
    The Equifax Breach is a Case Study in Why We Need a National Data Notification and Protection Law: Picks of the Week

    “The Time is Now for Congress to Act of a National Data Breach Notification Law” | The Hill

    “Equifax Breach Prompts Scrutiny, but New Rules May Not Follow” | The New York Times

    “The single most depressing thing about the Equifax breach” | The Washington Post

    It took over six weeks for credit bureau Equifax – one of the three major credit reporting firms in the U.S. – to disclose the massive data breach that potentially compromised confidential information of 143 million customers – or nearly half of the U.S. population. Aside from the reports on the company’s sloppy cybersecurity measures that made it low-hanging fruit for hackers and its subsequent handling of what appears to be one of the worst data breaches in recorded history, the fact that the company took so long to notify customers is appalling – but given the patchwork of data breach notification laws in the US and the still-too-common disregard for industry-wide cybersecurity standards, it was not all that surprising.

    Breached companies often choose to delay notification of hacks, putting customers at risk while avoiding consequences. While there may be legitimate reasons to delay informing consumers about a data breach, such as an ongoing criminal investigation by law enforcement or the need to assess the full scope of the hack and extent of the damage before letting consumers know and possibly causing panic, companies often wait to go public about a data breach because they fear the damages a hack will have on their reputation, customer trust, stock value, and overall revenues.

    In the case of Equifax, the company’s slowness first in patching a known vulnerability and then in effectively responding to the hack and notifying customers, combined with its high-level executives who apparently sold off almost $2 million worth of stocks days after the breach was discovered, shows a complete lack of leadership and real concern about customers’ privacy and security. Equifax has yet to disclose why it waited so long to inform customers about the breach and, in the meantime, two top executives have stepped down, the legal team and the Board are bracing for probes by the federal and state authorities and a slew of class-action lawsuits, and the CEO is preparing to testify before the U.S. Congress.

    What sets Equifax’s breach apart, however, has less to do with their undue delays or with the numbers of records breached – Yahoo’s data breach last year affected as many as one billion accounts – than with the high value of the data exposed. The data that was accessed by still-unknown hackers includes a trove of names, birth dates, Social Security numbers, addresses, driver’s license numbers, and even credit card and bank account numbers. Even individuals that never used Equifax were affected. Indeed, consumers have almost no control over whether their information is absorbed into credit bureaus like Equifax, Experian, and TransUnion, and do not have to provide consent for them to use and process their personal data. If you ever applied for a mortgage, a credit card, a cellphone plan, or to buy a car, Equifax or a similar company likely has your information, which is used to rate your credit-worthiness to banks, home sellers, auto sellers and others.

    With so much personal information, criminals can easily impersonate you, take out new lines of credit in your name, file fraudulent tax returns, take out prescriptions, and craft even more sophisticated phishing emails and scams. These types of cyber risks are not isolated to Equifax, but this massive data breach revealed another inherent flaw in the U.S.: the over-reliance on Social Security numbers and the skewed credit reporting system that is in urgent need of reform. The wide use of SSNs in both government and private sectors, and the ease of using them to access highly-sensitive accounts, has made hacking systems such as credit reporting agencies even more appealing to cyber criminals.

    A breach of this proportion should serve as a warning both for policymakers and customers about what may lie ahead. Breaches will only continue to grow in number, volume, and sophistication. As more information becomes digitally available, our data becomes more at risk than ever.

    Unfortunately, companies are not incentivized to prioritize security, resiliency, and privacy, and there is little national oversight on how companies handle data. Indeed, most companies constantly collect and store data even just because they might want to use it sometime in the future – there is no law that forces them to only collect the bare minimum of data necessary, or that limits how long a company can store data, or that requires them to encrypt everything they collect, or that imposes regular security audits. When it comes to notifying consumers that their data has been stolen, laws in the U.S. vary state to state and differ in how much time and how much information companies are required to divulge, and whether to notify other parties besides the affected people (such as state attorneys general, credit bureaus or regulators). Past calls in Congress to establish a nationwide standard have repeatedly fizzled. The result is a muddled patchwork of 48 different state laws governing data breach notification, and timing is only specified in eight states and varies anywhere from 10 to 90 days. Rhode Island’s law, for instance, requires notification to be made within 45 days from the discovery of a breach. Georgia – where Equifax is based – has no timeline specified for when a company must notify customers about a breach. Alabama and South Dakota don’t even have a data breach notification law on the books. For comparison, the European Union’s new General Data Protection Regulation, which comes into effect next year, requires that any data breach be reported within 72 hours.

    Big hacks like the Equifax fiasco put into context just how much control organizations have over our personal information, how much information is regularly collected, and how valuable (and vulnerable) that information is. But as the digital world increasingly dictates where we work, play, and live our lives, we need to have control — or at the very least, basic knowledge — over what data is being collected about each one of us, where it is stored, who has access to it, and how it is being protected.

    While Congress debates the merits of the various proposals to establish a national data notification and protection law, if you were a victim of this latest enormous breach (assume you were!), here are a few things you should do to protect yourself:

    • Check your credit accounts immediately and regularly for any suspicious activity, and continue to monitor your credit card and bank accounts for the foreseeable future;
    • Set up a fraud alert;
    • Freeze your credit accounts – meaning no one can open an account (transfer money), buy a car, house or other big item – using your SSN, CC, bank account, etc.;
    • Set up two-factor authentication on important financial accounts to deflect hackers with stolen information;
    • If you have children, enroll them in allclearid.com.

    Game of ‘pwns’: Cybersecurity Lessons from the latest HBO Hack – Picks of the Week

    Hackers Demand Millions in Ransom for stolen HBO Data | Associated Press

    Spoiler Alert: Hackers Are Gunning for Hollywood | Variety

     The HBO Hack Was Reportedly up to Seven Times Larger Than the Sony Hack | Vanity Fair

    It seems that no one can escape cyber threats or data breaches these days – everything from political parties to the King in the North appears vulnerable to attack.

    The latest victim in a string of embarrassing and potentially highly damaging data breaches that have affected the entertainment industry in recent years is Home Box Office Inc., more commonly known as HBO. The HBO hack, first reported over the weekend, seems to be larger than initially believed, and the leaks have included internal documents, images, videos, and personal information of an HBO senior executive. Upcoming episodes from multiple shows – including Ballers, Insecure, and Room 104 – along with draft scripts of the popular Game of Thrones were also made available online. The network issued a take-down notice to Google, demanding links to the leaked information be removed, but in a new twist of events the hackers – who reportedly stole 1.5 terabytes of HBO shows and confidential corporate data – released a second dump of sensitive proprietary data and demanded a multimillion-dollar ransom from the network to prevent additional leaks.

    The group of hackers delivered its ultimatum through a swaggering five-minute video from “Mr. Smith” – the name that the group is using to identify itself – to HBO CEO Richard Plepler. In short, they asked to be paid the equivalent of their “6-month salary in bitcoin” within 3 days to stop the leaks, and claimed to earn upward of $15 million a year by blackmailing organizations whose networks they have penetrated.

    The hackers claimed it took them about 6 months to breach HBO’s network, and to have spent a half-million dollars per year to buy “zero-day” exploits that allowed them to break into their corporate networks through vulnerabilities not yet known to Microsoft and other software companies. They also bragged about HBO being the hackers’ 17th target and that only three previously victimized companies refused to pay. HBO is continuing to investigate the hacks and is working with police and cybersecurity experts, but it remains unclear how extensive the hack really was, how disruptive it will be to HBO’s business and employees, and whether the hackers will release the more explosive material they promised if the ransom isn’t met.

    So far, the HBO leaks have been limited and have fallen well short of the chaos inflicted on Sony Pictures Entertainment in 2014. In that cyber attack, a group of hackers known as the “Guardians of Peace,” allegedly associated with North Korea, leaked thousands of humiliating and damaging emails and personal information, including salaries and social security numbers, of nearly 50,000 current and former Sony employees. The group demanded that Sony halt the release of one of their major motion pictures that year – The Interview – threatening terrorist attacks and causing Sony to cancel the film’s premiere and mainstream release. Ultimately, the 2014 Sony hack resulted in the resignation of senior executive Amy Pascal and in a multi-million-dollar settlement with the studio’s employees.

    While the Sony hack definitely got the attention of executives across the entertainment industry, and while this and other major cyber incidents led to a shift in attitudes toward security, many experts argued that Hollywood studios were still not doing enough to prevent the next big data breach and warned that it was just a question of time before we would see another incident of the same or increased magnitude. Recommendations poured into Hollywood studios and cybersecurity companies have flourished since, offering all kinds of technical solutions – from better firewalls to intrusion detection systems, network access control, cloud service security products, etc. The entertainment industry, however, has continued to focus on perimeter defenses instead of investing in risk mitigation strategies and more proactive measures, like using digital rights and content-management solutions to share and control how entertainment companies collaborate on content without putting it at risk of being compromised. These tools can increase the security of communications with external parties over secure channels, be they email, text, phone or instant messaging. Unified endpoint management solutions could also improve security and help control all IT endpoints, including desktops, laptops, mobile and even IoT devices. Finally, companies of all sizes and in all sectors should regularly train their employees on cyber hygiene and cybersecurity awareness, and bring in “ethical hackers” to conduct penetration testing and simulate real-world attacks.

    As Alex Manea, CSO of BlackBerry, noted: “if Game of Thrones has taught us anything, it’s that enemies will always try to find and exploit our biggest weaknesses, be they physical, mental or in this case digital. And just as in the hit HBO show, our goal isn’t to make our defenses impenetrable, it’s to make them strong enough that hackers simply move on to easier targets. In the end, enterprises and individuals who adopt this approach to risk management will have the best chance to survive the digital winter.”

    The HBO hack has shown us that there is no such thing as perfect cybersecurity, but that there are multiple proactive solutions and training opportunities that can be adopted to add layers of security and make us more difficult targets to penetrate. What the network will decide to do next to resolve the case is hard to guess. For now, at least fans seem to remain loyal to the cable network that has brought them their favorite show, which recently saw its best-ever live ratings with more than 10.2 million viewers despite the recent hacks and multimillion-dollar ransom demand. – Senior Fellow Francesca Spidalieri


    As U.S. States Join Forces to Boost Cybersecurity, Federal Government Slashes U.S. Leadership in Cyberspace

    “38 Governors Sign ‘a Compact to Improve State Cybersecurity’” | Government Technology

    “Tillerson to Shut Cyber Office in State Department Reorganization” | Bloomberg

    “Top State Cyber Official to Exit, Leaving a Myriad Questions” | Politico

    Rhode Island recently hosted the National Governors Association (NGA) meeting, during which 38 state governors pledged to make cybersecurity a top priority and agreed to further develop statewide plans to enhance cybersecurity governance, prepare and defend their states from cyber incidents, and grow the nation’s cyber workforce.

    The NGA meeting, which drew high-profile speakers such as Vice President Mike Pence and Canadian Prime Minister Justin Trudeau, kicked off with a panel discussion on cybersecurity and concluded with the announcement of a “Compact to Improve State Cybersecurity.” The joint declaration emerged after a year-long initiative spearheaded by Virginia Governor Terry McAuliffe—who is also the NGA’s Chairman—called Meet the Threat, which sought to create guidelines that could be applied across states to promote cybersecurity. Governor McAuliffe had previously argued that instead of waiting for the federal government to act, states should assume a larger role in promoting cybersecurity, and suggested that his colleagues think of their IT defense as “a health issue, an educational issue, a public safety issue and an economic issue, as well as a democracy issue.” This is similar to what I have written about before—states cannot wait for the federal government to provide responses and solutions before taking action, and they must start developing comprehensive strategies to strengthen their cybersecurity posture, improve their cyber resilience, and ensure that their citizens can rely on safe and secure Internet connectivity.

    Rhode Island Governor Gina Raimondo joined 37 other governors in signing the compact and reaffirmed her commitment to combat cyber and homeland security threats. “Much of the work this compact talks about is already under way here in Rhode Island,” said Mike Steinmetz, Rhode Island’s first cybersecurity officer and principal advisor for homeland security. “It is critical that we work together with our state partners and with national resources in the intelligence, public safety and information technology communities to enhance our resiliency.”

    The governors’ agreement, which drew bipartisan support, included provisions to: boost cybersecurity employment by working with colleges to increase the number of related degree programs; place veterans into cybersecurity training programs or cyber-related jobs; encourage colleges and universities to seek the designation as NSA-DHS National Centers of Academic Excellence in Information Assurance and/or Cyber Operations; organize a framework for information sharing by partnering state homeland security and information technology representatives with critical infrastructure and key resources operators; incorporate the National Guard into states’ “cyber response plans” and work with state lawmakers to determine when the Guard should be activated in the event of a cyberattack. As evidence of its strong cybersecurity posture, Rhode Island has already begun to address all of these efforts.

    Unfortunately, the commitment by these states to work collaboratively with their local and federal partners to enhance their defenses against cyber threats was overshadowed by news that the federal government was potentially downgrading the role of U.S. leadership in cyberspace and its commitment to international cyber-related issues. Shortly after the NGA meeting, Christopher Painter—the State Department’s coordinator for cyber issues and top cyber diplomat—announced that he would leave his job at the end of the month. Painter had been leading American delegations to international cybersecurity meetings for several years, negotiating joint agreements with other countries on issues ranging from protecting critical infrastructure to developing international norms of state behavior in cyberspace. In addition, Secretary of State Rex Tillerson is considering closing the State cyber office, merging it with another office, or downgrading the cyber coordinator’s rank. As Jason Healey, visiting scholar at The Hoover Institution at Stanford University pointed out, eliminating or downgrading the State Department’s dedicated cyber mission “would mean the United States would be the only major country without a lead diplomat to discuss cyber norms and trying to reduce the ever-escalating cyberattacks we see around the world.” The U.S. was the first country to create a high-level diplomat role addressing cybersecurity issues, and dozens of other countries have since followed suit. “It is not just a shame if the U.S. were to surrender that leadership, but would mean the future internet will have more Russian and Chinese characteristics,” Healey added.

    While the cybersecurity environment continues to deteriorate with cyber threats growing in scope, volume, and sophistication, and as geopolitical tensions remain high with slow progress on the diplomatic front, it remains unclear how the Trump Administration—which has yet to fill many of the vacant roles with major cybersecurity responsibilities—plans to approach all these important cyber challenges both domestically and internationally. President Trump’s Executive Order on Cybersecurity, for example, directed government agencies to further study the problem and requested those agencies to produce several related reports in the coming months, but did not clarify how the Administration will prioritize competing interests. These reports will require agencies to dedicate limited and shrinking resources to drafting those reports, which may distract from their current cybersecurity activities and operations. Painter’s departure, moreover, will likely complicate the State Department’s task of delivering an international cyber strategy to the President by late September as part of the executive order.

    While the President began his tenure at a time of considerable cyber insecurity facing both state and federal agencies, public and private organizations—and an associated growing public awareness of these issues—he has yet to demonstrate an understanding of what is at stake and a willingness to take a leadership role in addressing these challenges. – Senior Fellow for Cyber Leadership Francesca Spidalieri


    When Ransomware Becomes the Smoke Screen for Real Disruption: Picks of the Week

    “Ransomware Remixed: The Song Remains the Same” | Lawfare

    “Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons” | The New York Times

    “Global Cyber Attack Likely Cover for Malware Installation in Ukraine” | Reuters

    In the past month, malicious actors have twice used cyberweapons stolen from the National Security Agency (NSA) against countries around the world in a series of escalating cyber attacks that have targeted hospitals, banks, transportation systems, and even nuclear sites. The latest wave of attacks featured a similar hacking tool – Eternal Blue – that was used in the WannaCry attacks that crippled tens of thousands of machines worldwide in May. The outbreak was the latest and perhaps the most sophisticated in a series of attacks making use of dozens of hacking tools that were stolen from the NSA and leaked online in April by a group called the Shadow Brokers.

    As The New York Times reported, “the NSA has kept quiet, not acknowledging its role in developing the weapons [but that] the calls for the agency to address its role in the latest attacks has grown louder, as victims and technology companies cried foul.”  White House officials have also deflected questions on the issue, arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons. The growing concern is whether US intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands, and there have been numerous calls for the NSA to help halt the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.

    While the US intelligence agencies do have the largest stockpile of so-called cyberweapons that have become the weapon of choice against the Iranian nuclear program, North Korea’s missile launches, and Islamic State militants, they have also developed an interagency decision-making process to disclose known software vulnerabilities directly to vendors (like Microsoft, in the case of WannaCry). This so-called Vulnerability Equities Process (VEP), however, is not codified into law and continues to be biased in favor of intelligence and law enforcement practitioners, thus leaving products and consumers vulnerable to attacks and affecting users on a massive scale.

    Although there is evidence to suggest that North Korea was responsible for the WannaCry ransomware attacks and that the attacks this week against targets in Ukraine were the work of Russian hackers, in both cases the attackers used tools stolen from the NSA to exploit vulnerabilities in Microsoft software. Officials now fear that the potential damage from the theft of these cyberweapons could go much further, and that the NSA’s own weaponry could be used to destroy critical infrastructure in the United States or in allied nations. Indeed, attackers and cyber criminals have already retrofitted these tools to steal credentials from American companies, pilfer digital currency, disrupt services, and even destroy property.

    The latest wave of ransomware attacks is now believed to have been a smoke screen for a deeper assault aimed at destroying victims’ computers entirely or installing new malware intended for future sabotage. And while WannaCry had a kill switch that was used to contain it, the attackers that hit Ukraine this week made sure there was no such mechanism. They also ensured that their code could infect computers that had received software patches intended to protect them.

    Unfortunately, as long as software manufacturers continue to develop poorly engineered products full of flaws in their computer code, opportunities will abound to create openings for digital weapons and spy tools, and the NSA is not likely to stop hoarding software vulnerabilities any time soon. And as long as people and companies fail to properly patch their systems and adopt cybersecurity best practices, more sophisticated and damaging attacks of this kind will be likely.


    Pell Center Hosts Cybersecurity and Healthcare Exercise Ahead of Real-Life Global Cyber Attack

    Senior leaders and security professionals from over 30 healthcare organizations in New England, as well as representatives of the R.I. Department of Health, R.I. Office of the Health Insurance Commissioner, R.I. Commerce Corporation, Newport County Chamber of Commerce, and law enforcement agencies convened at the Pell Center at Salve Regina University on May 10, 2017 to participate in a cybersecurity tabletop exercise focused on specific challenges and potential responses to growing cyber threats in the healthcare industry.

    In a ripped-from-the-headlines twist that preceded the recent “WannaCry” attack, the exercise started with a ransomware attack and continued with a series of cyber intrusion scenarios, such as disruption of services, email spoofing, phishing attacks directed at patients, DDoS attacks, and data exfiltration, created to identify weaknesses common in the healthcare industry. The scenario involved real-world cascading effects, including consequences for the provision of healthcare, outcry from patients, and media fallout for the organizations that fall victim to such attacks. The exercise was designed to show how different cyber threat vectors can infiltrate even the most sophisticated computer systems and networks, and also to explore possible remedies, mitigation techniques, and incident responses. Participants worked together on a range of timely and important cyber-related issues, including: incident response and prioritization, data leakage considerations, digital forensics investigations, crisis management, legal and regulatory compliance, and cyber liability insurance. The overall objective was to provide healthcare organizations and state agencies with greater insight into the specific cybersecurity issues they face and to explore possible responses and mitigation strategies that could lead to industry-driven solutions.

    This event, co-sponsored by SecureWorks, PreparedEx, and the Newport County Chamber of Commerce, was part of the Pell Center’s Rhode Island Corporate Cybersecurity Initiative (RICCI), an ongoing effort aimed at bringing together senior leaders from various sectors in Rhode Island who can effect change and make the state more secure and resilient to cyber threats. Congressman Jim Langevin joined this group of senior leaders for a keynote address on the future of the healthcare law and on best practices to strengthen the cybersecurity posture of healthcare organizations.

    Stunningly, just two days after the Pell Center exercise, the world woke up to the news that “WannaCry,” a new, self-propagating ransomware allegedly stolen from the National Security Agency (NSA), was spreading across thousands of computers around the globe and affecting multiple different entities and industries. The malicious software infected more than 300,000 computers across nearly 150 countries and was dubbed the largest “ransomware” attack on record. Some of the world’s largest institutions and government agencies fell victim, including the Russian Interior Ministry, German transport giant Deutsche Bahn, French automaker Renault, US shipper FedEx, and the Spanish telecommunications firm Telefónica. Healthcare organizations were hit particularly hard given that their computers and network systems are often older, unpatched, and lack strong cybersecurity measures. The British National Health Service was one of the largest institutions affected, with ambulances and doctors’ offices impacted in 45 of its hospitals, cancellation of non-vital surgeries, and certain hospital operations shut down.

    Governments, companies, and security experts from around the world raced to contain the fallout from this audacious global cyberattack amid fears that if they did not succeed or paid the ransom demanded, data would be lost forever. While a British cybersecurity researcher inadvertently found a way to stop the ransomware from spreading after less than 48 hours, the attack was a wake-up call for many organizations in the healthcare sector and set off fears that the effects of the continuing threat will be felt for months, if not years. The following week, a new flaw was found in widely used networking software leaving tens of thousands of other computers and additional medical devices potentially vulnerable to a similar attack, and many of those computers are feared to be too old to be patched or fixed. And while the WannaCry ransomware attack was certainly not the only internationally scaled cybersecurity threat in recent years, this attack’s consequential impacts served as a stark reminder of the significant vulnerabilities at the intersection of technology and medicine, and especially of the threats the use of legacy equipment, lack of cybersecurity professionals in hospitals, and hyper-connectivity of medical devices and hospital networks pose to patient safety.

    With an eye towards mitigating similar cyberattacks and increasing preparedness and resilience to cyber risks, the Pell Center will continue its cybersecurity and healthcare event series this fall with additional seminars, panel discussions, and workshops. In light of the WannaCry attack and the Pell Center’s recent cybersecurity exercise, we also provided a series of tips and recommendations to participating organizations, including to ensure that all software and anti-virus programs are up-to-date; patch operating systems as soon as updates are available; create backups of all important files; align security controls with the risk and impact to the organization; prioritize responses and resources; educate all employees about malicious content and how to identify and avoid it; limit employee access to resources that aren’t necessary for daily workflow; and join forces with trusted third parties, internal staff, law enforcement, and security organizations. Experts from PreparedEx also stressed the importance of conducting more cross-functional crisis management exercises that include the senior leadership team from within organizations, and maintaining well-exercised and regularly updated crisis management and incident response plans.



    Easy Hack May Spark Next Middle Eastern Conflict: Picks of the Week

    The Hack that Caused a Crisis in the Middle East Was Easy | Motherboard

    News Agency Hack Blamed for Diplomatic Meltdown in Qatar | CSO Online

    US Suspects Russian Hackers Planted Fake News Behind Qatar Crisis | CNN

    Will Qatar’s Diplomatic Exile Spark the Next Great War? | Foreign Policy

    A cybersecurity incident at the Qatar News Agency (QNA) may have been the cause behind the sudden diplomatic break between Qatar and multiple Gulf Cooperation Council (GCC) states, including Bahrain, United Arab Emirates (UAE), Saudi Arabia, Egypt, Libya, and Yemen.

    The Qatari government reported that hackers were able to breach their state-owned news agency as well as their Twitter account, subsequently planting a fake news item attributed to Qatar’s emir, Sheikh Tamim bin Hamad Al Thani, purportedly making controversial comments in support of Iran, Hamas, Hezbollah, and Israel, and questioning the political future of U.S. President Donald Trump. The fake news piece was immediately picked up by Saudi and Emirati media and widely broadcasted, while internet access to Qatari media was blocked so that the official denial from Qatari officials could not be read. The move laid the groundwork for the subsequent crisis. Indeed, Bahrain severed diplomatic ties with Qatar shortly after the fake news was widely spread, and within minutes of their announcement, four other GCC states followed suit and announced that land, sea, and air routes had also been cut off. Yemen, Libya, Mauritius, and the Maldives later followed suit and Qatari nationals are now being expelled from some countries in the Arab alliance. The crisis has only escalated since, and could have manifold economic and political effects for the Middle East – as well as alter the course of the region’s many conflicts.

    Qatar is working with the FBI and the British National Commission for Combating Crime (NCA) to investigate the incident, but the damage has already been done and tensions with GCC members continue to mount. Russian hackers are accused, once again, of having been the perpetrators of this latest cyber intrusion and of having planted the fake news story on Qatar’s state news agency website that led to the split between Qatar and the other Arab nations. Motherboard has reported that the “crisis was sparked by a hack that anyone could have done […] given that the station affected had terrible [cyber]security in place.” U.S. officials have expressed increasing concerns about Russian cyber-hacking measures believed to have been used to interfere in the 2016 presidential election, and then used again against American allies. Similar alleged hacks and instances of dissemination of false news articles have occurred in France, Germany, and elsewhere during elections.

    To make matters worse, Qatar-based satellite news network Al Jazeera seems to be the latest victim of an ongoing cyberattack campaign. On Thursday, Al Jazeera stated on its website that its entire Qatar-based network was experiencing “systemic and continual hacking attempts” and that it had been hit by a “cyber attack on all systems, websites, and social media platforms.” The Al Jazeera hack, if related to the series of events that have cascaded in short order since the first handful of Arab countries cut off diplomatic ties with Qatar this week, could further destabilize the situation.

    Whether the alleged hackers are linked to Russian crime syndicates or government agencies, and whether the Trump Administration will be able to interject and defuse what many consider the most dangerous diplomatic crisis in the region in decades remains to be seen. What seems incredible, however, is that even with heightened awareness regarding fake news, easily-hackable social media accounts, and questionable journalism, an apparently unsophisticated cyberattack against a news agency can lead to significant diplomatic problems and potentially trigger an even larger international incident.

  • The words "cyber attack" in newspaper print

    ‘WannaCry’ Ransomware Attack was a Wake-up Call: Picks of the Week


    New WannaCry Cyber Attack Could Target Tens of Thousands of Home Computers | Newsweek

    Hacking Attack Has Security Experts Scrambling to Contain Fallout | The New York Times

    Services Interrupted as Hospitals Push Fixes to WannaCry Ransomware Exploit | Forbes

    Governments, companies, and security experts from around the world raced to contain the fallout from last week’s audacious global cyberattack amid fears that if they did not succeed, data would be lost forever unless ransom demands were met. The efforts came less than a day after malicious software (“WannaCry”) that was stolen from the National Security Agency (NSA) infected more than 300,000 computers across nearly 150 countries in one of the largest “ransomware” attacks on record. Some of the world’s largest institutions and government agencies were affected, including the Russian Interior Ministry, FedEx, German transport giant Deutsche Bahn, and the Spanish telecommunications firm Telefónica. Healthcare organizations were hit particularly hard given that their computer networks are often older, unpatched, and lack strong cybersecurity measures. The British National Health Service was one of the largest institutions affected, with ambulances and doctors’ offices impacted in 45 of its hospitals, cancellation of non-vital surgeries, and certain hospital operations shut down.

    This ransomware began with unsolicited emails, which are typically designed to trick the user into clicking a link or downloading an attachment. Once the link is clicked or the attachment opened, the ransomware leverages a known flaw in Microsoft Windows and begins to replicate itself and spread around whatever computer network that individual computer is connected to. In addition, the ransomware forces the computer to run the malicious code that encrypts all sorts of files – once those files are encrypted and locked away from the user, the attackers then ask for a ransom payment (often in Bitcoin) to release the data. While a British cybersecurity researcher inadvertently found a way to stop the ransomware from spreading after less than 48 hours, the attack has set off fears that the effects of the continuing threat will be felt for months, if not years. This week, a new flaw found in widely used networking software could leave tens of thousands of other computers and additional medical devices potentially vulnerable to a similar attack, and many of those computers are feared to be too old to be patched or fixed. And while the latest ransomware attack was certainly not the only internationally scaled cybersecurity threat in recent years, this attack’s consequential impacts served as a stark reminder of the significant vulnerabilities at the intersection of technology and medicine.

    With an eye towards mitigating similar cyber attacks and increasing preparedness and resilience to cyber risks, the Pell Center conducted a cybersecurity tabletop exercise just three days before the WannaCry attacks, focusing specifically on the challenges and potential responses to growing cyber threats in the healthcare sector. The exercise included a similar ransomware attack to the WannaCry one, in addition to a series of other cyber intrusion scenarios (i.e., disruption of services, email spoofing, phishing attack directed at patients, DDoS attack, data exfiltration) created to identify weaknesses common in the healthcare industry. The exercise was also designed to show how different cyber threat vectors can infiltrate even the most sophisticated computer systems and networks, and also to explore possible remedies and incident responses. The overall objective was to provide healthcare organizations and state agencies with greater insight into the specific cybersecurity issues they face and to explore possible responses and mitigation strategies that could lead to industry-driven solutions.

    Various stakeholders participated in this event, including over 60 healthcare providers, practitioners, and insurers,  as well as representatives of the RI Department of Health, RI Office of the Health Insurance Commissioner, and law enforcement agencies. The event targeted not just IT administrators and technicians, but also senior managers, security directors, CISOs, CIOs, communication, and HR personnel who all have important roles and responsibilities during a cyber incident. In light of the WannaCry attack and our cybersecurity exercise, we recommend that organizations ensure all software and anti-virus programs are up-to-date; patch operating systems as soon as updates are available; align security controls with the risk and impact to the organization; prioritize responses and resources; educate all employees about malicious content and how to identify and avoid it; limit employee access to resources that aren’t necessary for daily workflow; and join forces with trusted third parties, internal staff, law enforcement, and security organizations.

    This event was part of the Rhode Island Corporate Cybersecurity Initiative (RICCI), an ongoing effort aimed at bringing together senior leaders from various sectors in Rhode Island who can effect change and make the state more secure and resilient to cyber threats. In addition, Congressman Jim Langevin (RI-D) joined the group with a keynote address on the future of the healthcare law and on best practices to strengthen the cybersecurity posture of healthcare organizations.

  • Man uses phone applications for email, shopping and other daily activities

    Cybersecurity Can No Longer Be Ignored: Picks of the Week

    Why Everything Is Hackable | The Economist

    Hey: Don’t Click That Weird Google Docs Link You Just Got (and Tell Your Mom Not to Click, Either) | New York Magazine

    Getting Beyond Norms: When Violating the Agreement Becomes Customary Practice | Centre for International Governance Innovation

    There’s a good chance you — or someone you know — received an email on Wednesday inviting you to edit a document in Google Docs. Phishing attacks and online scams are nothing new, but the massive attack on Google Docs that hit the Internet on May 3rd took phishing to a new level and spread throughout the globe in a matter of minutes. Most of the emails asking to review or open those Google Docs came from known contacts (colleagues, friends, or family members) and many of them included references to local schools, but all were addressed to a strange contact that boasted a whole string of H’s in its name (hhhhhhhhhhhhhhhh@mailinator.com). If you clicked on the link, it asked for some access permissions to your Gmail account, and then spammed everyone in your contacts with a link to a Google Docs file.

    What the phishing accomplishes is unknown, but the widespread scam made its way across the Internet incredibly quickly, and the attacker potentially had access to multiple victims’ Google accounts and contacts.

    Google promptly responded, disabled offending accounts, and put out multiple social media posts to warn users not to click on those links. While Google estimates that “fewer than 0.1 percent” (or about 1 million) of Google users were impacted and that only contact data was exposed, enough people reported receiving these invites that the hashtag #PhishingScam began trending on Twitter and email inboxes clogged with nearly as many warnings about the scam as instances of the scam itself.

    If you were on the receiving end, hopefully you did not click on the malicious link and simply deleted the malicious email. Many of the school districts affected by the phishing scam asked their employees to change their passwords as a preventive measure and called students and parents warning them not to open emails, change their passwords if they had opened them, and report any of those instances to Google. For those who may have been tricked by the attack and clicked on the phishing link, Google also recommends that you visit their account page at https://myaccount.google.com/secureaccount and remove any apps you don’t recognize.

    Cyber threats and phishing attacks are only increasing in scope, volume, velocity, and sophistication. Just in the last quarter of 2016, multiple Internet service providers (ISPs), businesses, and other organizations around the globe were victims of a variety of disruptive and damaging distributed denial of service (DDoS) attacks. In October 2016, a piece of malicious software called “Mirai” was used to turn thousands of insecure Internet-connected devices into remotely controlled “bots,” which were then used to flood the Domain Name System (DNS) infrastructure and Internet provider Dyn in the US, knocking off-line many of its customers, including PayPal, Twitter, Reddit, The New York Times, Spotify, Airbnb, and others. In November 2016, the Mirai software was used again in Europe, knocking nearly 1 million Deutsche Telekom customers off-line. This time, the malicious software attempted to infect routers and thus could have affected a much broader part of the Internet’s infrastructure. The Mirai attacks have highlighted various vulnerabilities and the lack of security of the “Internet of Things” (IoT) and the “smart” devices it comprises. As Melissa Hathaway, former cybersecurity adviser to U.S. Presidents George W. Bush and Barack Obama, explains in her latest piece on the breakdown of international norms of responsible state behaviors in cyberspace: “the Mirai attacks also highlight why the Internet’s security and stability is an international issue. As countries continue to embrace the economic opportunities of becoming more connected to the Internet and adopting and embedding more IoT devices in every part of life, they must also prepare for the misuse of those same ICT-based devices.”

    The fact that cybersecurity made the front page of a magazine like The Economist (usually written about making money) is a pretty big deal economically speaking and the gloomy prediction is troubling. The article, headlined “Why everything is hackable,” noted how profitable it is for malicious actors to exploit vulnerabilities and prey on people’s ignorance or ingenuity. With ransomware and exploit kits readily available on the Dark Web, initial investment is low, and the potential revenue generation is high. The article cleverly pointed out that high tech companies “value growth above almost everything else,” and there is a mentality of “Ship it on Tuesday, fix the security problems next week – maybe.” I sadly have to agree, and fear that this mentality has further disincentivized tech companies from developing well-engineered products with fewer vulnerabilities and increased redundancies. The Economist recognizes that these and many other cybersecurity issues are a serious problem and, while it might have been excusable to overlook these issues when the Internet was new, this is no longer acceptable or feasible in today’s highly connected world. – Senior Fellow Francesca Spidalieri

  • Man uses smartphone as home automation device

    Is your phone or smart home device spying on you? Picks of the Week

    Are your sensors spying on you? | Science Daily

    Amazon Makes the High-Performance 7-Mic Voice Processing Technology from Amazon Echo Available to Third-Party Device Makers | Amazon

    Hackable IoT washing machine provides channel for breaching hospital IT | CyberScoop

    Technology is infused in our modern life. Attempts at attaining perspective often fall to historical comparisons. Images frequently circulate of warehouse-sized computers from the 1960s which can hardly compare to the computer power, size, speed, and functionality that even a low-end smartphone possesses today. Much has been written on the blistering pace this technological infusion has taken since those early images. Innovation in the technology sector barrels forward. For a short golden age, we marveled at the change, the improvements in our daily lives, and the increase in efficiency, productivity, and global reach that technology afforded us. Yet, in our haste to constantly deploy new technology, masked in a liberative utopian narrative, we may have missed a shift. A slope downward from our zenith. The host of new technology, now pervading almost every aspect of our lives, paired with our physical proximity to all those technologies and connected devices and sensors, creates a variety of privacy and security problems.

    A smartphone is a patchwork of technology. Complementing the most obvious sensors (e.g., touch screens, microphones, cameras), smartphones also have Global Positioning System (GPS) connections, accelerometers, gyroscopes and orientation sensors, Bluetooth, light sensors, and Near Field Communication (NFC), to name just a few. Culturally, we have acclimated to living with smartphones in our hands for an average of ~9 hours a day. The constant connection and instant feedback this miniaturized computer affords us creates a bargain: we must provide our phones the information they ask for and allow them to “follow” us around. When installing any smartphone application, the app will prompt the phone for permissions, asking for the ability to interface with the sensors on board. Most users do not read the permissions when installing an app, and even if they did and wanted to refuse any part of it, they would not be able to install the app. Some of the sensors built into those devices do not even require permissions to access the data on the phone. While we use our smartphones for simple tasks, a number of apps interface with a multitude of sensors at any given moment. Recently, researchers in the United Kingdom revealed the ease with which malicious websites, as well as installed apps and built-in sensors, can spy on us and be exploited by hackers, in one case using the orientation sensor (the sensor a phone uses to calculate which way it is facing) to crack the PIN of the user. Despite the variety of cyber threats these vulnerabilities expose us to, from phishing attacks to identity theft, research shows that people are unaware of the risks and most of us have little idea what the majority of the 25+ different sensors available on current smartphones do.

    Our closeness with technology has expanded outward from our pockets and personal computers. The rush has served to saturate the “real world” with Internet-enabled devices. Recent events have highlighted the potential danger of our increased reliance on technology, and media reports have highlighted a series of vulnerabilities in popular consumer-oriented, Internet-connected light bulbs, DVRs, thermostats, security cameras and GPS trackers. In October, hundreds of thousands of insecure IoT devices were used to launch a large-scale distributed denial of service (DDoS) attack on the Domain Name Service host “Dyn” that interrupted service for swaths of the Internet. The attack is believed to have launched from compromised “Internet of Things” (IoT) enabled devices, like DVRs, cameras, and baby monitors. Other IoT devices like Amazon’s Echo and Alexa have come under intense scrutiny over concerns of information collection and utilization. Records collected by Alexa are stored by Amazon and have often been subpoenaed by law enforcement, and Alexa records have even been sought as evidence in at least one murder case.

    The metaphor used ad nauseam of our current situation is Jeremy Bentham’s panopticon, a circular prison in which a guard can watch all prisoners but the prisoners are never sure if they are being watched. For Bentham, the possibility of always being watched would keep the prisoners behaved. In the modern world, we are always being watched but, unlike Bentham’s prisoners, we are not held in a prison cell. To keep ahead of these developments at best appears overwhelming, and at the worst Sisyphean. Privacy, as conceived by modern society, may be on the path to extinction, but as consumers we can hold on to modicums. Paying attention to the permission requests of apps on your smartphone, reading carefully the functionality of new devices purchased, checking what purchases require an Internet connection, only installing applications from approved app stores, and keeping our phone operating system and apps up-to-date can be effective steps to preserve those remaining fragments of privacy and certainly increase our security online. Encouraging awareness and piecemeal observations may seem a lackluster solution, but it requires a necessary self-reflection on the intent and purposiveness of our technology, and the nature of our increasingly connected society and ‘always on’ devices. – Francesca Spidalieri and Francis Quigley

  • Streams of binary code being transmitted from the phones and tablets of people walking to work over London Bridge

    More Women Needed to Close the Cybersecurity Workforce Gap: Picks of the Week

    The 2017 Global Information Security Workforce Study: Women in Cybersecurity | Center for Cyber Safety and Education, (ISC)2, and the Executive Women’s Forum
    No Woman’s Land: Cybersecurity Industry Suffers from Gender Imbalance, Discrimination | Law.com
    Women May be the Key to Unlocking Cybersecurity Workforce Deficit Puzzle | Bloomberg

    Information security demand is far outpacing the supply of knowledgeable and experienced cybersecurity professionals capable of addressing the numerous cyber threats that the modern world is faced with. The widening gap between the burgeoning demand for cybersecurity talent and the supply of a professional workforce has been a common theme throughout my studies in the past few years. As I wrote before, the shortage of a highly trained cybersecurity workforce can be felt across all sectors, from the federal government to Fortune 500 companies, with potentially negative consequences for national security and the global economy. Over 209,000 cybersecurity jobs are currently estimated to be vacant in the United States alone, with the number predicted to rise to 1.8 million globally by 2022.

    The tech and cybersecurity industries are among the most in-demand, profitable, and critical fields in modern history. But, although cybersecurity professionals are in great demand and can command impressive salaries, there is still a critical shortage of talent worldwide and, in particular, of women – who represent an astonishingly low number of current professionals in the field and who face a much harder path to reach the upper echelons of the corporate world.

    According to a new report, while women represent 43% of the global workforce, they only fill 11% of cybersecurity positions. The newly released Women in Cybersecurity workforce study, published by the Executive Women’s Forum on Information Security, Risk Management and Privacy (EWF), and the Center for Cyber Safety and Education, sheds light on the persistent challenges that women face when entering this growing field due to wage gaps, missed or delayed promotions, and discrimination. The study surveyed over 19,000 information security professionals from 170 nations.

    As Lynn Terwoerds, EWF Executive Director, said in a press release: “the under-representation and under-utilization of female talent is both a critical business issue and a hindrance to the development of world-class cybersecurity organizations and resilient companies, as well as the overall safety and protection of our country.” The new report also found that women in cybersecurity earn less money than men at every level, are four times less likely to hold executive positions, and are nine times less likely to hold managerial roles, despite having higher levels of education and certification than men (half of the women surveyed held a master’s degree or higher, compared to 45% of men).

    The shortage of cybersecurity professionals, and especially women, is often exacerbated by a lack of objectivity and consistency in competency models and measurements to ensure men and women are entering and moving up in the industry equally, and by unconscious and conscious biases present all the way through the recruiting and hiring performance evaluations. These endemic aspects are compounded by a lack of clarity in job descriptions, competing professional certifications, and multiple different training and education standards, which in turn make it harder for organizations to properly identify, recruit, place, and manage the cybersecurity workforce they need.

    Solving complex problems, such as preventing, responding to, and mitigating sophisticated cyber threats, requires diverse experiences, different talents and backgrounds, and many ways of thinking. We cannot expect to close the widening gap between supply and demand of cybersecurity professionals without including more women and minorities, so diversity has to be part of the solution.

    While no single panacea exists to attract more women to this growing field and to close the workforce gap to equilibrium, organizations in both the public and private sector can start by focusing on developing programs to further educate and retain their existing workforce. This includes: ensuring that all staff is regularly trained and tested so that they understand and fully appreciate their role in maintaining a strong cybersecurity posture; providing employees with opportunities to connect with mentors within and outside of the organization to help navigate some of the perceived or actual barriers and to further develop their skills; offering other incentives such as flexible work hours and paid maternity leaves; and addressing the wage disparity issues by establishing clear pay structures based on merit and movement through the profession. Leadership, sponsorship, and skill development programs can also help build the pipeline, since women who’ve completed these programs report feeling more valued in their organizations, according to the study. Other effective mechanisms that can help organizations identify, recruit, manage, and retain cybersecurity professionals, including women and minorities, include: taking a proactive role in promoting gender diversity in the cybersecurity field; looking at the universities that have higher percentages of women and minorities participating in cybersecurity or related programs and recruiting from these institutions; joining other recruiting alliances that promote workforce diversity; placing increased value on real-world experience (versus solely qualifications); and establishing an employee referral program to recruit talented and trusted cybersecurity professionals from employees’ personal networks (e.g. universities, professional associations).

    Addressing the critical pipeline issue of women in the cybersecurity workforce, however, has to start at the leadership level. Senior leaders need to commit to reversing this trend — from our universities to our board rooms — and working to create a workforce with a diversity of thoughts, genders, and backgrounds before the issue becomes irreversible. – Senior Fellow Francesca Spidalieri
