• Pell Center Hosts Cybersecurity and Healthcare Exercise Ahead of Real-Life Global Cyber Attack

    Senior leaders and security professionals from over 30 healthcare organizations in New England, as well as representatives of the R.I. Department of Health, R.I. Office of the Health Insurance Commissioner, R.I. Commerce Corporation, Newport County Chamber of Commerce, and law enforcement agencies convened at the Pell Center at Salve Regina University on May 10, 2017 to participate in a cybersecurity tabletop exercise focused on specific challenges and potential responses to growing cyber threats in the healthcare industry.

    In a ripped-from-the-headlines twist that preceded the recent “WannaCry” attack, the exercise started with a ransomware attack and continued with a series of cyber intrusion scenarios, such as disruption of services, email spoofing, phishing attacks directed at patients, DDoS attacks, and data exfiltration, created to identify weaknesses common in the healthcare industry. The scenario involved real-world cascading effects, including consequences for the provision of healthcare, outcry from patients, and media fallout for the organizations that fall victim to such attacks. The exercise was designed to show how different cyber threat vectors can infiltrate even the most sophisticated computer systems and networks, and also to explore possible remedies, mitigation techniques, and incident responses. Participants worked together on a range of timely and important cyber-related issues, including: incident response and prioritization, data leakage considerations, digital forensics investigations, crisis management, legal and regulatory compliance, and cyber liability insurance. The overall objective was to provide healthcare organizations and state agencies with greater insight into the specific cybersecurity issues they face and to explore possible responses and mitigation strategies that could lead to industry-driven solutions.

    This event, co-sponsored by SecureWorks, PreparedEx, and the Newport County Chamber of Commerce, was part of the Pell Center’s Rhode Island Corporate Cybersecurity Initiative (RICCI), an ongoing effort aimed at bringing together senior leaders from various sectors in Rhode Island who can effect change and make the state more secure and resilient to cyber threats. Congressman Jim Langevin joined this group of senior leaders for a keynote address on the future of the healthcare law and on best practices to strengthen the cybersecurity posture of healthcare organizations.

    Stunningly, just two days after the Pell Center exercise, the world woke up to the news that “WannaCry,” a new, self-propagating ransomware allegedly stolen from the National Security Agency (NSA), was spreading across thousands of computers around the globe and affecting multiple different entities and industries. The malicious software infected more than 300,000 computers across nearly 150 countries and was dubbed the largest “ransomware” attack on record. Some of the world’s largest institutions and government agencies fell victim, including the Russian Interior Ministry, German transport giant Deutsche Bahn, French automaker Renault, US shipper FedEx, and the Spanish telecommunications firm Telefónica. Healthcare organizations were hit particularly hard given that their computers and network systems are often older, unpatched, and lack strong cybersecurity measures. The British National Health Service was one of the largest institutions affected, with ambulances and doctors’ offices impacted in 45 of its hospitals, cancellation of non-vital surgeries, and certain hospital operations shut down.

    Governments, companies, and security experts from around the world raced to contain the fallout from this audacious global cyberattack amid fears that if they did not succeed or paid the ransom demanded, data would be lost forever. While a British cybersecurity researcher inadvertently found a way to stop the ransomware from spreading after less than 48 hours, the attack was a wake-up call for many organizations in the healthcare sector and set off fears that the effects of the continuing threat will be felt for months, if not years. The following week, a new flaw was found in widely used networking software leaving tens of thousands of other computers and additional medical devices potentially vulnerable to a similar attack, and many of those computers are feared to be too old to be patched or fixed. And while the WannaCry ransomware attack was certainly not the only internationally scaled cybersecurity threat in recent years, this attack’s consequential impacts served as a stark reminder of the significant vulnerabilities at the intersection of technology and medicine, and especially of the threats the use of legacy equipment, lack of cybersecurity professionals in hospitals, and hyper-connectivity of medical devices and hospital networks pose to patient safety.

    With an eye towards mitigating similar cyberattacks and increasing preparedness and resilience to cyber risks, the Pell Center will continue its cybersecurity and healthcare event series this fall with additional seminars, panel discussions, and workshops. In light of the WannaCry attack and the Pell Center’s recent cybersecurity exercise, we also provided a series of tips and recommendations to participating organizations, including: ensuring that all software and anti-virus programs are up-to-date; patching operating systems as soon as updates are available; creating backups of all important files; aligning security controls with the risk and impact to the organization; prioritizing responses and resources; educating all employees about malicious content and how to identify and avoid it; limiting employee access to resources that aren’t necessary for daily workflow; and joining forces with trusted third parties, internal staff, law enforcement, and security organizations. Experts from PreparedEx also stressed the importance of conducting more cross-functional crisis management exercises that include the senior leadership team from within organizations, and maintaining well-exercised and regularly updated crisis management and incident response plans.


  • Easy Hack May Spark Next Middle Eastern Conflict: Picks of the Week

    The Hack that Caused a Crisis in the Middle East Was Easy | Motherboard

    News Agency Hack Blamed for Diplomatic Meltdown in Qatar | CSO Online

    US Suspects Russian Hackers Planted Fake News Behind Qatar Crisis | CNN

    Will Qatar’s Diplomatic Exile Spark the Next Great War? | Foreign Policy

    A cybersecurity incident at the Qatar News Agency (QNA) may have been the cause behind the sudden diplomatic break between Qatar and multiple Gulf Cooperation Council (GCC) states, including Bahrain, United Arab Emirates (UAE), Saudi Arabia, Egypt, Libya, and Yemen.

    The Qatari government reported that hackers were able to breach their state-owned news agency as well as their Twitter account, subsequently planting a fake news item attributed to Qatar’s emir, Sheikh Tamim bin Hamad Al Thani, purportedly making controversial comments in support of Iran, Hamas, Hezbollah, and Israel, and questioning the political future of U.S. President Donald Trump. The fake news piece was immediately picked up by Saudi and Emirati media and widely broadcast, while internet access to Qatari media was blocked so that the official denial from Qatari officials could not be read. The move laid the groundwork for the subsequent crisis. Indeed, Bahrain severed diplomatic ties with Qatar shortly after the fake news was widely spread, and within minutes of its announcement, four other GCC states followed suit and announced that land, sea, and air routes had also been cut off. Yemen, Libya, Mauritius, and the Maldives later followed suit, and Qatari nationals are now being expelled from some countries in the Arab alliance. The crisis has only escalated since, and could have manifold economic and political effects for the Middle East – as well as alter the course of the region’s many conflicts.

    Qatar is working with the FBI and the British National Commission for Combating Crime (NCA) to investigate the incident, but the damage has already been done and tensions with GCC members continue to mount. Russian hackers are accused, once again, of having been the perpetrators of this latest cyber intrusion and of having planted the fake news story on Qatar’s state news agency website that led to the split between Qatar and the other Arab nations. Motherboard has reported that the “crisis was sparked by a hack that anyone could have done […] given that the station affected had terrible [cyber]security in place.” U.S. officials have expressed increasing concerns about Russian cyber-hacking measures believed to have been used to interfere in the 2016 presidential election, and then used again against American allies. Similar alleged hacks and instances of dissemination of false news articles have occurred in France, Germany, and elsewhere during elections.

    To make matters worse, Qatar-based satellite news network Al Jazeera seems to be the latest victim of an ongoing cyberattack campaign. On Thursday, Al Jazeera stated on its website that its entire Qatar-based network was experiencing “systemic and continual hacking attempts” and that it had been hit by a “cyber attack on all systems, websites, and social media platforms.” The Al Jazeera hack, if related to the series of events that have cascaded in short order since the first handful of Arab countries cut off diplomatic ties with Qatar this week, could further destabilize the situation.

    Whether the alleged hackers are linked to Russian crime syndicates or government agencies, and whether the Trump Administration will be able to interject and defuse what many consider the most dangerous diplomatic crisis in the region in decades remains to be seen. What seems incredible, however, is that even with heightened awareness regarding fake news, easily-hackable social media accounts, and questionable journalism, an apparently unsophisticated cyberattack against a news agency can lead to significant diplomatic problems and potentially trigger an even larger international incident.

  • ‘WannaCry’ Ransomware Attack was a Wake-up Call: Picks of the Week


    New WannaCry Cyber Attack Could Target Tens of Thousands of Home Computers | Newsweek

    Hacking Attack Has Security Experts Scrambling to Contain Fallout | The New York Times

    Services Interrupted as Hospitals Push Fixes to WannaCry Ransomware Exploit | Forbes

    Governments, companies, and security experts from around the world raced to contain the fallout from last week’s audacious global cyberattack amid fears that if they did not succeed, data would be lost forever unless ransom demands were met. The efforts came less than a day after malicious software (“WannaCry”) that was stolen from the National Security Agency (NSA) infected more than 300,000 computers across nearly 150 countries in one of the largest “ransomware” attacks on record. Some of the world’s largest institutions and government agencies were affected, including the Russian Interior Ministry, FedEx, German transport giant Deutsche Bahn, and the Spanish telecommunications firm Telefónica. Healthcare organizations were hit particularly hard given that their computer networks are often older, unpatched, and lack strong cybersecurity measures. The British National Health Service was one of the largest institutions affected, with ambulances and doctors’ offices impacted in 45 of its hospitals, cancellation of non-vital surgeries, and certain hospital operations shut down.

    This ransomware began with unsolicited emails, which are typically designed to trick the user into clicking a link or downloading an attachment. Once the link is clicked or the attachment opened, the ransomware leverages a known flaw in Microsoft Windows and begins to replicate itself and spread around whatever computer network that individual computer is connected to. In addition, the ransomware forces the computer to run the malicious code that encrypts all sorts of files – once those files are encrypted and locked away from the user, the attackers then ask for a ransom payment (often in Bitcoin) to release the data. While a British cybersecurity researcher inadvertently found a way to stop the ransomware from spreading after less than 48 hours, the attack has set off fears that the effects of the continuing threat will be felt for months, if not years. This week, a new flaw found in widely used networking software could leave tens of thousands of other computers and additional medical devices potentially vulnerable to a similar attack, and many of those computers are feared to be too old to be patched or fixed. And while the latest ransomware attack was certainly not the only internationally scaled cybersecurity threat in recent years, this attack’s consequential impacts served as a stark reminder of the significant vulnerabilities at the intersection of technology and medicine.

    With an eye towards mitigating similar cyberattacks and increasing preparedness and resilience to cyber risks, the Pell Center conducted a cybersecurity tabletop exercise just three days before the WannaCry attacks, focusing specifically on the challenges and potential responses to growing cyber threats in the healthcare sector. The exercise included a ransomware attack similar to WannaCry, in addition to a series of other cyber intrusion scenarios (i.e., disruption of services, email spoofing, phishing attacks directed at patients, DDoS attacks, data exfiltration) created to identify weaknesses common in the healthcare industry. The exercise was also designed to show how different cyber threat vectors can infiltrate even the most sophisticated computer systems and networks, and also to explore possible remedies and incident responses. The overall objective was to provide healthcare organizations and state agencies with greater insight into the specific cybersecurity issues they face and to explore possible responses and mitigation strategies that could lead to industry-driven solutions.

    Various stakeholders participated in this event, including over 60 healthcare providers, practitioners, and insurers, as well as representatives of the RI Department of Health, RI Office of the Health Insurance Commissioner, and law enforcement agencies. The event targeted not just IT administrators and technicians, but also senior managers, security directors, CISOs, CIOs, communication, and HR personnel, who all have important roles and responsibilities during a cyber incident. In light of the WannaCry attack and our cybersecurity exercise, we recommend that organizations ensure all software and anti-virus programs are up-to-date; patch operating systems as soon as updates are available; align security controls with the risk and impact to the organization; prioritize responses and resources; educate all employees about malicious content and how to identify and avoid it; limit employee access to resources that aren’t necessary for daily workflow; and join forces with trusted third parties, internal staff, law enforcement, and security organizations.

    This event was part of the Rhode Island Corporate Cybersecurity Initiative (RICCI), an ongoing effort aimed at bringing together senior leaders from various sectors in Rhode Island who can effect change and make the state more secure and resilient to cyber threats. In addition, Congressman Jim Langevin (D-RI) joined the group for a keynote address on the future of the healthcare law and on best practices to strengthen the cybersecurity posture of healthcare organizations.

  • Cybersecurity Can No Longer Be Ignored: Picks of the Week

    Why Everything Is Hackable | The Economist

    Hey: Don’t Click That Weird Google Docs Link You Just Got (and Tell Your Mom Not to Click, Either) | New York Magazine

    Getting Beyond Norms: When Violating the Agreement Becomes Customary Practice | Centre for International Governance Innovation

    There’s a good chance you — or someone you know — received an email on Wednesday inviting you to edit a document in Google Docs. Phishing attacks and online scams are nothing new, but the massive attack on Google Docs that hit the Internet on May 3rd took phishing to a new level and spread throughout the globe in a matter of minutes. Most of the emails asking to review or open those Google Docs came from known contacts (colleagues, friends, or family members) and many of them included references to local schools, but all were addressed to a strange contact that boasted a whole string of H’s in its name (hhhhhhhhhhhhhhhh@mailinator.com). If you clicked on the link, it asked for some access permissions to your Gmail account, and then spammed everyone in your contacts with a link to a Google Docs file.

    What the phishing accomplished is unknown, but the widespread scam made its way across the Internet incredibly quickly, and the attacker potentially had access to multiple victims’ Google accounts and contacts.

    Google promptly responded, disabled offending accounts, and put out multiple social media posts to warn users not to click on those links. While Google estimates that “fewer than 0.1 percent” (or about 1 million) of Google users were impacted and that only contact data was exposed, enough people reported receiving these invites that the hashtag #PhishingScam began trending on Twitter and email inboxes clogged with nearly as many warnings about the scam as instances of the scam itself.

    If you were on the receiving end, hopefully you did not click on the malicious link and simply deleted the malicious email. Many of the school districts affected by the phishing scam asked their employees to change their passwords as a preventive measure and called students and parents warning them not to open the emails, to change their passwords if they had opened them, and to report any such instances to Google. For those who may have been tricked by the attack and clicked on the phishing link, Google also recommends that you visit their account page at https://myaccount.google.com/secureaccount and remove any apps you don’t recognize.

    Cyber threats and phishing attacks are only increasing in scope, volume, velocity, and sophistication. Just in the last quarter of 2016, multiple Internet service providers (ISPs), businesses, and other organizations around the globe were victims of a variety of disruptive and damaging distributed denial of service (DDoS) attacks. In October 2016, a piece of malicious software called “Mirai” was used to turn thousands of insecure Internet-connected devices into remotely controlled “bots,” which were then used to flood the Domain Name System (DNS) infrastructure and Internet provider Dyn in the US, knocking off-line many of its customers, including PayPal, Twitter, Reddit, The New York Times, Spotify, Airbnb, and others. In November 2016, the Mirai software was used again in Europe, knocking nearly 1 million Deutsche Telekom customers off-line. This time, the malicious software attempted to infect routers and thus could have affected a much broader part of the Internet’s infrastructure. The Mirai attacks have highlighted various vulnerabilities and the lack of security of the “Internet of Things” (IoT) and the “smart” devices it comprises. As Melissa Hathaway, former cybersecurity adviser to U.S. Presidents George W. Bush and Barack Obama, explains in her latest piece on the breakdown of international norms of responsible state behaviors in cyberspace: “the Mirai attacks also highlight why the Internet’s security and stability is an international issue. As countries continue to embrace the economic opportunities of becoming more connected to the Internet and adopting and embedding more IoT devices in every part of life, they must also prepare for the misuse of those same ICT-based devices.”

    The fact that cybersecurity made the front page of a magazine like The Economist (usually written about making money) is a pretty big deal economically speaking, and the gloomy prediction is troubling. The article, headlined “Why everything is hackable,” noted how profitable it is for malicious actors to exploit vulnerabilities and prey on people’s ignorance or ingenuity. With ransomware and exploit kits readily available on the Dark Web, the initial investment is low, and the potential revenue generation is high. The article cleverly pointed out that high tech companies “value growth above almost everything else,” and there is a mentality of “Ship it on Tuesday, fix the security problems next week – maybe.” I sadly have to agree, and fear that this mentality has further disincentivized tech companies from developing well-engineered products with fewer vulnerabilities and increased redundancies. The Economist recognizes that these and many other cybersecurity issues are a serious problem and, while it might have been excusable to overlook these issues when the Internet was new, this is no longer acceptable or feasible in today’s highly connected world. – Senior Fellow Francesca Spidalieri

  • Is your phone or smart home device spying on you? Picks of the Week

    Are your sensors spying on you? | Science Daily

    Amazon Makes the High-Performance 7-Mic Voice Processing Technology from Amazon Echo Available to Third-Party Device Makers | Amazon

    Hackable IoT washing machine provides channel for breaching hospital IT | CyberScoop

    Technology is infused in our modern life. Attempts at attaining perspective often fall to historical comparisons. Images frequently circulate of warehouse-sized computers from the 1960s, which can hardly compare to the computing power, size, speed, and functionality that even a low-end smartphone possesses today. Much has been written on the blistering pace this technological infusion has taken since those early images. Innovation in the technology sector barrels forward. For a short golden age, we marveled at the change, the improvements in our daily lives, and the increase in efficiency, productivity, and global reach that technology afforded us. Yet, in our haste to constantly deploy new technology, masked in a liberative utopian narrative, we may have missed a shift: a slope downward from our zenith. The host of new technology, now pervading almost every aspect of our lives, paired with our physical proximity to all those technologies and connected devices and sensors, creates a variety of privacy and security problems.

    A smartphone is a patchwork of technology. Complementing the most obvious sensors (e.g., touch screens, microphones, cameras), smartphones also have Global Positioning System (GPS) receivers, accelerometers, gyroscopes and orientation sensors, Bluetooth, light sensors, and Near Field Communication (NFC), to name just a few. Culturally, we have acclimated to living with smartphones in our hands for an average of ~9 hours a day. The constant connection and instant feedback this miniaturized computer affords us creates a bargain: we must provide our phones the information they ask for and allow them to “follow” us around. When installing any smartphone application, the app will request permissions, asking for the ability to interface with the sensors on board. Most users do not read the permissions when installing an app, and even if they did and wanted to refuse any part of it, they would not be able to install the app. Some of the sensors built into those devices do not even require permissions to access the data on the phone. While we use our smartphones for simple tasks, a number of apps interface with a multitude of sensors at any given moment. Recently, researchers in the United Kingdom revealed the ease with which malicious websites, as well as installed apps and built-in sensors, can spy on us and be exploited by hackers, in one case using the orientation sensor (the sensor phones use to calculate which way the phone is facing) to crack the user’s PIN. Despite the variety of cyber threats these vulnerabilities expose us to, from phishing attacks to identity theft, research shows that people are unaware of the risks, and most of us have little idea what the majority of the 25+ different sensors available on current smartphones do.

    Our closeness with technology has expanded outward from our pockets and personal computers. The rush has served to saturate the “real world” with Internet-enabled devices. Recent events have highlighted the potential danger of our increased reliance on technology, and media reports have highlighted a series of vulnerabilities in popular consumer-oriented, Internet-connected light bulbs, DVRs, thermostats, security cameras, and GPS trackers. In October, hundreds of thousands of insecure IoT devices were used to launch a large-scale distributed denial of service (DDoS) attack on the Domain Name System (DNS) host “Dyn,” interrupting service for swaths of the Internet. The attack is believed to have been launched from compromised “Internet of Things” (IoT) enabled devices, like DVRs, cameras, and baby monitors. Other IoT devices like Amazon’s Echo and Alexa have come under intense scrutiny over concerns of information collection and utilization. Records collected by Alexa are stored by Amazon and have often been subpoenaed by law enforcement, and Alexa records have even been sought as evidence in at least one murder case.

    The metaphor used ad nauseam for our current situation is Jeremy Bentham’s panopticon, a circular prison in which a guard can watch all prisoners but the prisoners are never sure if they are being watched. For Bentham, the possibility of always being watched would keep the prisoners behaved. In the modern world, we are always being watched but, unlike Bentham’s prisoners, we are not held in a prison cell. To keep ahead of these developments appears at best overwhelming, and at worst Sisyphean. Privacy, as conceived by modern society, may be on the path to extinction, but as consumers we can hold on to a modicum of it. Paying attention to the permission requests of apps on your smartphone, reading carefully the functionality of new devices purchased, checking which purchases require an Internet connection, only installing applications from approved app stores, and keeping our phone operating system and apps up-to-date can be effective steps to preserve those remaining fragments of privacy and certainly increase our security online. Encouraging awareness and piecemeal observations may seem a lackluster solution, but it requires a necessary self-reflection on the intent and purposiveness of our technology, and the nature of our increasingly connected society and ‘always on’ devices. – Francesca Spidalieri and Francis Quigley

  • More Women Needed to Close the Cybersecurity Workforce Gap: Picks of the Week

    The 2017 Global Information Security Workforce Study: Women in Cybersecurity | Center for Cyber Safety and Education, (ISC)2, and the Executive Women’s Forum
    No Woman’s Land: Cybersecurity Industry Suffers from Gender Imbalance, Discrimination | Law.com
    Women May be the Key to Unlocking Cybersecurity Workforce Deficit Puzzle | Bloomberg

    Information security demand is far outpacing the supply of knowledgeable and experienced cybersecurity professionals capable of addressing the numerous cyber threats that the modern world is faced with. The widening gap between the burgeoning demand for cybersecurity talent and the supply of a professional workforce has been a common theme throughout my studies in the past few years. As I wrote before, the shortage of a highly trained cybersecurity workforce can be felt across all sectors, from the federal government to Fortune 500 companies, with potentially negative consequences for national security and the global economy. Over 209,000 cybersecurity jobs are currently estimated to be vacant in the United States alone, with the number predicted to rise to 1.8 million globally by 2022.

    The tech and cybersecurity industries are among the most in-demand, profitable, and critical fields in modern history. But, although cybersecurity professionals are in great demand and can command impressive salaries, there is still a critical shortage of talent worldwide and, in particular, of women – who represent an astonishingly low number of current professionals in the field and who face a much harder path to reach the upper echelons of the corporate world.

    According to a new report, while women represent 43% of the global workforce, they only fill 11% of cybersecurity positions. The newly released Women in Cybersecurity workforce study, published by the Executive Women’s Forum on Information Security, Risk Management and Privacy (EWF), and the Center for Cyber Safety and Education, sheds light on the persistent challenges that women face when entering this growing field due to wage gaps, missed or delayed promotions, and discrimination. The study surveyed over 19,000 information security professionals from 170 nations.

    As Lynn Terwoerds, EWF Executive Director, said in a press release: “the under-representation and under-utilization of female talent is both a critical business issue and a hindrance to the development of world-class cybersecurity organizations and resilient companies, as well as the overall safety and protection of our country.” The new report also found that women in cybersecurity earn less money than men at every level, are four times less likely to hold executive positions, and are nine times less likely to hold managerial roles, despite having higher levels of education and certification than men (half of the women surveyed held a master’s degree or higher, compared to 45% of men).

    The shortage of cybersecurity professionals, and especially women, is often exacerbated by a lack of objectivity and consistency in competency models and measurements to ensure men and women are entering and moving up in the industry equally, and by unconscious and conscious biases present throughout recruiting, hiring, and performance evaluations. These endemic aspects are compounded by a lack of clarity in job descriptions, competing professional certifications, and multiple different training and education standards, which in turn make it harder for organizations to properly identify, recruit, place, and manage the cybersecurity workforce they need.

    Solving complex problems, such as preventing, responding to, and mitigating sophisticated cyber threats, requires diverse experiences, different talents and backgrounds, and many ways of thinking. We cannot expect to close the widening gap between supply and demand of cybersecurity professionals without including more women and minorities, so diversity has to be part of the solution.

    While no single panacea exists to attract more women to this growing field and to close the workforce gap to equilibrium, organizations in both the public and private sector can start by focusing on developing programs to further educate and retain their existing workforce. These include: ensuring that all staff are regularly trained and tested so that they understand and fully appreciate their role in maintaining a strong cybersecurity posture; providing employees with opportunities to connect with mentors within and outside of the organization to help navigate some of the perceived or actual barriers and to further develop their skills; offering other incentives such as flexible work hours and paid maternity leave; and addressing the wage disparity issues by establishing clear pay structures based on merit and movement through the profession. Leadership, sponsorship, and skill development programs can also help build the pipeline, since women who’ve completed these programs report feeling more valued in their organizations, according to the study. Other effective mechanisms that can help organizations identify, recruit, manage, and retain cybersecurity professionals, including women and minorities, include: taking a proactive role in promoting gender diversity in the cybersecurity field; looking at the universities that have higher percentages of women and minorities participating in cybersecurity or related programs and recruiting from these institutions; joining other recruiting alliances that promote workforce diversity; placing increased value on real-world experience (versus solely qualifications); and establishing an employee referral program to recruit talented and trusted cybersecurity professionals from employees’ personal networks (e.g. universities, professional associations).

    Addressing the critical pipeline issue of women in the cybersecurity workforce, however, has to start at the leadership level. Senior leaders need to commit to reversing this trend — from our universities to our board rooms — and working to create a workforce with a diversity of thoughts, genders, and backgrounds before the issue becomes irreversible. – Senior Fellow Francesca Spidalieri

  • Trump, Twitter, and the Tide of Cybersecurity: Picks of the Week

    Obama officials: There is hope for cybersecurity under Trump | The Christian Science Monitor

    At RSA, doubts abound over US action on cybersecurity | CSO Online

    The Rules of the Brave New Cyberworld | Foreign Policy

    This year’s RSA Conference—one of the largest cybersecurity conferences in the world—broke attendance records with over 40,000 participants, including cyber professionals, academics, and public servants. Although the conference has historically been focused primarily on security tools and technologies, it has increasingly attracted policy-makers and government officials as both attendees and keynote speakers in an effort to obtain the government’s views on cybersecurity, to facilitate government interaction with cyber experts, and to encourage the tech industry to work collaboratively with the government.

    Markedly absent from the crowd this year, however, were officials from the Trump Administration.

    While no one from the current administration appeared to be in attendance, the impact of ‘cyber insecurity’ on government was widely discussed, as many panels and side events explored cybersecurity policy and government responses to cyber attacks. A leaked draft of an executive order on cybersecurity provided the fodder for much of the discussion; however, the order itself has been in limbo as the Trump Administration remains entangled in controversy around its other executive orders and actions.

    The leaked draft of the executive order on cybersecurity received mixed responses from the community of cyber professionals and industry experts, largely because there was not much in it beyond past policies established by the Obama administration, and a request for federal agencies to report back to the White House within 60 to 180 days.

    In the meantime, there is an increasing push in Congress for a full investigation over the alleged Russian meddling in the 2016 presidential election. The Trump Administration’s plans to improve U.S. cybersecurity for the government and the private sector—or to commit to any sort of norms of state behavior in cyberspace—remain unclear. On the campaign trail, Mr. Trump had vowed to make cybersecurity a top priority if he were elected, and even promised comprehensive reports from intelligence officers on hacking by foreign actors.

    The reality of governing has seemed to transcend the promises of the campaign trail, however, as cybersecurity appears to have taken a backseat to other issues facing the Trump Administration. Some of the participants at the RSA conference, such as Virginia State Governor Terry McAuliffe, suggested that instead of waiting for the federal government to act, it might be up to the states to assume a larger role in promoting cybersecurity. Indeed, as I have argued before, states cannot wait for the federal government to provide all responses and solutions before taking action, and they must start developing comprehensive strategies to strengthen their cybersecurity posture, improve their cyber resilience, and ensure that their citizens can rely on safe and secure Internet connectivity.

    In an effort to address cybersecurity headwinds, various committees, think tanks, and experts have published a variety of policy proposals and reports in recent months for the Trump Administration to consider, and have emphasized that the new president begins his tenure at a time of considerable cyber risk to the U.S. government and businesses, and a growing public awareness of these issues.

    As cyber threats continue to grow in scope, volume, and sophistication, however, there are relatively few indications as to how the Trump Administration will approach the significant cybersecurity challenges that the government will need to address both domestically and internationally, and how it will prioritize competing interests. It remains to be seen how an administration highly skeptical of active government regulation will contend with a problem that, because of its scope, will likely require the federal government to take a leading role. It also remains unclear whether the President’s use of Twitter will eventually bring cybersecurity issues to the forefront.

  • Data Privacy Day: How to Protect Yourself and Your Organization Online: Picks of the Week

    Americans and Cybersecurity | Pew Research Center

    Data Privacy Day: Easy Tips to Protect Your Privacy | Forbes

    Data Privacy Day: know the risks of Amazon Alexa and Google Home | Naked Security

    Today is Data Privacy Day (DPD), an international effort held annually to raise awareness about data privacy and promote data protection best practices. This event is celebrated every year on January 28th in commemoration of the signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Across the country and around the globe, organizations like the Pell Center at Salve Regina University have held DPD events throughout the week aimed at raising consumer and corporate awareness about data privacy issues, including the Internet of Things (IoT), data breach security, identity protection, and sophisticated new cyber threats.

    While this year’s theme is focused on Respecting Privacy, Safeguarding Data, and Enabling Trust, many of the discussions around the country have centered around the implications of IoT devices – from fitness trackers to cars, smart TVs, baby monitors, children’s toys and any other device that is being connected to the Internet – on security and privacy. The sensors embedded in these devices and their deep penetration into people’s lives, businesses, and homes enable them to listen to our conversations and collect incredibly private data about individuals and organizations, which in turn could be used to quickly triangulate people’s identity from mere fragments of data, exposing our lives to a variety of cyber threats. Indeed, while the IoT allows for virtually endless opportunities and connections to take place – many of which we haven’t even thought of today – experts from tech companies, watchdog organizations, and universities agree that these devices also open up more avenues for companies, hackers, and governments to violate our privacy.

    With new data breaches emerging daily and an increased use of information as a tool of political warfare, individuals and organizations should take advantage of every opportunity to discuss the importance of protecting personal data and empowering leaders to take better actions to safeguard information and digital assets. Ensuring the integrity of data and controlling its use is critical to maintaining trust not only in private companies, but in public institutions and government leaders’ ability to make decisions. This not only means having the right policies and security solutions in place, but also making sure everyone in every given organization that comes into contact with confidential data knows how to protect it. Organizations should recognize that data privacy starts with the individual users and that employees can actually become the first line of defense if they receive proper training and know what they can do to not only protect their organization, but also protect their own personal information. As many of the events hosted throughout the week – including at the Pell Center – reminded us, holding regular data privacy and cybersecurity seminars and trainings for employees can serve to develop a culture of security and privacy across the entire enterprise, communicate internal cybersecurity policies and procedures, address specific security and privacy issues, and remind everybody of their fundamental role in maintaining an organization’s strong cybersecurity posture.

    Basic tips for any individual to be safer online include locking down logins, adopting dual-factor authentication, making sure all Internet-connected devices are up to date, and if something looks suspicious, deleting it instead of clicking on it or opening an attachment. A few other recommendations include:

    • Share with care – What you post can last a lifetime: Any information you share online can easily be copied and is almost impossible to take back.
    • Personal information is like money. Value it. Protect it.: Information such as your online purchases, web searches, and contact lists has value ‒ just like money. Understand the value of your information and be more selective with the information you provide to apps and websites.
    • Post only about others as you would like to have them post about you: Remember the golden rule and that it applies online as well. What you post online can positively or negatively impact other people.
    • Own your online presence: Review your privacy and security settings on your apps, games, and social media platforms.
    • Don’t connect sensitive accounts to your smart home devices (e.g. Echo, Alexa) and mute them when not in use: The mute/unmute button is right on top of the device. The “always listening” microphone will shut off until you’re ready to turn it back on.
    • Stay current. Keep pace with new ways to stay safe online: Keep up with new technology and ways to manage privacy. Visit staysafeonline.org or other trusted websites for the latest information about ways to stay safe online.

    Raising visibility of initiatives like DPD and spurring ongoing discussions will help to maintain global awareness, even as single celebrations and cybersecurity headlines fade from the front page. While recent research shows that half of Americans feel that their personal information is actually less secure than it was 5 years ago, the hope is that efforts like Data Privacy Day continue to increase individuals’ awareness about safeguarding their own privacy and highlight why it’s important for nations, organizations, and people to be responsible data stewards.

  • Will 2017 finally be the year of cybersecurity? Picks of the Week

    From Awareness to Action: A Cybersecurity Agenda for the 45th President | CSIS

    Russian Hacking Illustrates Increasing Role of Cybersecurity in Geopolitical Warfare | The Hill

    In 2017, real action on cybersecurity will happen after loss of life | CSO Online

    Cybersecurity stories dominated the headlines in 2016, so it is unsurprising that new reports and many cybersecurity experts claim that 2017 will see continued nation-state cyber attacks, bigger and more damaging data breaches, targeted ransomware and Distributed Denial-of-Service (DDoS) attacks, and longer downtime and increased financial costs caused by successful attacks.

    Organizations in both the public and private sectors strengthened or launched new cybersecurity initiatives in the past year, including addressing issues such as endpoint security, cloud security, cybersecurity funding, security controls, and cybersecurity staffing. This is important because 2016 was a year of unprecedented cyber attacks and massive data breaches, from the high-profile hacks of Democratic political organizations by the Russian government in an attempt to discredit American democracy and interfere with the US election, to the mega breaches that plagued Yahoo, LinkedIn, and numerous others (compromising millions of records of personally identifiable information and other sensitive data in the process), to cyber disruption involving critical infrastructure services such as the attack on the Ukrainian power grid by Russian hackers, to black-market ransomware and DDoS attacks that can take control of critical IT systems and then leverage that control for extortion.

    Much of what we saw in 2016 will evolve in complexity, scope, and sophistication in 2017. Cybercriminals will continue following the money trail, with ransomware and DDoS attacks becoming more widespread and increasing in scope and severity. Hackers will continue finding new vulnerabilities to exploit and ways to evade detection systems. Nation-states will increasingly rely on cyber espionage and cyber warfare as instruments of state power in order to gain an advantage on the battlefield, infiltrate and manipulate critical infrastructure services, such as the case with the Ukrainian power grid, and coerce adversaries toward a desired outcome. At the same time, U.S. and international law have not kept pace with technological innovation and enforcement of existing laws in cyberspace is intrinsically difficult, with some countries still refusing to cooperate in prosecuting cybercriminals.

    We’re now at a tipping point in the digital age and the Internet economy: as we continue to adopt the Internet of Things (IoT), embed connected devices into all our essential services and every part of our lives, and rely more than ever on technologies that are inherently insecure, we’re also becoming increasingly less resilient and exponentially more vulnerable to cyber attacks.

    Cybersecurity is not a new problem, nor is it a unique concern to world powers, large companies, or specific sectors. Despite an exponential increase in attention and awareness about cybersecurity and much activity on the international stage and within government to tackle these issues over the last decade, we are still at risk (and increasingly so!) and much is left for governments and organizations around the world to do to ensure a secure and stable digital environment that promotes innovation and supports continued economic growth, while also protecting personal freedoms and national security.

    A new report released this week by the Center for Strategic and International Studies (CSIS) addresses these specific issues and provides detailed recommendations for the next administration to strengthen the cybersecurity posture of the United States. The CSIS Cyber Policy Task Force behind the report included members of Congress and identified specific policies, organizational improvements, and resources needed for progress in this challenging area. The report, titled “From Awareness to Action: A Cybersecurity Agenda for the 45th President,” builds on the report published in 2009 by the Commission on Cybersecurity for the 44th Presidency – a foundational document for creating a strategic approach to cybersecurity – and follows the December report of the Commission on Enhancing National Cybersecurity, established by President Barack Obama in February 2016. Two of its widest-ranging recommendations included the creation of an appointed post of assistant to the president for cybersecurity and the establishment of a new program to consolidate all civilian agencies’ networks into a single network. CSIS’s report included the first, but not the second.

    As Sen. Sheldon Whitehouse (D-RI), Ranking Member of the Senate Judiciary Subcommittee on Crime and Terrorism, who served as co-chair of the CSIS Cyber Policy Task Force, said upon the release of the report, “this past election has proven just how important it is for the President-elect and his national security team to appreciate the scope and the severity of the cyber threat.” Building on strategies the Obama administration established, the CSIS report recommends that the next administration improve and reorganize oversight authorities, elevate the role of the White House cybersecurity coordinator, establish an independent cyber agency within DHS and a Division of Data Protection within the Federal Trade Commission, clarify the cyber defense roles of civilian and military agencies, better secure critical infrastructure and services, and work closely with allies against common cyber threats.

    Although President-elect Trump continues to express skepticism about the Russian government’s attempt to orchestrate pre-election cyber attacks to undermine the U.S. democratic process and has yet to offer details about his cybersecurity priorities and agenda, this report will hopefully provide a blueprint for the next administration to follow since one of its key authors, Karen Evans, is now a member of the Trump transition team.

    Will 2017 finally be the year of increased cybersecurity? And what will it take?

  • Don’t Get Grinched by Cybercrime During the Holiday Season: Picks of the Week

    “Holiday shopping by mobile phone? Beware fake apps and bad Wi-Fi hotspots” – Computerworld

    “Worried about Black Friday Cyber Scams? 6 Ways to Protect Your Money” – Forbes

    “5 Ways Retailers Can Stay Safe Over the Holidays” – Dark Reading

    The holiday shopping season is about to get into full swing and retailers are gearing up for another record season of online sales. Research group eMarketer expects that online retail sales will bring in at least $94 billion – or 10.7% of the total retail sales – from now until the end of the holidays, a 17.2% increase in online sales from last year.

    But as millions of consumers pick up their smartphones and tablets to go holiday shopping and flock to the Internet as their preferred, convenient “one-stop-shop” for all gift-buying needs, hackers and cyber criminals are not too far behind… In fact, this is prime cybercrime season for digital crooks timing their phishing emails, malicious links, and other online scams and attacks to Black Friday, Cyber Monday, and the rest of the holiday season. They prey on the naiveté of shoppers looking to score a holiday deal or take advantage of a special reward to trick them into downloading malware, giving up login credentials and credit card information, or sending payments to bogus sites.

    Consumers and retailers alike should be prepared for an even higher risk of online fraud and social engineering scams across all channels than in past years. A new report from cybersecurity company Kaspersky Lab shows that the number of online attacks during this high sales season is 9% higher than the average number of attacks that happen during other months of the year, and 2016 is on track to be a record season for online sales… and online scams!

    While security experts continue to work to find possible solutions against the latest malware and scam techniques, here are some of my yearly tips on how to protect yourself from online Grinches this holiday season:

    • Before, during, and after the holidays, keep an eye on your bank and credit card accounts for signs of suspicious activity, mystery charges, or “micro-charges” – Hackers often test cards to see if they are valid by charging small amounts of $1 or $2. If those cards are found to be valid, they can then sell them to other crooks for a premium. If you notice any unauthorized charges, immediately contact your bank.
    • Buy only from reputable merchants and recognized websites – Be wary of emails and pop-up messages asking for your password, credit card number, or personal information. No established business would ask consumers to disclose such information via email or pop-up. Do not reply or click on the links in these messages as they may take you to copycat malicious websites. Instead, look for the ‘HTTPS’ in the address bar of your online retailer and check the specific email address and domain name of the sites to make sure it’s really from the retailer and not a close derivative. If in doubt, contact the legitimate organization directly to verify authenticity.
    • Be aware of fake commerce apps – Download apps only from the official Google and Apple app stores – which have more rigid requirements for banning malicious apps – and be skeptical of apps that ask for suspicious permissions like access to contacts, text messages, stored passwords, or credit card information.
    • Avoid “free Wi-Fi networks” – Don’t use public Wi-Fi networks, especially when using your phone for banking and e-commerce. Personal and banking information should never be sent through unsecured wireless connections in public places. Get your Starbucks Peppermint Mocha and don’t stay for the free Internet!
    • Be skeptical of deals that sound too good to be true – Do not fall for rock bottom bargains unless you make certain they are legitimate by contacting the merchant and asking questions before making a purchase. If a deal seems too good to be true, it probably is!
    • Be alert for potential charity donation scams – Think before clicking on emails requesting donations. Make a contribution by navigating to the trusted web address of the charity, never through a link in an email.
    • Use strong passwords and dual-factor authentication – Create long, complex passwords using upper and lower-case letters, special characters, and numbers, and use a different one for each online account. Various password management programs (1Password, KeePass, or LastPass) exist to help you manage your various passwords so that you are not overwhelmed. These programs are safe and secure, and they can generate hard-to-crack passwords for you.
    • Do not send cash or wire money for payment – Pay with a credit card or, even better, gift/charge card. The best option is to keep a separate credit card for online purchases.
    • Secure your computer and mobile devices – Update your devices to the most current operating system and keep your anti-virus and anti-spyware software up to date, along with your firewall. They will help monitor all online activities and protect your devices from viruses, worms, Trojan horses, and other types of malicious programs.

    Some additional tips on how to protect your company from cyber threats and strengthen your overall cybersecurity posture:

    • Protect your organization’s endpoints and servers – Scan your organization’s network environment for threats that may have been lurking for several months before surfacing as a malicious attack during the holidays. Harden your servers with good access control and security tools such as antivirus and antimalware software, and run frequent patches and updates. Consider advanced endpoint threat prevention tools that protect memory from experiencing distributed denial-of-service (DDoS) attacks and other complex advanced threats.
    • Train your organization’s workforce – Before the holiday season starts, make sure all your employees receive at least some basic training in cybersecurity and cyber hygiene, and create an environment where they feel comfortable coming to managers if they see any suspicious emails or files.
    • Have a documented and tested incident response plan in place – Make sure your employees know what to do and who to contact if they see something suspicious, and establish clear roles and responsibilities before a serious breach happens. The incident response plan should be regularly exercised and updated.
    • Create a culture of security that starts from the top – If management is committed to a culture and environment that embraces honesty, integrity, security, and ethics, employees are more likely to uphold those same values. Cybersecurity is a shared responsibility!
