Health care providers are currently being targeted by attackers. One of the latest victims is Virginia Health Professionals. This incident only highlights the underlying problem in health care security: providers are often operating under a false sense of security. In our research the premise is consistent: "I have a firewall and anti-virus, so we are covered."
Most of the attack mitigation engagements Network Strategies has handled over the last three years were at sites that already had a firewall and anti-virus. Several times, anti-virus packages as popular as Symantec's had been infiltrated without anyone's knowledge. In many cases, the anti-virus update mechanism or the operating system update mechanism itself was being used to spread malware.
By far the biggest hole in network security is blind trust in one or two security measures. A second is that security countermeasures are often deployed and then forgotten. Best practice in network security requires a layered plan that is consistently monitored and maintained. Some questions to ask:
1) Are Service Packs and Service Releases up-to-date? Are you certain of it?
2) Are any update services (anti-virus and operating system) compromised and reporting falsely that the system is up-to-date?
3) Are you able to detect anomalies outside of your anti-virus and firewalls?
4) Are you able to detect when network conditions change suspiciously?
- Network performance degrades
- All workstations started accessing a known malware site at the same time
- Workstations that only use web browsers start sending files to FTP servers
- Servers or workstations suddenly have new services or users on them
5) Do you have accountability for systems that touch health care information?
- Network Devices
- Databases
- File Storage
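The "network conditions change suspiciously" checks in item 4 are the ones a firewall and anti-virus will not give you, but they are cheap to script against proxy or firewall logs and a periodic host inventory. The following is an added example, not part of the original post or of Network Strategies' tooling. The log format (timestamp, host, protocol, destination), the blocklist entry, and the inventory snapshots are all constructed for illustration; swap in your own proxy export and a real malware-site feed. It covers three of the four bullets: a burst of workstations hitting a known malware site at the same time, a browser-only workstation suddenly talking FTP, and new services or users appearing on a host since the last inventory.

```python
"""Detect the suspicious network changes listed in checklist item 4.

Added example; the log lines, blocklist and inventories below are
constructed (hypothetical), not real data from the blog or its clients.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs, one event per line: "<date> <time> <host> <proto> <dest>"
BASELINE_LOG = """\
2009-05-05 09:00:00 ws01 http intranet.example
2009-05-05 09:00:01 ws02 http intranet.example
2009-05-05 09:00:02 ws03 http intranet.example
2009-05-05 09:00:03 ws04 http intranet.example
2009-05-05 09:00:04 ws05 http intranet.example
2009-05-05 09:00:05 ws07 http intranet.example
2009-05-05 09:30:00 fileserver ftp 203.0.113.7
"""
SAMPLE_LOG = """\
2009-05-06 10:15:02 ws01 http intranet.example
2009-05-06 10:15:03 ws02 http intranet.example
2009-05-06 10:16:00 ws01 http bad-updates.example
2009-05-06 10:16:01 ws02 http bad-updates.example
2009-05-06 10:16:02 ws03 http bad-updates.example
2009-05-06 10:16:04 ws04 http bad-updates.example
2009-05-06 10:20:00 ws05 http news.example
2009-05-06 10:45:00 ws07 http bad-updates.example
2009-05-06 11:02:10 ws03 ftp 203.0.113.7
2009-05-06 11:02:15 ws03 ftp 203.0.113.7
"""
KNOWN_BAD = {"bad-updates.example"}  # hypothetical blocklist entry

# Constructed inventory snapshots: host -> list of "user:<name>" / "svc:<name>"
BASELINE_INVENTORY = {"srv01": ["user:admin", "svc:MSSQLSERVER"], "ws03": ["user:nurse1"]}
CURRENT_INVENTORY = {"srv01": ["user:admin", "svc:MSSQLSERVER", "user:support2"],
                     "ws03": ["user:nurse1", "svc:rserv"]}


def parse(log):
    """Turn the constructed log text into (timestamp, host, proto, dest) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time_, host, proto, dest = line.split()
        events.append((datetime.fromisoformat(f"{date} {time_}"), host, proto, dest))
    return events


def known_site_bursts(events, blocklist, window=timedelta(minutes=5), min_hosts=3):
    """Item 4b: many distinct hosts reaching a blocklisted destination inside
    one sliding time window. Returns {dest: sorted hosts} for the largest burst."""
    hits = defaultdict(list)  # dest -> [(timestamp, host), ...]
    for ts, host, _proto, dest in events:
        if dest in blocklist:
            hits[dest].append((ts, host))
    bursts = {}
    for dest, rows in hits.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # shrink window from the left
                start += 1
            hosts = {h for _, h in rows[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(bursts.get(dest, [])):
                bursts[dest] = sorted(hosts)
    return bursts


def new_protocols(baseline, current):
    """Item 4c: hosts using a protocol they never used during the baseline period.
    A host absent from the baseline has no history, so everything it does is new."""
    seen = defaultdict(set)
    for _ts, host, proto, _dest in baseline:
        seen[host].add(proto)
    flagged = defaultdict(set)
    for _ts, host, proto, _dest in current:
        if proto not in seen[host]:
            flagged[host].add(proto)
    return {h: sorted(p) for h, p in flagged.items()}


def new_entries(baseline_snapshot, current_snapshot):
    """Item 4d: services or users present now that were not in the last inventory."""
    report = {}
    for host, items in current_snapshot.items():
        added = set(items) - set(baseline_snapshot.get(host, []))
        if added:
            report[host] = sorted(added)
    return report


def run_checks():
    """Run all three checks over the constructed data and return the findings."""
    return {
        "malware_site_bursts": known_site_bursts(parse(SAMPLE_LOG), KNOWN_BAD),
        "new_protocols": new_protocols(parse(BASELINE_LOG), parse(SAMPLE_LOG)),
        "new_services_or_users": new_entries(BASELINE_INVENTORY, CURRENT_INVENTORY),
    }


if __name__ == "__main__":
    for check, finding in run_checks().items():
        print(f"{check}: {finding}")
```

The burst check keys on distinct hosts rather than request count, because one infected workstation retrying a download a hundred times is a different (and less urgent) signal than four workstations reaching the same site within seconds. The lone hit from ws07 half an hour later is deliberately not reported as a burst; it would still show up in a per-host blocklist match, which is a separate, noisier alert. Network performance degradation (item 4a) is not covered here; that needs throughput or latency baselines from your monitoring system rather than log lines.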
The age of the script kiddie is past. A new age has dawned in which the bad guys have the upper hand: they have more resources than their victims. This makes it vital to layer security and to consistently double-check it. Keep in mind that many bad guys also buy that Symantec (insert popular anti-virus here) anti-virus or that Cisco (insert popular firewall here) firewall. But instead of using it to protect their own networks, they reverse engineer it to improve the stealth and effectiveness of their attacks.
One recent article in a popular trade rag spelled it out plainly. Bad guys get paid based on the same criteria that should be used in defending networks, known as CIA: Confidentiality, Integrity, Availability. Their systems must stay available and reliable to maximize profit, and the integrity of their data must be maintained for the same reason. This means they need to deploy large amounts of malware. That malware must be reliable. That malware must be invisible.
Wednesday, May 6, 2009
Friday, May 1, 2009
Vulnerability Windows Are Increasing
"Companies are only marginally better at quickly plugging security holes, while exploit writers typically produce attacks within days" - SecurityFocus.com
I found this article pretty interesting because it dealt with an issue not often talked about. Most of the time we hear about a vulnerability in an application and how it then takes the vendor days, if not months, to actually release a patch to fix it. This is of course bad news for organizations that rely on anti-virus alone to reduce the risk window while they wait for an update or patch.
The article cited above also raises another issue: organizations that, for any number of reasons, know they have vulnerabilities but take far too long to actually patch their systems, if they do at all. According to the article, most industries average around 30 days after a patch is released before actually applying it. This means the vulnerability window, from discovery to patch release to patch deployment, can be two months or more. Layering the security defenses around these systems is the best approach and goes a long way toward reducing the risk while the patch management process runs its course.
Thursday, April 9, 2009
The Many Facebook Attacks
It should be no surprise that social networking is a prime target for security attacks. Sites like Facebook can pave the way for attacks. A few of the attacks, as described by PC Tools (www.pctools.com):
1. Koobface (social networking worm). It gains access to Facebook profile pages and directs you to view a video, which then encourages you to update your Flash player. Malicious files such as flash_update.exe and bloivar29.exe are downloaded and installed, resulting in a range of visible problems, including modifications to your Facebook profile, with the immediate result being an error message telling you to contact support. There is also the very real potential for your identity and finances to be compromised.
2. Picture files carrying malware are "planted" on social networking websites and instant messaging programs. Hackers try to convince you that a friend has sent you a message or IM asking you to view pictures. A legitimate-looking URL, when clicked, sends you to an illegitimate website hosting malicious files and executables that have been modified to look like genuine picture files (jpg, gif or bmp). When you download and open those "pictures", the malware runs on your computer without your knowledge. It allows the hacker to take control of your operating system and the information on it, and exposes you to identity fraud and financial loss.
3. UPS Delivery Threat, also known as Zbot. It delivers an illegitimate file when you visit a counterfeit UPS delivery site. Zbot has been known to spread via email phishing and instant messenger. After informing you that you have missed a UPS delivery, the message urges you to view the invoice online, which in fact sends you to the counterfeit website, which in turn downloads a malicious program designed to bypass the firewall and steal banking and personal information.
With many health care professionals using sites like Facebook, security for social networking is mandatory.
Needless to say, anti-virus and anti-spyware are important. Many of these products slow down machine performance, so for anti-spyware we have been relying on Webroot's SaaS product. Aside from being small and having a low impact on machine performance, it can also keep up with new malware sites faster than just about any other technology.
HIPAA Risk Assessments
Since 1996, HIPAA has been more of an unenforced standard than a compliance rule. But with the enactment of ARRA (the stimulus package), the HITECH Act was put into place. The HITECH Act defines enforcement bodies and penalties for health care providers who do not comply. One of the important parts of the HIPAA standard calls for risk assessments. A risk assessment should be the cornerstone of any good network security plan. Risk assessments compare policies, procedures, and practices. They identify the proper amount of effort that should go into securing electronic protected health information (ePHI), and they show how vulnerable network resources are to threats. In order to stay compliant, health care providers will be very busy over the next year scheduling these assessments with the few companies that offer this kind of service.
Wednesday, March 18, 2009
Malware Hosting Websites Using Geo-Location to Lure Victims
People are going to surf the web no matter what you tell them about security and no matter what policies are put in place. It is simply a fact of life for most businesses and their employees. And despite the fact that two of the largest botnets were recently taken down, those behind the schemes and the threat of web-based attacks are still very prevalent on the web, and they continue to get more and more creative in how they target unsuspecting victims. According to a recent article on eWeek.com, these botnet operators are now luring victims to their infected sites by targeting their geographic location, making the emails more believable. The more believable the ad or email, the more likely an end user is to click on it.
One of the best ways to defend your unsuspecting users, and ultimately your network, against these types of attacks is to use web proxies that include virus and spyware filtering. These services stop much of the malware out on the Internet from ever reaching your network and computers. They also offer other benefits, such as URL blacklists and, through content filtering, productivity gains among your users.
For a link to the article in the title, please click here.
Monday, March 2, 2009
Safely Dealing with Facebook in Healthcare
More and more social networks are appearing on the web. Facebook is one of the most popular of late. Facebook in itself is not bad, but some of the phishing and redirecting websites can be. Doctors at small practices didn't mind social network surfing during breaks, but the cost of a potential infection was too high. After much research, Network Strategies, Inc. finally found a solution.
Our web content filter protects clients while they surf. It maintains a list of the malware sites that appear each day and blocks users from reaching them. It can also be used to block content and to set times when that content is OK to view. Best of all, it is affordable and puts little to no overhead on the client machines.
What HITECH Act means to Healthcare?
On February 17th 2009, President Obama signed the HITECH Act into law as part of ARRA. The HITECH Act, which stands for Health Information Technology for Economic and Clinical Health, adds funding for health IT and strengthens the penalties under the HIPAA Act of 1996. Penalties range from $100 per violation to $50,000 per violation, and are $10,000 to $50,000 per violation where there is willful neglect. State attorneys general are authorized to file civil actions for violations, or threatened violations, against residents of their state.
Business associates are also required to comply with all HIPAA mandates, and third-party business associates are likewise subject to civil monetary penalties (CMPs). On August 16th 2009, the security breach notification requirements will have to be met. If more than 500 individuals in a particular state are affected, notice will also have to be given to a prominent media outlet.
So what is the bottom line?
Security policies will need to be created and updated, risk assessments will need to be performed regularly, and security infrastructures will need to be updated and audited.