in inventing and distributing computers whose capabilities vastly outstrip the greatest dreams of our predecessors. But just as the internal components of these computers have evolved with the times, so too do the components of our security architecture need an evolution. Not only has the concept of the “secure perimeter” failed consistently, the concept itself limits what we can do with these new devices if we think differently about them.

In 1997, Steve Jobs challenged us to “Think Different” – we now have the opportunity to think big, think new, think different about how we solve for the vanished perimeter.

2020 is the year that everything changed. Over the last 30 years, there has been a slow, cultural shift breaking down the fortifications of the secure perimeter. Telecommuting, work-from-home, “Bring-Your-Own-Device” and other movements have slowly been eroding the cornerstones of these fortifications. However, while we have had the capability to be a fully remote workforce, it wasn’t until the COVID-19 lockdown started in March that the movement became a stampede, which became an avalanche, which rolled over our concept of a secure perimeter and forced us to reconsider this outmoded concept.

This is a catalyzing moment. One that we can take advantage of to not only fix faulty assumptions, but augment our architecture in such a way as to provide access that our customers, partners and employees never imagined. After all, could you imagine what the world would be like without walls? Imagine feeling safe, secure, protected without needing a fortification.

As a business executive who was part of the first National Cybersecurity Awareness Month, I will grant that this concept seems terrifying. I share the responsibilities many of you have. I share the responsibility to protect customer data, to guard partner resources, I absolutely need to guard our intellectual property, to ensure that we retain our competitive edge, generating revenue and providing for my employees’ livelihoods. There are regulatory and industry considerations that I, like you, need to take into account. We are all governed by a complex set of risk signals including customer satisfaction, employee needs and more. Doing something “new and visionary” may make for a good sound bite, but sometimes the inertia of the status quo leads to fear-based decisions.

Many fear-based decisions can lead you down the wrong path and eliminate opportun paths and options.

When I had the privilege of running PGP, we had a discussion with a major bank. We were talking about encryption and – at the time – encryption was very siloed. At a meeting involving security architects and Line of Business owners, one of my architects asked, “How would your business be different if all of your data was encrypted automatically?”

The Line of Business people said, “Well, that’s preposterous. That’s too hard to do. There are system level changes… and… and… and…”

The bank’s security architect chimed in, “No. We never started with that to begin with. That would dramatically change how we did our business.”

The architecture guys could see that, if they encrypted everything, they could do things more fluidly, with less overhead, less friction. But the Line of Business team didn’t realize the potential and there ensued a disagreement around the table.

There is an effect that status quo inertia has on business.

That was a seminal moment for me. I saw the rut. I saw the effect that status quo inertia could have on business decisions.

As the head of Nok Nok, as someone who was part of the group that proposed what is now the FIDO standard – the standard that was designed from the very beginning to eliminate phishing and account take-over, to eliminate credential stuffing and reduce your attack vectors – as a person who was involved in that, I have seen the same arguments enter this discussion where the people around the table want to solve the problem incrementally and not holistically. Because of that, arguments over budgets, over roles and responsibilities, over a variety of things end up stalling or eliminating changes that could be beneficial.

There are industry groups that realize that, as much as we have advanced technologies from the days of the mainframe, we have also introduced tremendous risk. This is the 17th year we have emphasized awareness of cybersecurity. But we are still talking about “secure perimeters”. We are still talking about things that are 50, 60 years old. I do not suggest that we wipe the slate clean. I do suggest that we stop solving these problems incrementally, that we start solving them holistically.

We need to think different. We need to think holistic.

In the end, we really just have people and devices walking around looking for services. This pandemic has caused a massive explosion in that behavior. People were used to coming and getting services from an office or a building – that entire paradigm has had to be re-thought. While we are re-thinking that, why don’t we take some of the good parts that do work and take some new things, new ideas about what could work and make a better future.

08 Oct

4 Min read

Cybersecurity is a Personal Responsibility

October 8, 2020 Nok Nok News 0 comments

This month is National Cybersecurity Awareness Month. Let me be blunt. If you don’t think you are responsible for cybersecurity – you are wrong.

Think about the footsteps you leave in the digital sand, your digital persona, information that you would consider private, valuable and vital. Now, think about how those bits and bytes of data can be used against you, can be taken from you and put to serve nefarious purposes. This is not a science fiction dystopia – this is our world.

To illustrate, let me paint a picture. You have a doctor’s appointment. You show up to the office and check-in on your smartphone, confirming your identity, the time of the appointment and the ailment for which you are being seen. You sit down and – while waiting – you open up your social media platform of choice to pass the time.

Your social media profile lists your friends, their birthdays, the things you like, your political preferences and on and on and on.

While browsing, an ad is presented for something you’re interested in. This ad was served up based on your interests, browsing history and ads that you have clicked on in the past. As such, you are very interested in what is being offered, but you aren’t sure if you can afford it. So before you buy, you open up your banking application to check your balance.

The banking app shows you your current balance in your checking account, your savings account, how much you owe on your credit cards, a long list of recent transactions, where and for how much they were for. You see you have enough for the purchase, flip back over to the advertisement and buy the product. You get called into the office for the doctor and a few days later, your package arrives at your door.

Simple, right? Amazing. It’s the miracle of the modern age.

Now, imagine going through all of that – but rather than it taking place on the privacy of your own screen, it is over the phone and the phone is on speaker. Your ailment is announced to the waiting room. As are the names of all of your friends and your political preferences. Your interests – both private and public – are announced and the things that you want to buy become public knowledge. Your bank account, recent purchases, credit card number and debt are also provided to anyone within the sound of your voice.

Without encryption, without security, without paying attention to the way in which your data is hoovered up, collected and distributed – any passing person who speaks binary can steal, copy, exploit and change your personal information.

That is why this month is important. Your data is YOUR data. It is vital that you are aware of how to protect it. If you have a device that connects – it needs to be protected and YOU are the one responsible for making sure that happens.

This month we look forward to having unfiltered conversations about cybersecurity. We will post our thoughts on how the pandemic has changed the concept of secure perimeter-based security, how the proliferation of small devices connecting to the greater web – as valuable as they are – has increased the attack vectors that we need to monitor and where we all may be headed in the future.

We invite you to join us in this discussion. But even if you don’t, we compel you to remember: The most important person responsible for your cyber security is you. Take that responsibility seriously.

Contact Us

Latest Posts

Navigation

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Death Due to Cyber Attack Has to be a Wake-up Call

The Secure Perimeter is Gone

Cybersecurity is a Personal Responsibility

Contact Us

Contact and Subscribe

Latest Posts

Navigation

Please complete this form to view and download this resource.

Submit to Download Forms

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.

Please complete this form to view and download this resource.