Report on Healthcare – Increase in Threats

IoT and Healthcare

A whitepaper released by the SANS Analyst Program (sponsored by Norse) predicts an increase in risks to healthcare systems and data given “more open exchanges of health care information between patients, insurers, doctors and pharmacists.” The report, subtitled “Widespread Compromises Detected, Compliance Nightmare on Horizon,” describes results from another SANS report, “Biggest Culprits: Internet of Things and Security Devices,” which concluded that because the healthcare and pharmaceutical sectors will employ more devices, the threats are greater.

Specifically, the SANS analysis showed that the healthcare system’s critical information systems are poorly protected and often compromised. These issues affected radiology imaging software, video conferencing systems, digital video systems, call contact software, and security systems and devices, including VPNs, firewalls and routers. The report’s author warns: “As compared to traditional IT systems, incidents involving Things, such as a hacked MRI machine, can carry physical consequences, as well as policy and financial impacts.”

Notable Devices/Applications:

  • Connected medical endpoints (examples: online health monitoring to radiology devices to video-oriented services);
  • Internet-facing personal health data (example: web-based call center for medical supply entity);
  • Security systems and edge devices (example: enterprise network controllers).

The report details the findings of a study that reviewed the largest sources of malicious traffic.

To get a copy of the report, go to: http://norse-corp.com


Target Breach Update: Warnings Ignored


UPDATE:

Target’s CEO is being replaced, after a 35-year career with the company. News like that should get the attention of corporate boards looking at their overall risk profile and how meaningful a data breach is to the bottom line. Last week, Target announced a new Chief Information Officer and additional security enhancements, including the move with MasterCard to incorporate chip-and-PIN technology in its own branded credit card.

http://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/

http://investors.target.com/phoenix.zhtml?c=65828&p=irol-newsArticle&ID=1925811&highlight=

http://investors.target.com/phoenix.zhtml?c=65828&p=irol-newsArticle&ID=1923423&highlight=

UPDATE: Bloomberg BusinessWeek is reporting:

“In the days prior to Thanksgiving 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.”  http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#r=hpt-tout

“For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”

See post below with description of the Target breach and the aftermath.

Now, it is being reported in the press that employees were aware that an analyst at the retailer wanted to do a more thorough security review of its payment systems’ vulnerability to malware, but the request was brushed off. The request was in response to governmental/industry warnings in 2013 about the emergence of new types of malicious computer code targeting payment terminals.

http://www.usatoday.com/story/money/business/2014/02/14/target-warned-breach/5494911/

Trade group emerges:

On February 13, 2014, a new trade group headed by former governor Tim Pawlenty was announced. The group is bringing together the retail and financial services sectors. The group’s goals include “improving card security technology and promoting the exchange of information in order to help companies ward off cyber attacks.” The partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable. The American Bankers Association, the Consumer Bankers Association, Independent Community Bankers of America, The Clearing House and a number of merchant groups including the National Retail Federation are also participating.

http://www.americanbanker.com/issues/179_31/retail-banking-trade-groups-form-cybersecurity-partnership-1065605-1.html