Defending the education of the next generation

The mission continues

It seems clear that the threat of ransomware is still high and prevalent, and that criminal enterprises are having great success at delivering significant negative impact on organisations around the globe.

To this end we have seen that some of those in the Education sector are vulnerable and may not have the resources required to identify, protect, detect, respond and recover from ransomware attacks.

From my point of view this simply is not acceptable; we cannot leave people at the mercy of criminal activity.

Whilst CV19 can’t save the world we can at least try to help those in greatest need.

We have a team of dedicated cyber security professionals who already invest time for the community and industry to offer support.

We conduct a range of activities in the background to help organisations from an internet facing perspective.

Having seen the comments in the chat from CYBERUK 2021 I believe we should try and do more to help the education sector and next generation.

Today I’ve committed to conducting Active Directory Assessments for organisations in the UK public education sector space as part of CV19’s activities.

Active Directory Monitoring Azure Diagram

This will be supported with resources from our industry supporters.

The challenge here isn’t so much technical as it is human.

We have the skills, tools and capabilities to deliver help where it’s needed.

The challenge is getting people to accept the help.

We have already had two educational organisations request support.

We’ll update with progress as we go.

We can’t save the world but we can at least try and help those who are in need!

Daniel Card (CV19 Head of Technical Operations)

Threat Intel Week 27, 2020

F5 Traffic Management User Interface (TMUI) Remote Code Execution (CVE-2020-5902) & XSS (CVE-2020-5903)

https://support.f5.com/csp/article/K52145254

https://support.f5.com/csp/article/K43638305

A critical vulnerability exists (CVE-2020-5902) that can lead to remote code execution from an unauthenticated network perspective. The vulnerability exists in the management interface; by good practice these interfaces would be on a private, restricted network, however we know this is not always the case, as we can see from Shodan:

https://www.shodan.io/search?query=http.favicon.hash%3A-335242539

This vulnerability has an active POC exploit in the wild covering path traversal to file read through to remote code execution. Examples of both the Metasploit module and public intel on HTTP requests are here:

https://github.com/rapid7/metasploit-framework/pull/13807

https://github.com/jas502n/CVE-2020-5902/

We strongly recommend management interfaces are not exposed to the internet, consider:

  • Removing the interface from the internet
  • Using IP Whitelisting to restrict traffic flows
  • Using a VPN and/or jump box solution to perform sensitive remote administration tasks
  • Restricting access using a dedicated management traffic interface/route
  • Patching the vulnerable devices

Palo Alto Networks PA-OS Authentication Bypass (CVE-2020-2021)

https://security.paloaltonetworks.com/CVE-2020-2021

When Security Assertion Mark-up Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

This vulnerability requires specific conditions to exist (which are not good practice from a Palo Alto deployment best-practice point of view), so whilst this is still critical, it is wise to conduct a configuration review and take appropriate action.

Phishing

Phishing is a constant threat scenario. During the COVID pandemic we have seen lures adapted to take advantage of a range of situations, as always leveraging FUD and high-pressure scenarios such as PPE, coronavirus testing equipment etc.

From an internet facing perspective we see the following generalisations:

  • Poor coverage of SPF, DMARC and DKIM deployment
  • Misconfiguration of mail protection records

Whilst we advocate security awareness with staff members, during a time of increased pressure it is just as important (potentially more so) to leverage technical controls as well as soft controls to help reduce the likelihood of a phishing incident achieving impact.
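The two generalisations above (missing records and misconfigured ones) can be checked mechanically. The Python below is an added example, not CV19 tooling; it assesses SPF and DMARC TXT records for the common weaknesses (no record, +all/~all, too many lookups, p=none, low pct, no rua) using constructed record strings rather than live DNS lookups, so it runs offline. DKIM is left out because its records live under per-selector names that the page does not discuss.

```python
"""Offline assessment of SPF and DMARC records for common misconfigurations.
Added example, not CV19 code; the record strings below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "low"
    message: str


def assess_spf(txt):
    """Check one SPF TXT record (or None if the domain publishes none)."""
    findings = []
    if txt is None:
        return [Finding("SPF", "high", "no SPF record published; any host may send as this domain")]
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "record does not start with v=spf1; receivers ignore it")]
    # The 'all' mechanism decides what happens to senders not listed in the record.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "medium", "no 'all' mechanism; unlisted senders get a neutral result"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("SPF", "high", "+all authorises every host on the internet to send as this domain"))
        elif qualifier == "?":
            findings.append(Finding("SPF", "medium", "?all is neutral; unlisted senders neither pass nor fail"))
        elif qualifier == "~":
            findings.append(Finding("SPF", "low", "~all (softfail) relies on DMARC to reject; prefer -all once all senders are listed"))
    # include/a/mx/ptr/exists/redirect each cost a DNS lookup; RFC 7208 allows at most 10.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", t, re.I)
                  or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} DNS lookups exceed the RFC 7208 limit of 10; record evaluates to permerror"))
    if any(t.lower().startswith(("ptr", "+ptr")) for t in terms):
        findings.append(Finding("SPF", "low", "ptr mechanism is deprecated and slow"))
    return findings


def assess_dmarc(txt):
    """Check one DMARC TXT record (or None if _dmarc.<domain> publishes none)."""
    findings = []
    if txt is None:
        return [Finding("DMARC", "high", "no DMARC record; SPF/DKIM failures are not acted on and not reported")]
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return [Finding("DMARC", "high", "record does not start with v=DMARC1; receivers ignore it")]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(Finding("DMARC", "high", "missing or invalid p= tag; record is unusable"))
    elif policy == "none":
        findings.append(Finding("DMARC", "medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "low", "p=quarantine; move to p=reject once reports show legitimate mail aligns"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct} applies the policy to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "low", "no rua= address; aggregate reports are not collected, so misconfigurations go unseen"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(Finding("DMARC", "medium", "sp=none leaves subdomains unprotected while the organisational domain is enforced"))
    return findings


def assess_domain(spf_txt, dmarc_txt):
    """Combine both assessments for one domain's published records."""
    return assess_spf(spf_txt) + assess_dmarc(dmarc_txt)


# Constructed records for illustration; these are not real domains' records.
SAMPLE_RECORDS = {
    "weak.example": ("v=spf1 include:_spf.example.net +all", "v=DMARC1; p=none; pct=50"),
    "good.example": ("v=spf1 mx include:_spf.example.net -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; sp=reject"),
    "none.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(domain)
        for f in assess_domain(spf, dmarc):
            print(f"  [{f.severity:6}] {f.record}: {f.message}")
```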

Useful Resources

Phishing and Web Content Filtering

Our friends in the CTI League and Cyber Threat Coalition both publish independent block lists which can be leveraged by mail hygiene and perimeter security solutions (such as firewall and IPS/IDS systems):

https://github.com/COVID-19-CTI-LEAGUE/PUBLIC_RELEASE

https://blocklist.cyberthreatcoalition.org/vetted/

NCSC Weekly Threat Report

This report includes links to the phishing reporting service recently stood up by NCSC:

https://www.ncsc.gov.uk/information/report-suspicious-emails

https://www.ncsc.gov.uk/report/weekly-threat-report-3rd-july-2020

Are contact-tracing apps the solution to Covid-19?

As lockdown continues and uncertainty grows around how and when we can return to normal, governments and companies believe they have found the solution in technology. Contact tracing apps are being hailed as the best solution both to tracking people diagnosed with Covid-19 and alerting others who may have been infected so they can self quarantine, allowing healthy people to move around freely and return to work. 

Governments around the globe have been rolling out these apps to varying degrees of success and compliance. From China to Iceland, citizens are being asked to download an app to their smartphone and input personal details and information about their health. The UK government recently released its app, built in collaboration with the NHS, and France is also launching a testing phase of its app, StopCovid, in the coming weeks. 

The idea behind these apps is to make contact tracing easier and faster. Mapping the spread of the infection currently involves manually tracking the number of people who could have come into contact with an infected person, so will an app make that easier?

How the apps work

In theory, yes. Downloading and registering with these apps will allow users to be informed if they have been close to someone diagnosed with Covid-19 or to inform others that they are infected with the disease.  

The app is able to do this because it is monitoring the users’ location and the location of other app users nearby.  European governments are mostly using apps with Bluetooth technology as a way to track and inform people about their risk of contracting Covid-19. On a smartphone, Bluetooth works by exchanging an anonymous signal with other smartphone users – like a kind of virtual handshake. This exchange will either be recorded anonymously on the app, or stored in a central database, during which time, if a user tests positive for Covid-19 they can update the app with their health information, and an alert is sent out to those who have been in near contact with them. But it is not as simple as it sounds. 

It’s all about reliability

For the app to work effectively a large number of users must sign up to use it. A small number of users means that it will be difficult to carry out the extensive contact tracing that is needed to contain the disease. This means governments are going to have to convince citizens that these apps are worth downloading and using. 

The fact that everyone needs to have a smartphone in order to use the app is another barrier. Not everyone can afford a smartphone or is able to use one. This risks isolating the elderly, the homeless, people living in poverty, and asylum seekers and refugees: groups that are at high risk of catching Covid-19 due to their age or inability to self-isolate.

Experts are also concerned about the reliability of the app as a way of gathering data. The app will not be able to tell users whether the person who was infected was wearing a mask, or whether they were standing behind a window or door. This is likely to lead to people being told to self quarantine when they do not need to. Too many false alerts and they could abandon using the app. People who have Covid-19 may leave the house without their phone or leave it in their vehicle meaning that people who have come into contact with them would not be alerted to the risk of infection. 

What about privacy?

And there is also the issue of privacy. Experts are increasingly concerned about the amount of data these apps collect, where this data is stored, and who has access to it. Data, even anonymous data, relating to people’s health can be a valuable asset for businesses and governments alike. What information is collected and who can see this information will vary depending on government policy and practice as well as how the app is designed and built. 

Apps can either use a centralised database or a decentralised one. A centralised database, like the one the NHS app will use, means that data is stored on a central server and that the information can be accessed by others, both officially, by government, and unofficially, by criminals.  While a centralised database allows governments and companies access to a greater data pool, which would allow them to better understand the spread of Covid-19, this database, like all databases, is vulnerable to abuse. 

Apple and Google recently announced a partnership that would allow for a decentralised server. This would mean that anonymised contact tracing would be carried out by individual phones and not from a central server. This approach is currently being adopted by a number of governments around the world. The lack of a central server means that the authorities will not have access to user data which means that while there is less opportunity to investigate Covid-19, user information is more secure. 

Whichever method is being used to collect data, privacy experts are keen to stress that checks and balances are necessary to ensure that apps are not being used to surveil and track users long after Covid-19 is past. And none of these apps are the magic solution – we need testing, social distancing, and ultimately, a vaccine before we start to turn the tide on Covid-19.

This guest blog was kindly written by Ela Stapley

Our Vulnerability Disclosure Process

Vulnerability Disclosure

Friends, Romans, Awesome Volunteers, lend me your ears!

We constantly get approached by you beautiful people with regard to putting you directly in touch with the contacts we have at the Health Trusts and Providers.

Whilst we do not wish to offend or dampen your volunteering efforts, we must point out that unfortunately this is not something we are able to do.

This is for several reasons, but the primary one is due to GDPR and responsibility for sharing private information.

What we can do however is share the activity or information you wish to bring to the trusts via our Threat Briefings or indeed if it warrants it, with a direct outreach to specific Trusts/Providers.

We do have direct reporting capabilities for high/critical vulnerabilities, this is handled through the intel services relevant to a specific country.

We are always willing to give volunteers who assist with a shout out or indeed attribution moving forward.

Also, we are not stopping you contacting Trusts/Providers directly, but again ask that if you do, you do it in your own capacity and make it clear to the recipients that you are not acting on our behalf or with our blessing.

Please, please, please do not take this in any other way other than the team adhering to the agreements we currently have in place.

Thank you for your continued help and support during this time.

Our Phishing Awareness Campaign

Cyber Awareness

Over the last week or so, the team at Cygenta and I have been busy pulling together the first campaign for the CV19 volunteers group, which is focused on phishing awareness. This campaign will go to frontline and back office staff in healthcare organisations in the UK, Germany, France, Spain, Italy, Portugal, Russia, Poland, Greece, Sweden, Slovakia, Finland, Norway and the Netherlands. It will also be made available for use in CV19 sister groups in Australia, Brazil, the USA and Dubai.

You can see all of the resources and download them here.

Cyber criminals are seeking to exploit the COVID-19 pandemic, with many social engineering attacks using the crisis as a theme in one way or another. The UK’s National Cyber Security Centre (NCSC) has detected more UK government branded scams relating to COVID-19 than any other subject, as they outline in this joint advisory (PDF) with the US Department of Homeland Security. According to Google, criminals are sending 18 million COVID-19 phishing emails a day to Gmail users, with some speculating that the pandemic is the biggest phishing topic we have ever seen.

With this in mind, my team and I knew that phishing should be the focus of the first awareness campaign that we would deliver as part of our volunteer work with the CV19 group. The healthcare workers that we know have been recipients of phishing messages both at work and on their personal devices and now, more than ever, we want to help the healthcare sector be as secure as possible. 

Posters for the CV19 phishing awareness campaign

Many phishing attacks take advantage of people’s anxieties, concerns, desire to help and the special offers and support that corporations are extending to healthcare workers. Attackers do this because when a target’s judgement is clouded by emotion, they are more likely to click a link, download an attachment or transfer money without considering the fact that the communication might not be genuine. Therefore, this campaign raises awareness of these scams and the way they target our emotional responses. The aim of this campaign is to encourage people to be vigilant about communications and to take a minute to check they are right.

Video for the CV19 phishing awareness campaign

We have intentionally avoided heavy use of fear-based messaging, because such messaging can often be counter-productive. We want to engage and empower people, not add more fear into a climate where there is already enough anxiety. 

For this awareness campaign, we have created three posters, three flyers and a video. These are targeted at frontline and back office healthcare workers in the UK and Europe and are freely available for all to download and use.

You can see all of the resources and download them here.

Ransomware and Remote Desktop Services

A major threat to healthcare organisations

Insecure, misconfigured and under-protected remote desktop services are a major vulnerability. This attack vector is simple to find, easy to access and operate, very simple to exploit and can be the initial entry to a chain of devastating actions by a threat actor to take down your systems.

This screenshot is of a single, exposed live system that our team of volunteers has obtained (amongst a range of others) from live vulnerable systems on the internet:

You can see here that not only are we able to enumerate valid usernames, but we are also able to enumerate and identify the operating system (in this case it’s an out-of-support Windows Server 2008 R2 Standard Edition Server).

It’s important to also recognise that it’s not just RDP (Remote Desktop Protocol) services: there are a ton of systems which have remote code execution or authentication bypass vulnerabilities which will enable threat actors (cybercriminals) to potentially own your systems and data! Examples include vulnerabilities in systems such as Pulse VPN, Citrix NetScaler and RDP.

Common Ransomware Phases

Phase 1 – Recon

Threat actors identify exposed RDP services. They check whether NLA (Network Level Authentication) is disabled; if so, this gives them username enumeration and increases the likelihood of success. It should be noted that threat actors also buy and sell access credentials on marketplaces, so in some cases they skip straight to initial access.

Phase 2 – Exploitation

Threat actors obtain breached credential data and leverage this amongst other techniques (such as brute force) to attack the exposed services. These methods include:

  • Valid credentials
  • Credential stuffing
  • RDP exploits (such as Bluekeep)
  • Brute force

Phase 3 – Initial Access

Once a valid connection is made, the threat actor now has an initial foothold. From here they will attempt to do the following:

  • Harvest local access and data sources to elevate privileges (often they will run mimikatz)
    • Check web browser password caches
    • Check for clear text credentials stored in files
    • Check saved credentials in RDP sessions (Windows Credential Manager)
  • Enumerate the network using legitimate network scanning tools
  • Prepare ransomware payloads
    • Some ransomware requires communication with a command and control (C2) server; however, some ransomware such as REvil can be executed with a custom binary which does not require server communication.

Phase 4 – Lateral Movement

The threat actors will attempt to move to other nodes on your network to increase their position. In some cases, they will also establish persistence and several backdoors in case one access method is discovered and removed. You will often see them dump legitimate tools to scan networks to attempt to evade detection.

Phase 5 – Actions on Target

Once all resources have been exhausted, the threat actor will execute (run) the payloads to encrypt your data.

Phase 6 – Victim Contact and Payment

Once the servers and data have been encrypted, the ransomware operator will either wait for contact or will establish contact. This will usually be conducted using throwaway (burner) email accounts, etc. Most ransomware leaves a ransom note with details as to how to establish contact and how to arrange payment to the attacker.

Identify, Protect, Detect, Respond and Recover

There are a range of actions that can be taken not only to reduce the risk of an incident occurring but also to help mitigate the impact. The range of options is wide, so we’ve gone into the common ones:

  1. Ensure you have an ‘offline’ backup
    1. This may be in the form of a network-based backup that is NOT domain joined and is significantly isolated. Ideally, you want a copy of these backups shipped offsite as well.
  2. Ensure you have an incident response plan
    1. Ensure that it is tested (alongside restoration tests from backup services)
  3. Ensure you have NLA enabled. This will in some cases stop exploits (e.g. Bluekeep) or will significantly increase the complexity of the attack required.
  4. Use IP whitelists and/or “just in time” access
  5. Use VPNs and Secure Gateway services
  6. Ensure you have account lockout policies configured
  7. Implement proactive security monitoring
  8. Implement Multi-Factor Authentication (MFA)
  9. Use hardened configurations, jump boxes, limit standard user accounts
  10. Ensure systems are patched and maintained in line with vendor support
  11. Ensure logging configurations are set appropriately
  12. Deploy sysmon, if suitable
  13. Deploy EDR (Endpoint Detection and Response), if safe to do so
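The recon and exploitation phases above leave a trail in the Windows Security log, which is what items 7 and 11 (monitoring and logging) exist to catch. The Python below is an added example, not CV19 tooling: it runs simple brute-force, credential-stuffing and username-guessing detections over constructed 4624/4625 events held as dicts (a real deployment would feed it from EVTX or a SIEM), and raises a high-severity alert when a source that has been failing suddenly succeeds.

```python
"""Detect RDP brute force / credential stuffing in Windows Security events.
Added example, not CV19 code; the events below are constructed, simplified
records (one dict per event), not parsed EVTX."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known Windows Security log values used below.
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_NETWORK = 3              # with NLA enabled, failed RDP logons are logged as type 3
LOGON_TYPE_REMOTE_INTERACTIVE = 10  # interactive RDP session (pre-NLA failures and successes)
STATUS_NO_SUCH_USER = "0xC0000064"  # 4625 SubStatus: user name does not exist
STATUS_BAD_PASSWORD = "0xC000006A"  # 4625 SubStatus: wrong password


def detect_rdp_attacks(events, window=timedelta(minutes=10), fail_threshold=5, spray_threshold=5):
    """Return (severity, source_ip, message) alerts for RDP logon activity.

    Credentials bought on a marketplace (Phase 1 note above) produce a clean
    first-time success with no failures, which this function cannot see;
    that case needs allow-listing of expected source addresses instead."""
    rdp_types = {LOGON_TYPE_NETWORK, LOGON_TYPE_REMOTE_INTERACTIVE}
    events = sorted((e for e in events if e["logon_type"] in rdp_types), key=lambda e: e["time"])
    failures = defaultdict(list)  # source ip -> [(time, user, substatus)] within the window
    alerts, alerted = [], set()
    for e in events:
        ip = e["ip"]
        if e["event_id"] == EVENT_LOGON_FAILED:
            failures[ip].append((e["time"], e["user"], e.get("status")))
            recent = [f for f in failures[ip] if e["time"] - f[0] <= window]
            failures[ip] = recent
            users = {f[1] for f in recent}
            unknown = sum(1 for f in recent if f[2] == STATUS_NO_SUCH_USER)
            if len(recent) >= fail_threshold and len(users) == 1 and (ip, "brute") not in alerted:
                alerts.append(("medium", ip, f"{len(recent)} failed RDP logons for '{e['user']}' within {window}"))
                alerted.add((ip, "brute"))
            if len(users) >= spray_threshold and (ip, "spray") not in alerted:
                alerts.append(("medium", ip, f"failed RDP logons for {len(users)} distinct accounts (credential stuffing/spraying)"))
                alerted.add((ip, "spray"))
            if unknown >= spray_threshold and (ip, "enum") not in alerted:
                alerts.append(("low", ip, f"{unknown} logons for non-existent users (username guessing)"))
                alerted.add((ip, "enum"))
        elif e["event_id"] == EVENT_LOGON_SUCCESS:
            recent = [f for f in failures[ip] if e["time"] - f[0] <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("high", ip, f"successful RDP logon as '{e['user']}' after {len(recent)} recent failures: probable initial access"))
    return alerts


def _ev(minute, event_id, user, ip, logon_type=LOGON_TYPE_NETWORK, status=None):
    """Build one constructed event at 09:<minute> on a fixed day."""
    return {"time": datetime(2020, 7, 1, 9, minute), "event_id": event_id,
            "user": user, "ip": ip, "logon_type": logon_type, "status": status}


# Constructed sample: a staff typo, a username spray from one host, and a brute
# force against 'administrator' that ends in a successful interactive logon.
SAMPLE_EVENTS = (
    [_ev(0, EVENT_LOGON_FAILED, "j.smith", "192.168.10.20", status=STATUS_BAD_PASSWORD),
     _ev(1, EVENT_LOGON_SUCCESS, "j.smith", "192.168.10.20", LOGON_TYPE_REMOTE_INTERACTIVE)]
    + [_ev(2 + i, EVENT_LOGON_FAILED, u, "203.0.113.7", status=STATUS_NO_SUCH_USER)
       for i, u in enumerate(["admin", "test", "scanner", "backup", "guest", "sqladmin"])]
    + [_ev(3 + i, EVENT_LOGON_FAILED, "administrator", "198.51.100.9", status=STATUS_BAD_PASSWORD)
       for i in range(5)]
    + [_ev(9, EVENT_LOGON_SUCCESS, "administrator", "198.51.100.9", LOGON_TYPE_REMOTE_INTERACTIVE)]
)

if __name__ == "__main__":
    for severity, ip, message in detect_rdp_attacks(SAMPLE_EVENTS):
        print(f"[{severity}] {ip}: {message}")
```

The single failed-then-successful logon from 192.168.10.20 stays below every threshold, which is the point: thresholds and the time window are what keep a control like this from paging on ordinary typos.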

Alongside our guidance, please review the NCSC guidance on ransomware defence and response:

https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

In short, practise good systems management. You can harden your attack surface with some very simple changes, and you can make it insanely stronger with a bit more effort!

Summary

The risks that exposed RDP services present are huge. It’s estimated that ~80-85% of ransomware incidents use this vector as an initial foothold. One of our founders (Daniel Card) has personal experience responding to ransomware and in the last ~6 months, 100% of his responses have been due to exposed RDP.

There are clearly requirements to enable remote administration, but what we are seeing is many servers being exposed with high risk configurations in the healthcare sector. It’s imperative during this time that healthcare providers and IT service providers ensure their internet-facing assets are not exposed to unnecessary risks. We hope this article is useful, but if you need further guidance or support, please get in touch.  We have a large group of volunteers who are experienced cyber security professionals and skilled in detection, protection and response services.

If you need support please visit this URL: http://cyberv19.org.uk/service-request/ and one of our team will be in contact to help!

Stay safe, stay secure!

References

https://www.bleepingcomputer.com/news/security/chubb-cyber-insurer-allegedly-hit-by-maze-ransomware-attack/

https://www.coveware.com/blog/2019/1/21/covewares-2018-q4-ransomware-marketplace-report

DNS with Pi-Hole + DNSCrypt

This is a follow on post from Using a Pi-hole to fight phishing.

I already had Pi-Hole running. It’s a fantastic tool for several reasons, namely:

  • Allows you to block adverts and malware at a DNS level. This is much more effective than using ad-blockers. All devices on the network can be protected using this measure (as opposed to say just a browser on a single desktop PC).
  • Allows you to block additional sites which you want.
  • Gives you visibility to what is happening on your own network.
  • Allows you to leverage more secure DNS technologies such as DNS-over-HTTPS (DoH) for all devices.

My instance was running along with the cloudflared proxy to allow my external DNS requests to take place using DoH. However, I did have an issue where my connection seemed to drop or hang randomly. This started driving me up the wall somewhat. After further investigation I found the root cause to be the DNS requests to Cloudflare.

So I did some digging around and came across a recommendation to use dnscrypt-proxy instead of cloudflared. After looking at it, I found this a better solution since not only does it support DoH and DNS over TLS (which cloudflared does as well), it also supports DNSCrypt, so it is more versatile than cloudflared. Additionally, while I admire what Cloudflare does and provides, I would like to move away from a single vendor for these types of things, and have something which makes it easy to switch my external DNS resolver.

dnscrypt-proxy

Steps to install dnscrypt-proxy are pretty straightforward:

  1. Change the current directory to /opt: cd /opt
  2. Download the latest version: sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.39/dnscrypt-proxy-linux_arm64-2.0.39.tar.gz
  3. Unarchive the downloaded archive: sudo tar -xvzf ./dnscrypt-proxy-linux_arm64-2.0.39.tar.gz
  4. Remove the downloaded archive: sudo rm dnscrypt-proxy-linux_arm64-2.0.39.tar.gz
  5. Rename the unpacked directory (the arm64 archive unpacks to linux-arm64): sudo mv ./linux-arm64 ./dnscrypt-proxy
  6. Change directory to dnscrypt-proxy: cd dnscrypt-proxy
  7. Create configuration from an example: sudo cp ./example-dnscrypt-proxy.toml ./dnscrypt-proxy.toml
  8. Edit the configuration:
    server_names = ['cloudflare'] # you can change this; a list of names is at https://dnscrypt.info/public-servers
    listen_addresses = ['127.0.0.1:54']
  9. Install the dnscrypt-proxy: sudo ./dnscrypt-proxy -service install
  10. Start dnscrypt-proxy: sudo ./dnscrypt-proxy -service start

Pi-hole

Steps to install Pi-hole are pretty straightforward as well:

  1. In your home directory, clone the Pi-hole repository: git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
  2. Change directory to the install directory: cd "Pi-hole/automated install/"
  3. Run the installation script: sudo bash basic-install.sh
  4. Accept the defaults. You will have to set a name server, just choose any from the list (this will be changed later).
  5. Log into the Pi-hole Admin Web UI.
  6. Navigate to the Settings tab.
  7. Click on the DNS tab.
  8. Uncheck any Upstream DNS Servers which are selected, check Custom 1 (IPv4) and set the value to 127.0.0.1#54 (the dnscrypt-proxy listener configured above).
  9. Save the changes.
  10. Test your setup: dig @<pi-hole_ip> www.google.com (where <pi-hole_ip> is the IP address of your Pi-hole server).
  11. If you want to setup TLS for your admin web UI, edit the file /etc/lighttpd/external.conf:
$HTTP["host"] == "<enter-appropriate-hostname>" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "<certificate-and-private-key>"
    ssl.ca-file =  "<ca-cert>"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
  12. Restart lighttpd: sudo systemctl restart lighttpd

This a slightly modified copy of a post which is available at: https://blog.sean-wright.com/dns-with-pi-hole-dnscrypt/

Note: The Cyber Volunteer 19 team recommend this setup for HOME use only. Hospitals and healthcare providers should use business class solutions for DNS services and protective DNS.

Using a Pi-hole to fight phishing

Introduction

Due to recent events related to COVID-19, some Health Centres in Europe have fallen victim to ransomware attacks. The first channel to spread ransomware is often phishing, so here are some suggestions to block web surfing to phishing sites if users have clicked on any emailed phishing links.

In my personal journey of learning about this technology, I installed some time ago Pi-hole Ad Blocking on my Raspberry Pi to avoid annoying commercials when surfing the net from home. Pi-hole can have more powerful applications as well, such as adding other types of blacklists to the Pi-hole – and a phishing site blacklist could be one of them.

The chain

The chain to follow to transform your Pi-hole into a DNS that blocks phishing links is pretty easy:

  1. Download and install Pi-hole; there are many guides on the Internet, depending on where you want to install it, here’s one for Raspberry.
  2. Add the phishing list to the adlists.list of your Pi-hole installation.
  3. Update your Gravity list.
  4. Report and vote for phishing sites.
  5. Check that Pi-hole blocks the right DNS queries.

As stated, the first step is pretty simple but off topic here (ping the author if you have trouble with the installation), so let’s move directly to the second point.

Add phishing list

I recently found a very good project that updates a phishing blacklist every 6 hours. This list could be implemented in your own Pi-hole installation to block phishing sites. It is called Phishing Army and it updates its lists directly from 3 sources:

Add Phishing Army blacklist to your Pi-hole

To add the Phishing Army blacklist to your Pi-hole, simply append the list URL to the file /etc/pihole/adlists.list in your Pi-hole installation. Connect to the Pi-hole via ssh and type this command:

# vim /etc/pihole/adlists.list

Paste the link at the bottom of your list file, write and quit.

Update your Gravity list

Now you have to update the Gravity black list by typing the command

# pihole -g

Report and vote for phishing sites

The first thing to do is to report and vote for phishing sites and the easiest way is to follow the instruction written on the amazing blog of the CyberV19 volunteers about using the voting system on Phishtank. When a Phishtank-submitted link reaches a good number of votes, it is marked as phishing. At this stage, it will then be put on the blacklist update of Phishing Army and automatically updated in the feed to your Pi-hole.

Checks

Now you can check if your Pi-hole is blocking malicious DNS requests. Search for a full or partial link in the Query Lists Search of the Pi-hole:

Try to surf to one of the links in the results and see the DNS query blocked by the Pi-hole:
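The same check can be run over the query log rather than the web UI, which also answers the question the Pi-hole dashboard does not ask directly: which client tried to reach a blocked domain, and how often. The Python below is an added example, not part of the original post or of Pi-hole; it parses constructed lines in the dnsmasq format Pi-hole writes to /var/log/pihole.log (the "gravity blocked ... is" form of v5 and the "/etc/pihole/gravity.list ... is" form of v4 are both assumed from those releases) and the domains are in the reserved .invalid TLD.

```python
"""Summarise blocked queries from a Pi-hole query log per client.
Added example, not the post's or Pi-hole's code; the log lines are
constructed in the dnsmasq format Pi-hole writes to /var/log/pihole.log."""
import re
from collections import defaultdict

# A client query: "dnsmasq[812]: query[A] host.example from 192.168.1.42"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")
# A blocked answer, Pi-hole v5 ("gravity blocked host is 0.0.0.0") or v4 ("/etc/pihole/gravity.list host is ...")
BLOCKED_RE = re.compile(
    r"dnsmasq\[\d+\]: (?:(?:gravity|exactly|regex) blocked|/etc/pihole/(?:gravity|black)\.list) (\S+) is ")


def summarise_blocked(lines):
    """Return {domain: {client: hits}} for queries Pi-hole answered from a blocklist.

    dnsmasq logs the blocked answer right after the query line, so the most
    recent query for that domain tells us which client asked."""
    last_client = {}
    blocked = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            _qtype, domain, client = m.groups()
            last_client[domain.lower()] = client
            continue
        m = BLOCKED_RE.search(line)
        if m:
            domain = m.group(1).lower()
            blocked[domain][last_client.get(domain, "unknown")] += 1
    return {domain: dict(clients) for domain, clients in blocked.items()}


def clients_hitting_blocked(lines, min_hits=1):
    """Flatten to (client, domain, hits) rows, most hits first, for follow-up."""
    rows = [(client, domain, hits)
            for domain, clients in summarise_blocked(lines).items()
            for client, hits in clients.items() if hits >= min_hits]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


# Constructed sample log: one allowed lookup, one client hitting a blocked
# domain twice (A and AAAA), and a v4-style gravity.list block from another client.
SAMPLE_LOG = """\
Jul  3 09:15:01 dnsmasq[812]: query[A] www.example.org from 192.168.1.42
Jul  3 09:15:01 dnsmasq[812]: forwarded www.example.org to 127.0.0.1#54
Jul  3 09:15:01 dnsmasq[812]: reply www.example.org is 203.0.113.10
Jul  3 09:15:20 dnsmasq[812]: query[A] nhs-covid-support.invalid from 192.168.1.42
Jul  3 09:15:20 dnsmasq[812]: gravity blocked nhs-covid-support.invalid is 0.0.0.0
Jul  3 09:16:05 dnsmasq[812]: query[AAAA] nhs-covid-support.invalid from 192.168.1.42
Jul  3 09:16:05 dnsmasq[812]: gravity blocked nhs-covid-support.invalid is ::
Jul  3 09:30:44 dnsmasq[812]: query[A] tracker.ads.invalid from 192.168.1.17
Jul  3 09:30:44 dnsmasq[812]: /etc/pihole/gravity.list tracker.ads.invalid is 0.0.0.0
""".splitlines()

if __name__ == "__main__":
    for client, domain, hits in clients_hitting_blocked(SAMPLE_LOG):
        print(f"{client:16} {hits:3}  {domain}")
```

On a real Pi-hole, feed it the live file (for example `open("/var/log/pihole.log")`) and a client that repeatedly hits a phishing domain is the machine whose user clicked the link.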

Well done!

Conclusions

This is a home setup scenario. For a small company, or to test enterprise solutions, we would suggest installing Pi-hole in a Docker container and configuring the Domain Controller to point to the Pi-hole as your primary DNS.

To reiterate, we recommend this setup for HOME use only. Hospitals and healthcare providers should use business class solutions for DNS services and protective DNS.

Thanks

Thanks to Luca Testoni for writing this blog and contributing to CV19! This is a slightly modified version of the post on https://blackcloud.me/fight-phishing/

Helping the fight against phishing!

PhishTank is a collaborative clearing house for data and information about phishing on the Internet. We can use Phishtank to help take down and disrupt phishing operations.

We are also working on some custom tooling; however, in the meantime let’s make sure everyone knows how easy it is to help fight phishing!

Getting Started

To report and vote for sites on Phishtank, you first need to register on the Phishtank site at https://www.phishtank.com/:

Click on Register or use the following URL:

https://www.phishtank.com/register.php

Enter your details:

Click I’m not a robot and complete the captcha:

Click Verify and then Create My Account:

You will now be sent an email with a validation link:

You are now good to go! Next, we need to sign in:

Reviewing and Voting

We are now ready to report and vote for phishing sites!

Click on the submission ID you want to review.

Review the site – this one is impersonating the World Health Organization (WHO):

Click it’s a PHISH (or another option, depending upon the result of your review):

We have now voted this as a phishing site! Simples! If the site gets validated enough it will be added to block lists.

Phishtank can be used to report both URLs and phishing emails. The process is fairly simple. If you want to check a URL, you can do this from the main page. If it is not in the database, follow the onscreen instructions and submit the phish. You can then share the URL with the group and we can help review and upvote sites once they’re submitted.

Every little bit we do to disrupt these networks helps, so get registered and make sure you remember to report and upvote!

Embedding safety culture and behaviour

In times of uncertainty we can see that demand for information security and risk management is increasing daily. How is our volatile, uncertain, complex and ambiguous (VUCA) world impacting healthcare services and companies that need to adapt to it?

The rush to use cloud services sometimes means organizations are not thinking fully about the risks. Thinking that “it’s in the cloud, therefore it’s safe” is wrong, though vendors may claim it is.

Therefore, it’s important to ensure that information risk is managed properly, and one way to do that is to embed safety culture when working with suppliers.

There is a risk to business activities if information becomes disclosed to those not authorized to see it, or if information or systems fail to be available or are corrupted.

It is therefore important that we take the appropriate security precautions to ensure that the third-party suppliers we work with have the right measures in place to protect the confidentiality of and ensure the integrity and availability of information.

Based on this Ponemon Study, more than 56% of organizations claimed that they have had data breaches in the past two years that can be linked to third parties. On top of that, 6% were unsure if they had suffered a data breach at all.

What we can do to ensure that we have effective, preventive controls in place:

  1. Assess supplier networks
    1. Consider including your expectations for security controls and periodic auditing within vendor contracts to ensure that your selected suppliers meet the same level of scrutiny as your internal enterprise. 
  2. Know your risks
    1. Identify your most valuable assets, such as intellectual property, proprietary information, and customer and employee personal data.
  3. Include third parties in your remediation plan
    1. Don’t assume that suppliers will handle everything for you.

Once we understand what assets we need to protect, it is easier to assess the risks. We must also remember to form partnerships with providers to ensure that value from services will be maximized and at the same time, both parties will be accountable for protecting critical data.

But how should we mitigate the risks, as the question is not if but when a breach will happen?

  1. Contract
    1. Security and risk mitigation requirements must be included in an organization’s contractual agreements with third-party vendors and service providers.
  2. Incident Response
    1. Does the service provider have an enhanced and up-to-date incident response plan? Does the third party test the resiliency of the plan and go through simulated tabletop exercises?
  3. Assessment
    1. Accept standardized questionnaire content based on known best-practice security frameworks (e.g. ISO 27001, NIST).
  4. Penetration tests
    1. Look for vulnerabilities, such as unapplied patches and potential attack vectors, that could put your data at risk.
  5. Strong Access Controls
    1. Where possible, ensure vendors are using your systems and relevant controls to access your environment.
  6. Minimize risky providers
    1. Continuously monitor the cyber posture of the supplier and receive live alerts on any significant changes.

There’s too much at stake right now, so one of the things we can do is to raise awareness, build community and ensure that continuity of services will be maintained.

This post was authored by: Radoslaw Gnat