Countering ransomware – it’s time to patch the human

Ransomware relies on human fallibility crypto-ransomware, malware that extorts money from victims by encrypting their files and systems until they pay a ransom, has been much in the news since WannaCry hobbled IT systems around the world last month. While much was made of the fact that WannaCry spread through networks by exploiting SMBv1 vulnerabilities in unsupported Windows systems (such as Windows XP, Windows 8 and Windows Server 2003), it is unusual for ransomware to self-replicate in the way WannaCry did.

Often, ransomware, in common with most other forms of malware, is spread by drive-by downloads or phishing campaigns, both of which exploit human error. So, even if you use robust anti-virus and anti-malware solutions, conduct regular penetration tests and ensure you keep your systems up to date and install the latest patches, your system could still be compromised thanks to a careless employee.

According to a 2016 report by SentinelOne:

  • 39% of organisations in the UK were hit by ransomware in the previous year
    • 72% of those infections were attributable to phishing
    • 38% were attributable to drive-by downloads from compromised websites

People are frequently acknowledged as the weakest link in any security system. But with better levels of staff knowledge, companies are more secure as you can, in effect, ‘patch’ your employees. Therefore, a best-practice approach to information security such as an ISO 27001 compliant ISMS (Information Security Management System), follows a holistic approach that addresses people as well as processes and technology.

Amicus ITS takes security seriously.  “We say security is part of our DNA here” advises  JP Norman, Director of Technology, Security & Governance, “and I consistently refer to the importance of “the squishy bits” (ie. the people) in IT management.  You can deploy the best systems and infrastructure money can buy –  but you have to ensure your people are trained too.”

Barcode technology putting the patient at the heart of process as its most important asset

NHS

The Department of Health has announced a pilot scheme that has just reported its first results using barcode technology.  The £12m scheme which started in 2016 has been used to track patients and improve asset management through the hospital system.

Use of barcode technology (GS1) has been common practice in most major industries and transformed the retail sector as an effective way for companies to identify and track their assets and provide an accurate digital audit trail for stock, equipment and movements between sites.  The difference for healthcare is that this ensures integrated and agnostic patient-centric care provision, focusing not on short term activity targets, but long term patient outcomes.  This was a central theme in the Department of Health’s e-Procurement strategy in April 2014 and with today’s stretched NHS, connecting patient safety, identification of a person, product, place and administrator, creates truth, greater accuracy and ultimately accountability – and comes not a moment too soon.

The barcodes are being placed on wristbands of patients on entering hospital and used variously on breast implants, replacement hips, medical and surgical tools and pharmaceuticals etc. to track treatment and staff administering the treatment.

The pilot scheme which has been running initially at Salisbury, Derby, Leeds, Cornwall, North Tees and Plymouth is reported to be showing early signs of impact, with reductions in waste, effective management of health stocks and reduced staff time trying to locate medical supplies on shift, thereby freeing them up to spend more time with patients.

By using barcodes, it will also help with remediation should any faults develop in future years.  For example, a screw used in a knee operation would be traceable and details, such as when it was used and the surgeon who carried out the procedure, could be found quickly and easily.

The Health Secretary Jeremy Hunt believes this could help save the NHS over £1bn over the next seven years.    In an example of stock recall, back in 2012, breast implants made by French firm Poly Implant Prothese (PIP) were found to have double the rupture rate, affecting roughly 300,000 women globally and 47,000 in the UK.  Had this barcode system been in place at the time, tracing those patients to make the necessary remedial checks on their wellbeing would have been simpler, potentially less costly and less stressful for those involved had early intervention been possible.

UK healthcare: cyber attack focus

NHS
More than 113 million patient records were stolen from hospitals and healthcare facilities around the globe as a result of security failures and cyber-attacks in 2015.

IBM’s Cyber Security Intelligence Index naming the healthcare industry as the number one attacked industry in 2015, it is no surprise that 41% of all security breaches reported to the UK’s information Commissioner’s Office (ICO) year were from the health sector.

These attacks have not only damaged the reputation of healthcare organisations but also their bank balances. The ICO has issued 11 fines amounting to £1.4 million between April 2010 and November 2015, with one NHS trust fined £325,000 for the use of unencrypted devices.

Notable cyber-attacks and security breaches in the healthcare industry
October 2016 North Lincolnshire and Goole NHS Foundation Trust (NLAG) had its systems infected with a virus that resulted in cancelling at least 35 patient operations, and other patients had to be relocated whilst the threat was dealt with.

In 2015
56 Dean Street, an NHS HIV, clinic released email addresses of 781 patients while sending out its monthly newsletter.   730 of these addresses contained the full names of the recipients. The breach was an internal error that the ICO rewarded with a £180,000 fine.

NHS-approved online pharmacy company, Pharmacy2U, sold details of more than 20,000 of its customers to marketing companies without their knowledge or consent. This breach resulted in the ICO fining the pharmacy £130,000.

Why is the healthcare industry under attack?

Better technology and the move to paper-free healthcare allows health professionals to look up and share life-saving information wherever and whenever it is needed. This is vital in improving patient care but it has brought the industry into the sights of cyber criminals.

Personal confidential data is valuable to those with malicious intent, meaning that health and social care systems will increasingly be at risk from external threats and potential breaches as technology becomes more prevalent. This has been emphasised by Lynne Dunbrack, research vice president for the International Data Corporation (IDC): “Frankly, health care data is really valuable from a cyber-criminal standpoint. It could be 5, 10 or even 50 times more valuable than other forms of data.”

Reviewing data security for the health and care industry has found that internal breaches are often caused by people finding workarounds to burdensome processes and outdated technology – and that those people may be unaware of their responsibilities.

How to stop these attacks

Step 1: Cyber Essentials certification

Cyber Essentials is the UK-Government-backed security scheme that sets out five security controls that could prevent around 80% of basic cyber-attacks, improving cyber security and preserving the reputation of the healthcare industry.

Cyber Essentials certification also demonstrates to patients, suppliers and third parties that data security is being taken seriously.  Amicus ITS works with CREST approved, cyber security organisations to ensure that your status has been independently verified by a third-party vulnerability scan.

Step 2: ISO 27001

ISO 27001 is the international standard that describes best practice for an Information Security Management System (ISMS). It encompasses people, processes and technology, recognising that information security within the healthcare industry is not about technology alone.

Step 3: Protect your perimeter

With threats and threat actors continuously evolving there is a real need for intelligent perimeter protection as well as innovation with password and identity management. At Amicus ITS we are happy to provide advice to help ensure your data is as secure as possible.

Amicus ITS specialist information governance and security division, provides services to support NHS and public sector organisations. Our client base is substantial and includes corporations of all sizes. We believe our success in winning and retaining clients is due to Amicus ITS’ deep and ongoing understanding of N3 compliance requirements in the UK.

Accidental data leakage would be thing of the past with BS 10010

bsi-logo-2012

Consultation opens on BS 10010 which seeks to bring government-style information classification schemes to public organisations and end inadvertent data leakage.

Classified? BS 10010 says, think before you send.
A BSI standard which promises to end inadvertent data leakage is available for public consultation. The aptly binary standard, BS 10010 “Information Classification, Marking and Handling (ICMH)”, is designed to ensure that people within organisations who are sharing information will automatically mark the data with its information classification – such as sensitive, confidential, company confidential.

If sharing information with another BS 10010 compliant organisation, the sender would be assured that the recipient would follow the same procedures for handling that information.

“It’s designed to make people think carefully about how they classify information,” said Dr Andrew Rogoyski, vice president of cyber security services at CGI UK, who initiated the development of the standard with the British Standards Institute (BSI) two years ago.

“When people start realising that the stuff they are generating – whether it’s pictures or words – has some sensitivity, they will have to think, how am I protecting it and how do I ensure that only the right people get access to it?

The BSI set up a committee to create the standard and a draft for public consultation has been published on its website. The consultation will remain open until 27 December 2016.

The standard doesn’t prescribe specific solutions, hopes are that it will prompt developers to create word processing and email software that will automatically prompt users to classify documents as they produce them. Such systems already exist as add-ons to existing software but he said they lacked coherence. BS 10010 would help standardise the implementation of the systems and ensure compatibility within organisations and between third parties.

With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, BS 10010 may have come at just the right time. National information regulators such as the UK’s ICO will be empowered to levy fines of up to four percent of an organisation’s global turnover. One estimate following the recent Tesco Bank breach put the potential cost to Tesco (as the parent company of Tesco Bank) at as much as £1.9 billion if GDPR had been in effect.

It is hoped that BS 10010 will be adopted by organisations keen to tighten up their data classification systems.

BS 10010 is open for public comment on the BSI website until 27 December 2016.

JP Norman, Director of Technology, Security & Governance, “It will be interesting to see if there is a similar drive to spread it to supplier organisations, in the same way that the ISO 9001 management systems standard spread through the business ecosystem.”

Are you ready for GDPR?

Information-Commissioners-Office

As we know, the UK voted to leave the EU on 23rd June 2016.

The UK is required to serve notice under Article 50 of the Lisbon Treaty and this carries a two year notice period.

The General Data Protection Regulation is due to be implemented in less than two years – 25th May 2018.   GDPR applies not just to organisations established within the EU but to any organisation which processes the data of EU citizens. Or an organisation which offers goods and services to EU members.  It also serves to monitor online behaviour.

Even standing outside the EU, the long arm of GDPR will apply to any UK organisation handling the data of EU citizens.  The UK will need to prove ‘adequacy’ for data protection.

Countries globally are preparing now for GPDR.

For full details of the 12 steps your organisation is guided to take to prepare for GPDR, Amicus ITS invites you to read the ICOs PDF white paper “Preparing for the General Data Protection Regulation (GDPR) attached here:  ico-preparing-for-the-gdpr-12-steps

I strongly recommend all organisations to be actively researching what they need to do to comply with GDPR, as once released it automatically becomes law in all EU Member states.

Yoo-hoo! – Yahoo finally discloses massive cyber breach

2000px-yahoo_logo-svg

 

Yahoo disclosed today that they have suffered what they believed to be a ‘state-sponsored’ cyber-attack. The attack itself dates back to 2014. Some 500 million users are believed to have had their personal details stolen in what is believed to be the biggest publicly disclosed cyber breach in history.

The US internet firm which at its height was worth $125bn during the dot.com boom, made a net loss of $4.4bn in 2015 and agreed a sale to global communications and tech giant, Verizon for $4.8bn earlier this Summer (Verizon’s rationale for purchase being the access to Yahoo’s core internet business, which has more than a billion active users a month, which would make it a global mobile media company).

So how does this breach compare with other large scale breaches made public in 2016?

• 2012 LinkedIn – 180 million accounts hacked
• 2010 MySpace – 360 million accounts hacked
• 2012 Dropbox – 68 million accounts hacked

There appears to be a trend of large data breaches announced which have taken place at least two years after the event, giving the hackers a comfortable period to make maximum use of any data they wish to target. The difference with the Yahoo breach revolves around the claims of it being ‘state sponsored’. For consumers this means that the motivations of the hackers could well be focused on specifically targeted individuals, not the wholesale public (not to say that the data isn’t sold on to the cyber underworld). This breach could be focused on particular individuals’ accounts concerning people who have been supressed in free speech in their source country. News of a mass data breach in August could be related to this, but Yahoo’s announcement is a formal acknowledgement versus previous dark net gossip. How this plays out and the degree of malice behind the event, we have yet to find out.

What should users do by way of best practice?

Whether or not someone believes their account has been compromised, it is always good to change passwords regularly and ensure they are strong and unique (an unbroken combination of U/L case characters, symbols and numbers). Multi step verification processes can further stiffen defences. Wrapping this with good antivirus and anti-malware software with security policies and procedures, will protect the majority of businesses.

However, the key factor in any security stance is education; this should be at the heart of all security themes no matter the size of the business. I recommend all Security professionals look to enhance their awareness to be able to educate end users and if you are an end user push for security education if you have not received it. Your security perimeter extends beyond you as an individual to your company and also on to your customers and suppliers.

Microsoft announces launch of new UK datacentres

microsoft-uk-data-center-provision-832x333

Microsoft have announced their launch of new data centres in London, Durham and Cardiff amid mounting commercial concerns about the growing need to ring-fence the location of where data resides in Europe.

Back in June 2015, we blogged about the EU’s frustration around multiple legislative barriers inter-country which were stifling off-premise cloud technologies due to disparate data protection laws.  The EC’s Head of Software, Services & Cloud Computing, Pearse O’Donohue spoke then of this desire to create a centralised EC Digital Single Market.  Post Brexit and with no EU exit Clause 50 triggered yet, the UK can, with this news, demonstrate it remains in demand by being able to attract such heavyweight attention and become an important datacentre hub this side of the Pond.  The news is also a flip for Microsoft as it steals a march on its main rival AWS which is due to open its UK datacentres early in 2017.

Microsoft commented: “Built on Microsoft’s Trusted Cloud principles of security, privacy, compliance, transparency and availability, this creates new opportunities for innovation, with the intent to spark local economic growth for Microsoft UK’s 25,000-plus partners and support local technology advancement”.

There will no doubt be further rationalisation and stitching of new laws around UK data, however, this news will create confidence for UK organisations and businesses in meeting regulatory obligations and as well as creating greater productivity opportunities with Microsoft’s products.   Whether this will get backed up by positive, joined-up thinking and innovation with our EU counterparts when it comes to the negotiating table is one crystal ball too far at present.  However, in this increasingly digital age for consumers and business alike, it would be of benefit to everyone that sovereignty and neighbourliness could share the stage as we seek to look after our customers and citizens.

“The investment by Microsoft shows their continued commitment to the UK Economy and may encourage a post Brexit UK Data Protection Act that is essentially a nationalisation of the General Data Protection Regulation. With significant support from the Ministry of Defence and the NHS I am certain the UK datacentres will prove very popular. With our years of proven history working in regulated sectors and our long standing relationship with Microsoft Amicus ITS is ideally placed to assist existing and new customers migrating to Microsoft CloudJP Norman, Director of Technology, Security & Governance Amicus ITS.