More health, less stealth….

Emerging Access and Authentication Methods for Healthcare

Medical records are now, by and large, available in electronic form; in fact almost 8 in 10 physicians use an EHR. Conveniently accessing them in a secure and compliant way is the challenge that everyone involved in the healthcare industry faces. In 2015 the top three healthcare breaches resulted in over 100,000 million compromised records. While full details of these attacks have not been disclosed, the key for criminals is often stolen credentials, whether those of a user, an administrator, or someone else with privileged system access. These attacks show bravado and hit the major headlines. Alongside the big hacks, there is a growing rash of small crimes at healthcare facilities, such as stolen medications, illicitly written prescriptions and theft of targeted individuals' health care records. For example, at a Cleveland Clinic, four nurses are being accused of stealing patient medications such as Oxycodone (an opioid painkiller sought after by drug addicts).

Implementing strong access and authentication controls is the next step healthcare organizations must take to comply with HIPAA and reduce the attack surface exposed to sophisticated criminals and petty criminal staffers alike. Healthcare organizations are still standardizing on the right approach, so let's take a closer look at some of the technologies currently in use and explore them from both a security and a hacker's perspective.

RFID (Radio Frequency Identification)

You may have one and not even know it. RFID technologies make up the majority of the market: most white access badges that you swipe to gain access to a door, or potentially a computer, have sophisticated microcircuitry built in. Some of the amazing things that you might not know about RFID are:

  • There is no battery! The circuitry is powered by the energy it receives through the antenna when it is near a card reader.
  • Some RFID chips can hold up to 1K of data. That doesn't sound like a lot, but it is enough to hold your name, address, social security number and perhaps your last transaction.
  • RFID chips can be so small they are imperceptible: Hitachi has a chip that is 15 x 0.15 millimeters in size and 7.5 micrometers thick. That is thinner and smaller than a human hair.

The good news for security professionals at healthcare organizations is that there are many choices and uses for RFID technology. Cards and readers purchased in mass quantities drive the price down and provide a homogeneous system that may be easy to administer once it becomes part of the onboarding and provisioning process. In addition to door access for staff, RFID cards can be given to patients at check-in so that they have another form of identification. The bad news is that hackers go after consistent, well-documented systems, and they like attacking esoteric data transmissions like the ones RFID uses. Using inexpensive parts like those on my workbench, such as an Arduino microcontroller, a criminal could build a system to capture the transmission, essentially clone the data on a card, and then pose as an insider.

Biometrics

There seems to be an ever-growing array of biometric devices: vein readers, heartbeat readers, iris readers, facial recognition and fingerprint readers. When implemented properly, a live biometric, that is, a biometric device that samples both a unique physical characteristic and liveness (a pulse, for example), is almost always a positive match; in fact, fingerprint reading is used at border control in the US and other countries. There are hacking demonstrations with molded gummy-worm fingers, scotch-tape fingerprint lifts and even the supposed cutting off of a finger. Those attacks are at the far end of practicality, as they are not repeatable or easy for a criminal. The hurdles that biometrics face are:

  • Near 100% match – This is good news, as we truly want valid users; however, skin abrasions, irregular vital signs and aging are just some of the factors that make the current set of biometrics sometimes produce false positives.
  • Processing time – There are several steps to the fingerprint and biometric authentication process. Reading, evaluating the match and then validating with an authentication service can take up to a second. The process is not instantaneous; I can enter my password faster on my iPhone than I can get a positive fingerprint match. Doctors, nurses and patients simply don't have the seconds to spare.
  • Convenience – Taking off gloves or staring into a facial or retinal reader is simply not an option when staff are serving potentially hundreds of patients a day.

As the technology and processing improve, I think we will see a resurgence of biometrics in healthcare, but for now my local clinic has decommissioned its vein reader.

Bluetooth

Bluetooth technology is becoming ubiquitous. It is being built into almost all devices; some estimate that it will be in 90% of mobile devices by 2018. Bluetooth is still emerging in the healthcare market, which is dominated by RFID; however, there are advantages to Bluetooth over RFID cards:

  • Contactless – Bluetooth Low Energy relies on proximity rather than on physical contact. While this might not seem like a huge advantage, in a high-traffic critical situation such as an emergency room, seconds count. In addition, systems that require contact, such as a card swipe or tap, require maintenance to clean the contact.
  • BYOD cost – For smaller clinics and cost-conscious organizations, using employee devices as the method of authentication may be the way to go, as they will not incur the expense and management of cards and proprietary readers. In fact, a Bluetooth reader can be purchased for as little as $4, compared with $100 for a card reader.
  • BYOD convenience – Many organizations recognize an added convenience factor in using their employees', partners' and customers' mobile devices as a method of authentication. Individuals are comfortable with, and interested in, using their phones as access devices. Administrators can change access controls just in time for access to different applications, workstations and physical locations rather than having to re-stripe cards.

On the hacker side, Bluetooth signals, just like RFID, can be cloned; however, combined with an OTP (One Time Password) as another layer of authentication, criminals could be thwarted.
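To show concretely why a cloneable identifier alone is weak and what the OTP layer adds, here is an added example (not code from the original post or from any Micro Focus product): a verifier that treats the badge or Bluetooth identifier only as a username and requires a TOTP code (RFC 6238, HMAC-SHA1, 30-second step) as the proof, rejecting an identifier presented without a fresh, unused code. The `BadgeVerifier` class, the badge id and the enrolment are assumptions; the secret is the RFC 6238 reference value.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # RFC 6238 default time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class BadgeVerifier:
    """Server-side check for a badge or phone identifier paired with a TOTP code.

    The identifier a reader picks up over the air is treated only as a username:
    it selects the enrolled secret but proves nothing by itself, so a cloned card
    or replayed Bluetooth advertisement is rejected unless the current code is
    also presented. Each accepted time-step counter is recorded so that a code
    sniffed during one login cannot be replayed within its window.
    Class and method names are assumptions for this example.
    """

    def __init__(self, enrolled: dict[str, bytes], skew_steps: int = 1) -> None:
        self._secrets = dict(enrolled)
        self._last_counter = {uid: -1 for uid in enrolled}
        self._skew = skew_steps           # tolerate one step of clock drift each way

    def verify(self, badge_id: str, otp: str | None, now: int | None = None) -> bool:
        now = int(time.time()) if now is None else now
        secret = self._secrets.get(badge_id)
        if secret is None or otp is None:
            return False                  # unknown badge, or badge presented without a code
        base = now // TIME_STEP
        for counter in range(base - self._skew, base + self._skew + 1):
            if counter <= self._last_counter[badge_id]:
                continue                  # that step was already consumed: no replay
            if hmac.compare_digest(hotp(secret, counter), otp):
                self._last_counter[badge_id] = counter
                return True
        return False


# Constructed enrolment: the RFC 6238 reference secret tied to a made-up badge id.
ENROLLED = {"badge-0042": b"12345678901234567890"}


def demo(now: int = 59) -> dict[str, bool]:
    """Walk through the cases the post describes: a cloned id alone, id plus a
    fresh code, the same code replayed, and an id that was never enrolled."""
    verifier = BadgeVerifier(ENROLLED)
    code = totp(ENROLLED["badge-0042"], now)
    return {
        "cloned_id_only": verifier.verify("badge-0042", None, now),
        "id_plus_fresh_code": verifier.verify("badge-0042", code, now),
        "same_code_replayed": verifier.verify("badge-0042", code, now),
        "unknown_id": verifier.verify("badge-9999", code, now),
    }
```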

I contacted Jim Gerkin, Identity Director at NovaCoast, and he mentioned that we may see an uptick in small and mid-sized clinics using authentication devices in 2017. They are looking for cost-effective, open-standard systems based on FIDO standards. Bluetooth has the potential to meet requirements from both a cost and a security perspective, again if OTP is used in conjunction with it.

The good news is that Micro Focus's Advanced Authentication works with multiple types of authentication methods, whether legacy systems, RFID, biometrics or now Bluetooth. In addition, Micro Focus is part of the FIDO Alliance, which ensures a standardized approach. I look forward to evaluating emerging authentication technologies in 2017 that may use DNA, speech recognition and other nanotechnology. Watch this space!

Cyber Monday

Big retailers have been planning ahead for up to 18 months for their share of approximately 2.6 billion dollars of revenue. Cyber Monday, started in 2005 by Shop.org, has become one of the biggest online traffic days of the year. Simon Puleo takes a look at how some of our biggest customers have prepared.

‘Twas the night before Cyber Monday and all through the house

everyone was using touchscreens gone was the mouse.

While consumers checked their wish lists with care

in hopes that great savings soon would be there.

The children were watching screens in their beds

while visions of Pikachu danced in their heads.

And Mamma in her robe and I in my Cub’s hat

reviewed our bank accounts and decided that was that!’

Cyber Monday, started in 2005 by Shop.org, has become one of the biggest online traffic days of the year. Black Friday may have started as early as 1951, and between them the two shopping holidays generate over $70 BN! Let's take a look at how some of our biggest customers have prepared:

1.) Performance testing. Did you know that our customers typically start performance testing for Cyber Monday in February? Why would they start so early? Customers are testing more than just peak load; they are testing that sites will render correctly across multiple configurations, bandwidths and devices, and sometimes in multiple regions of the world. The goal of e-commerce is to enable as many shoppers as possible; that includes my Dad on his iPad 2 on a rural carrier and my daughter on her Chromebook in an urban area. Multiply that by thousands of users and you can see that, unfortunately, retailers can't hire enough of my relatives to help them out. What they do instead is use a combination of synthetic monitors and virtual users to simulate and assess how a website will perform when 10,000 users are shopping at the same time.


2.) New feature testing. Whether you consciously think about it or not, you expect and gravitate towards websites that have the latest feature set and best user experience. What does that mean? Listing a photo and a description is bare bones; the best commerce websites not only have reviews, videos, links to social media and wish lists, they may actually be responsive to your shopping habits, regional weather and personal interests. They use big data sets to predict what you are browsing for and offer you targeted deals too good to pass up! While that is exciting, it also means that the complexity of the code, both rendering in the browser and behind the scenes, has grown exponentially over the years. Ensuring that new features perform, that old code works with legacy systems, and that everything renders correctly on multiple devices is what functional and regression testing is all about. While a team of testers may track multiple code changes, they lean towards automation to ensure that code works on target configurations.

3.) Offering federated access management. What? you're thinking, user login was solved ages ago. For sophisticated online retailers, letting customers use Facebook, Google, Yahoo!, Twitter, LinkedIn or other credentials to gain access is first a method to gain trust, second opens up the potential for more customers, and finally is a road to valuable personal data. Regardless of which advantage a retailer may prioritize, developing the ability to let millions of Facebook users easily log in and check out with a credit card equates to new customers and a leg up over legacy competitors. And, for an added measure of trust and security, retailers can couple this with multi-factor authentication at key points of the conversion process. A separate user login and password for each shopping site is quickly becoming a relic of the past as users opt for convenience over managing many user names and passwords.


These are some of the top methods and solutions that big retailers have implemented for 2016. The best online commerce professionals know what they are up against and what is at stake, for example:

  • In 2014 there were over 18,000 different Android devices on the market according to OpenSignal; that is an overwhelming number of devices to test against.
  • At a minimum, retailers lose $5600 per minute their websites are down.
  • The market is huge: a recent estimate put the global number of digital buyers at 1.6 billion, nearly 1/5 of the world's population. Converting even .1% of that number is 160,000 users!
  • Users are fickle and will leave a website if delayed by just a few seconds.
  • Last year Cyber Monday accounted for $3 billion in revenue; this year we expect even more!

Retailers like Mueller in Germany realize that zero "downtime" is critical to keeping both the online and virtual shelving stocked. Their holistic approach to managing software testing and performance helps them implement new features while keeping existing systems up and running. It is never too late to get started for this year or to prepare for next; consider how Micro Focus has helped major US and European online retailers with performance testing, automated functional and regression testing, access management and advanced authentication.

Geo-fencing: securing authentication?

Micro Focus is leading the industry in geo-fencing and Advanced Authentication with its NetIQ portfolio. Simon Puleo looks at this fascinating new area and suggests some potential and very practical uses for this technology in his latest blog.

Are you one of the 500 million users who recently had their account details stolen from Yahoo?

Chances are that criminals will use them for credential stuffing: using automation to try different combinations of usernames and passwords at multiple sites in order to log in to your accounts.

So you're probably thinking the same as I am: that a single username and password is no longer sufficient protection from malicious log-ins, especially when recycled across multiple sites.


Is your identity on the line?

Indeed, 75% of respondents to a September 2016 Ponemon study agreed that “single-factor authentication no longer effectively protects unauthorized access to information.”

Biometric authentication is one solution and is already a feature of newer iPhones. However, skimmers and shimmers are already seeking to undermine even this.

Perhaps geo-fencing, the emerging alternative, can address the balancing act between user experience and security? It provides effective authentication and can be easily deployed for users with a GPS device. Let’s take a closer look at what this technology is, and how it can be used.

What is geo-fencing?

Geo-fencing enables software administrators to define geographical boundaries. They draw a shape around the perimeter of a building or area where they want to enforce a virtual barrier. It is really that easy. The administrator then decides who can access what within that barrier, based on GPS coordinates. In the example below, an admin has set a policy that only state employees carrying a GPS device can access systems within the Capitol Building.

[Image: geo-fence policy example around the Capitol Building]

Let's dive deeper and differentiate between geo-location and geo-fencing. Because geo-location uses your IP address, it can be easily spoofed or fooled, and it is not geographically accurate. Geo-fencing, however, is based on GPS coordinates, with satellites tracking latitude and longitude.

While GPS can be spoofed, doing so requires loads of expensive scientific equipment, and certain features of the signal can be used to validate it. Using geo-coordinates enables new sets of policies and controls that ensure security and enforce seamless verification, keeping it easy for the user to log in and hard for the criminal to break in. Consider the example below:

Security Policy: Users must logout when leaving their work area.

Real-world scenario: Let's go and get a coffee right now. Ever drop what you are doing, leaving your PC unlocked and vulnerable to insider attacks? Sure you have.

Control: Based on a geo-fence as small as five feet, users carrying a geo device could be logged out when they leave their cube, then logged back in when they return. It's a perfect combination of convenience, caffeine and security.
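The policy and control above, as an added example that is not code from the original post or from any NetIQ product: the administrator's drawn shape becomes a polygon of GPS vertices, a ray-casting test decides whether a fix is inside it, and a session controller locks or unlocks the workstation. Because consumer GPS fixes jitter by metres, more than a five-foot cube, the controller only changes state after several consecutive fixes agree; that dwell rule, the `GeoFence` and `WorkstationSession` names and the sample coordinates are assumptions of this example.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def to_local_xy(lat: float, lon: float, origin_lat: float, origin_lon: float):
    """Project a lat/lon onto a flat east/north plane (metres) around an origin.
    An equirectangular approximation: fine for fences of a few hundred metres."""
    x = EARTH_RADIUS_M * math.radians(lon - origin_lon) * math.cos(math.radians(origin_lat))
    y = EARTH_RADIUS_M * math.radians(lat - origin_lat)
    return x, y


def offset_latlon(lat: float, lon: float, east_m: float, north_m: float):
    """Inverse of to_local_xy: move a lat/lon by a number of metres east and north."""
    dlat = math.degrees(north_m / EARTH_RADIUS_M)
    dlon = math.degrees(east_m / (EARTH_RADIUS_M * math.cos(math.radians(lat))))
    return lat + dlat, lon + dlon


def point_in_polygon(x: float, y: float, polygon) -> bool:
    """Even-odd ray casting: count polygon edges crossed by a ray going east from (x, y)."""
    inside = False
    n = len(polygon)
    for i in range(n):
        x1, y1 = polygon[i]
        x2, y2 = polygon[(i + 1) % n]
        if (y1 > y) != (y2 > y):                       # edge straddles the ray's y
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


class GeoFence:
    """The shape an administrator draws: a list of (lat, lon) vertices."""

    def __init__(self, vertices_latlon) -> None:
        self.origin = vertices_latlon[0]
        self.poly = [to_local_xy(lat, lon, *self.origin) for lat, lon in vertices_latlon]

    def contains(self, lat: float, lon: float) -> bool:
        return point_in_polygon(*to_local_xy(lat, lon, *self.origin), self.poly)


class WorkstationSession:
    """Unlock when the user's device is inside the fence, lock when it leaves.

    A single GPS fix on the wrong side of the fence must not flip the session,
    so a state change only takes effect after `dwell` consecutive fixes agree
    (the dwell rule is an assumption of this example, not from the post).
    """

    def __init__(self, fence: GeoFence, dwell: int = 3) -> None:
        self.fence = fence
        self.dwell = dwell
        self.unlocked = False
        self._streak = 0

    def update(self, lat: float, lon: float):
        """Feed one GPS fix; returns "lock", "unlock" or None (no change)."""
        inside = self.fence.contains(lat, lon)
        if inside == self.unlocked:
            self._streak = 0                            # fix agrees with current state
            return None
        self._streak += 1
        if self._streak < self.dwell:
            return None
        self.unlocked, self._streak = inside, 0
        return "unlock" if inside else "lock"
```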

Patient safety, IT security

This scenario may sound incredible, but Troy Drewry, a Micro Focus Product Manager, explains that it is not that far-fetched. Troy shared with me his excitement for the topic and a number of geo-based authentication projects he is involved in. One effort is enabling doctors and medical staff to log in to and out of workstations simply by their physical location. This could help save valuable time in time-critical ER situations while still enforcing HIPAA policies.

Another project is with an innovative bank that is researching the use of geo-fencing around ATMs to provide another factor of validation. In this scenario, geo-fencing could have the advantage of PIN-less transactions, circumventing skimmers.

As he explained to me, “What is interesting to me is that with geo-fencing and user location as a factor of authentication, it means that security and convenience are less at odds.” I couldn’t agree more. Pressing the button on my hard token to login to my bank accounts seems almost anachronistic; geo-fencing is charting a new route for authentication.

Micro Focus is leading the industry in geo-fencing and Advanced Authentication. To learn more, speak with one of our specialists.


Feelin’ Locky, Punk?

Ransomware, malware that locks away your data until you pay to get it back, is spreading like a rash and affects both businesses and consumers. Simon Puleo lifts the lid on Locky and delivers some timely advice.

What is Ransomware?

Ransomware, malware that locks away your data until you pay to get it back, is spreading like a rash and affects both businesses and consumers. The FBI has identified that ransomware is on the rise, affecting not only PCs but smartphones as well. The Verizon 2016 Data Breach Investigations Report listed ransomware in its number two spot for crimeware, and it saw the biggest jump in reported attacks. While first seen as a semi-sophisticated crime against hospitals and financial institutions, this nefarious crime is quickly becoming commonplace in all types of organizations and against targeted individuals.

“Why is Ransomware new?” an IT Manager asked me, “isn’t this just a throwback to other malware schemes?” 

I replied with one word, “Bitcoin.”

While ransomware has been around for a while, it's becoming more prevalent because Bitcoin (BTC) has made it easier than ever for the bad guys to get paid. Because it is anonymous, Bitcoin enables the criminal to receive his or her payment without the scrutiny of law enforcement, the government, or Visa or MasterCard for that matter. In short, criminals use BTC as another tool to receive funds without being easily tracked.

Bitcoin started showing financial traction back in 2013 and, not coincidentally, that is around the same time that the CryptoLocker virus started asking for payment in that manner.

As of May 3, 2016, one of the latest ransomware creations is called Locky, which Microsoft regards as a "severe threat."


Locky

While "Locky" sounds like a cute character from one of the shows my kids watch on TV, it will cause more pain and headache than a teething toddler. After it is downloaded, Locky encrypts all of your files, including photos, documents and videos, using strong AES encryption (the type of encryption the FBI uses). When it's done, it pops up a screen demanding payment in Bitcoin in return for the key to decrypt and retrieve your data.

Obviously no one is going to download and run ransomware on purpose, are they? You might be surprised. The criminals behind Locky get you to download and run it yourself by sending it to you in a phishing email. The targeted user is part of a social engineering scheme: the criminals are on the hunt for users in accounting, who often receive invoices from vendors. The user:

  1. Receives an email with an invoice attached, asking for review.
  2. The invoice emails are socially engineered: addressed to the company and asking for payment.
  3. The curious user launches the attached Word document and is prompted to "Run Macros".
  4. A set of malicious executables is installed on the target machine and begins to encrypt data.

And Locky won't just attack your local files; it will attempt to encrypt all network and storage devices too! When it's done, you may see a screen like the one below:

[Image: Locky ransom demand screen]

Protecting your organization

Antivirus tools provide a measure of protection by identifying harmful macros; however, motivated hackers will find a way past antivirus. But you can take destiny into your own hands by following these best practices:

Awareness is the place to start. Educate your users about Ransomware and cyber security best practices.   Start a campaign to ensure that all users are aware of the dangers of phishing and how to avoid being a victim. Several companies make software that sends simulated phishing messages, tracks responses, and trains users how to not be fooled by them.

Take control and monitor user access and changes with Micro Focus Sentinel and Change Guardian. These solutions help security teams quickly identify threats before they cause damage, with real-time integrity monitoring and analysis of security events as they occur. Rapidly spot file changes and new extensions like .locky that are out of the ordinary, and take action with intelligence.
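The "spot new extensions like .locky" rule above, written out as detection logic over file-audit events; this is an added example, not code from the original post nor from Sentinel or Change Guardian. The audit-line format, the user and host names and the burst threshold are all constructed assumptions; the point is that one renamed file is noise while a burst of them from one account within a minute is the encryption loop the post describes.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions that indicate ransomware output; the post names .locky, add others as seen.
RANSOM_EXTENSIONS = {".locky"}

# Constructed file-audit lines (format assumed for this example):
# timestamp|user|host|action|path
SAMPLE_AUDIT_LOG = r"""
2016-05-03T09:14:02|jsmith|ACCT-PC01|modify|\\fileserver\finance\budget.xlsx
2016-05-03T09:14:05|jsmith|ACCT-PC01|rename|\\fileserver\finance\budget.xlsx.locky
2016-05-03T09:14:06|jsmith|ACCT-PC01|rename|\\fileserver\finance\invoices_q1.docx.locky
2016-05-03T09:14:07|jsmith|ACCT-PC01|rename|\\fileserver\finance\payroll.csv.locky
2016-05-03T09:14:07|jsmith|ACCT-PC01|rename|\\fileserver\finance\vendors.xlsx.locky
2016-05-03T09:14:08|mlee|HR-PC07|modify|\\fileserver\hr\onboarding.docx
2016-05-03T09:14:09|jsmith|ACCT-PC01|rename|C:\Users\jsmith\Pictures\photo1.jpg.locky
2016-05-03T09:14:09|jsmith|ACCT-PC01|rename|C:\Users\jsmith\Pictures\photo2.jpg.locky
2016-05-03T10:02:31|mlee|HR-PC07|rename|\\fileserver\hr\notes.txt.locky
"""


def parse_event(line: str) -> dict:
    """Split one audit line into its fields; the path may contain no '|'."""
    ts, user, host, action, path = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "path": path}


class RansomExtensionDetector:
    """Sliding-window count, per user@host, of files that gain a ransom extension.

    Fires once `threshold` such files are seen inside `window_seconds`; that is
    the moment to cut the account's access to the file shares. Class and
    parameter names are assumptions for this example.
    """

    def __init__(self, threshold: int = 5, window_seconds: int = 60) -> None:
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self._recent = defaultdict(deque)   # (user, host) -> deque of (ts, path)
        self.alerts = []

    def observe(self, ev: dict):
        if ev["action"] not in ("rename", "create"):
            return None
        if os.path.splitext(ev["path"])[1].lower() not in RANSOM_EXTENSIONS:
            return None
        key = (ev["user"], ev["host"])
        recent = self._recent[key]
        recent.append((ev["ts"], ev["path"]))
        while recent and ev["ts"] - recent[0][0] > self.window:
            recent.popleft()                # drop entries older than the window
        if len(recent) < self.threshold:
            return None
        alert = {"user": ev["user"], "host": ev["host"],
                 "first_seen": recent[0][0], "last_seen": ev["ts"],
                 "files": [p for _, p in recent]}
        self.alerts.append(alert)
        recent.clear()                      # one alert per burst, not one per file
        return alert


def scan(lines=None, threshold: int = 5, window_seconds: int = 60) -> list:
    """Run the detector over audit lines (default: the constructed sample) and return alerts."""
    detector = RansomExtensionDetector(threshold, window_seconds)
    for line in (lines if lines is not None else SAMPLE_AUDIT_LOG.splitlines()):
        if line.strip():
            detector.observe(parse_event(line))
    return detector.alerts
```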

Enforce least privilege for your most sensitive data and systems. Micro Focus Privileged Identity Management solutions ensure the right users have access to the right systems at the right times. Trojans and malware like Locky typically need elevated rights to execute; you can stop them by simply not letting them start. Protect the integrity of your critical systems by limiting use and monitoring who has access to what files during designated time periods.

Finally, ensure you have a disaster recovery plan in place which includes keeping offline copies of critical data in both physical and virtual environments. Micro Focus PlateSpin technology offers solutions that can quickly restore workloads to their original location or to a new location while the original is being repaired.

Put the right measures in place to create awareness, monitor user activity, enforce least privilege and create a disaster recovery plan.  Be vigilant and use great technology to protect you and your organization.

Insider Threat: A New Perspective

How can IT security managers reduce the risk of the insider threat? Simon Puleo makes an interesting case in this great new blog.

Did you ever think that the person sitting next to you could be considered an insider threat to your organization? It is hard to believe malicious activity could be so close to home; however, when you consider that hackers use social profiles to target users with elevated privileges to systems or data, it raises an eyebrow. According to a 2015 Black Hat survey, 45% of hackers say that privileged account credentials are their most coveted target. Hackers are looking to take advantage of the insider and exploit those privileges, because these insiders have access to the most sensitive and lucrative data. Secondarily, the insider, the person you have coffee with, may be involved in espionage (spying), data destruction or data theft.

How does this lead to a new perspective? Most of the time when I discuss cyber criminals they fall into these broad categories:

  • Organized Crime – Much like Al Capone ran an organized crime syndicate with the purpose of profiting from smuggled alcohol, twenty-first century organized crime profits from stolen and smuggled credit cards, holding systems hostage and stolen IP. Extortion, fraud and theft are their calling cards.
  • Hacktivists – Those exploiting the internet and stealing secrets for social causes; think of Anonymous.
  • Nation State – Secret groups in governments all over the world designed to spy on, and steal, government and private intellectual property.
  • The Black Hat – The renegade hacker, or individuals who hack for fun or simply to spread chaos.

Insider Threat

But the insider could be you or me; it is anyone with access to systems or data. The insider is the careless user who shares a password or leaves their computer unlocked. The insider is the unknowing pawn of the criminal hacker, installing malware and viruses as the result of a social engineering or spear-phishing attack. The insider is the person who uses their access for malicious activities; perhaps they are part of an organized crime ring, a disgruntled employee or a mentally unstable person. Regardless, the goal of the cyber-criminal, whether on or off premises, is to obtain the 'keys to the kingdom', that is, access to files, systems and data.

Up until recently the most proactive measures to stop the insider were education campaigns targeted at good security practices, security policy and anti-virus tools. These measures are not enough, and traditional solutions like IDS, IPS and firewalls are focused on the perimeter, not on the insider, who is a user and consumer of data. So what approach can we take from an IT perspective to be proactive against the insider threat?

Enforce the concept of 'least privilege'; in simpler terms, ensure that users, and especially privileged users, have access only to the files and systems they need to do their jobs effectively. The receptionist needs a different set of access to systems than the accountant. This could go as far as only giving them access during the right times as well. Consider: does a receptionist need access to the directory after business hours?


Manage access to systems and files in a way that ensures the identity of every user. How can we ensure the right users are accessing systems, and how can we prove they are who they say they are? Is a user name and password enough assurance for access to transactional data? Multi-factor authentication is the best way, using something that a user knows, like a password, something they have, like a token, and something about them physically, like a fingerprint or facial scan. This may sound futuristic, but where information is valuable more organizations are turning to multiple types of verification.

And finally, we need to monitor what users are doing in real time to ensure they aren't accidentally or maliciously changing and/or deleting data. When suspicious behavior is found, tools are needed to quickly find out who is performing an activity and what is happening, so that security teams can quickly take action to minimize damage from potential threats. When especially high-risk user activity is detected, access to sensitive systems can be automatically revoked.

How can you reduce the risk of the insider threat? Start with 'least privilege': restrict access to sensitive data to only those with a need. Develop controls and policies to ensure users have the right privileges, challenge users when they access sensitive data and monitor for malicious behavior; lead with an Identity-Powered Security approach. To learn more about the insider and privileged users, download the flashpoint paper Privileged Users: Managing Hidden Risk in Your Organization.