Channel: Symantec Connect - Blog entries

What you need to know about the WannaCry Ransomware


WannaCry Ransomware Alert

What happened?

On May 12, 2017, a malicious program that exploits a Microsoft system vulnerability and demands a ransom in bitcoin, the ransomware "Ransom.CryptXXX (WannaCry)", began spreading widely, affecting a large number of enterprise users, particularly in Europe.

 

What kind of ransomware is WannaCry?

WannaCry encrypts data files and demands that users pay a US$300 ransom in bitcoin. The ransom note states explicitly that the payment amount will double after three days. If payment is refused, the encrypted files will be deleted after seven days.




WannaCry Ransomware Alert

What happened?

On May 12, 2017, a new type of ransomware demanding a bitcoin ransom, "Ransom.CryptXXX (WannaCry)", began spreading widely, affecting a large number of enterprise users, particularly in Europe.

 

What kind of ransomware is WannaCry?

WannaCry encrypts data files and demands that users pay a $300 ransom in bitcoin. The ransom note states explicitly that the payment amount will double after three days. If payment is not made within seven days, the encrypted files will be deleted.





What you need to know about the WannaCry ransomware

A ransomware program called WannaCry is spreading rapidly across networks worldwide, and victims are having their files held hostage.


Demystifying the NIST Cybersecurity Framework for Healthcare


The Presidential Policy Directive/PPD 21 of February 12, 2013 on Critical Infrastructure Security and Resilience identified 16 sectors as critical infrastructure, including Healthcare and Public Health. Yet, healthcare has been the only one that has not adopted a formal cybersecurity framework. With recent developments in Congress and the Department of Health and Human Services, that could change. Adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) in healthcare is becoming more of a potential reality.

The first question many healthcare organizations will likely ask is why the NIST CSF? For us at Symantec the answer is pretty straightforward: It is an excellent cybersecurity framework for organizations in any sector. We thought so much of it that we adopted it for our own company while it was still in draft form.

The NIST CSF is a voluntary framework for organizations to use that includes a common, flexible and adaptable structure that can be used by a wide variety of organizations. The creation of the CSF was a collaborative process between government and the private sector (full disclosure: Symantec played a key role throughout the development of the framework).

What is it though that makes the CSF so valuable? More than anything, it provides a way for organizations to regularly evaluate their current cybersecurity risk posture and offers guidance on how to remedy those issues to a level that the system owner can accept.

The framework focuses on five core functions: Identify, Protect, Detect, Respond and Recover. All of these are crucial parts of a cybersecurity ecosystem, but they all follow the same basic premises: Cyber professionals can only protect what they know they have. Offering a way for organizations to improve visibility into their networks and identify potential blind spots, the CSF serves as a basis to build out a robust cybersecurity system to detect and mitigate the most critical threats on an ongoing basis.

The CSF can become the de facto gold standard for healthcare organizations that want to show cybersecurity due diligence and are looking for a security framework to comply with industry requirements, like HIPAA. The federal government, for example, has already mapped FISMA Metric Reporting to the CSF, and federal regulatory bodies are incorporating it into assessments. There is a reason we are seeing more and more healthcare organizations embracing this framework. It was created to provide a widely adopted and standardized approach to continually improve and assess an organization’s security posture. Over time it has provided sectors with a straightforward way to determine risk and improve their overall cybersecurity policies, procedures and operations.

So where do healthcare organizations start with the NIST CSF? What do you monitor? And how do you define and prioritize a path forward? Symantec has built out this blog and webinar series to discuss the benefits of adopting the NIST CSF, identifying gaps in your security program based on the framework, and taking a practical approach to addressing the core functions to achieve automated risk management. 

Future blogs and webinars will dig deeper into its different functions, but to kick off the series we wanted to take a little of the mystery out of it. Our recent webinar looked further into the CSF with an eye towards the healthcare market, providing an overarching view of what the framework includes. To listen to the first webinar in the series, “Demystifying the NIST Cybersecurity Framework for Healthcare”, click here.

And we hope you can join us for the June 1st webinar, Using the NIST Cybersecurity Framework to Identify Protected Health Information, as we look at the Identify function, knowing that you can’t protect what you don’t know you have, and why it must be the first step in protecting your sensitive data and patient information.

WannaCry Ransomware: 6 Implications for the Insurance Industry


The WannaCry ransomware is one of the most significant and widespread cyber security attacks ever experienced. In addition to causing substantial disruption to businesses globally, it also illustrates the emerging risks that the insurance industry faces when it comes to cyber attacks.

This article provides background about the attack, which continues to unfold, and calls out implications for the insurance industry as cyber risk permeates more aspects of the global economy.

Background

On May 12, 2017 a new variant of the Ransom.CryptXXX family of ransomware began impacting a large number of organizations, particularly in Europe.

WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted. It propagates to other computers by exploiting a known SMB remote code execution vulnerability in Microsoft Windows computers (MS17-010). The exploit, known as “Eternal Blue”, was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed that it had stolen the data from the Equation cyber espionage group.
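As an added, defender-side illustration of the exposure described above (this is example code written for this page, not code from the Symantec article), the PowerShell below reports whether a Windows host still has the conditions the worm propagated through: the SMBv1 server protocol enabled, TCP/445 listening, and no security updates installed since Microsoft released the MS17-010 fix on March 14th 2017. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (the SmbShare and NetTCPIP modules). The KB number for MS17-010 differs by OS build and is deliberately not hard-coded, so the hotfix check is a heuristic for "has this machine been patched since the fix existed", not proof that the specific update is present.

```powershell
# Added example, not from the Symantec post: report whether this host still
# has the exposure WannaCry propagated through (SMBv1 reachable, MS17-010
# fix absent). Assumes an elevated PowerShell session on Windows 8.1 /
# Server 2012 R2 or later (needs the SmbShare and NetTCPIP modules).

function Get-WannaCryExposureReport {
    $report = [ordered]@{}

    # 1. SMBv1 server protocol still enabled? (EternalBlue targets SMBv1.)
    $smb = Get-SmbServerConfiguration
    $report['SMB1Enabled'] = [bool]$smb.EnableSMB1Protocol

    # 2. Is the SMB service listening on TCP/445 at all?
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $report['Port445Listening'] = [bool]$listener

    # 3. Security updates installed since the MS17-010 release date (14 March 2017).
    #    Heuristic only: the KB number for MS17-010 varies by OS build, so this
    #    does not prove the specific fix is present, only that patching has
    #    happened since the fix became available.
    $cutoff = Get-Date '2017-03-14'
    $recent = @(Get-HotFix | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -ge $cutoff -and $_.Description -match 'Security'
    })
    $report['SecurityUpdatesSince2017-03-14'] = $recent.Count
    $report['LatestSecurityUpdate'] = ($recent | Sort-Object InstalledOn -Descending |
        Select-Object -First 1).HotFixID

    # 4. Verdict: exposed if SMBv1 is on and reachable with no patching since the fix.
    $report['LikelyExposed'] = $report.SMB1Enabled -and $report.Port445Listening -and ($recent.Count -eq 0)

    [pscustomobject]$report
}

$result = Get-WannaCryExposureReport
$result | Format-List

if ($result.SMB1Enabled) {
    Write-Warning 'SMBv1 is enabled. Unless a legacy dependency requires it, disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if ($result.LikelyExposed) {
    Write-Warning 'No security updates recorded since 2017-03-14: verify that the MS17-010 update for this OS build is installed.'
}
```

Run it on a representative sample of endpoints (or wrap it in Invoke-Command for a fleet) and treat any host with SMB1Enabled set to True as a remediation item regardless of patch state; disabling SMBv1 removes the attack surface even where the patch status cannot be confirmed.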

There are reports of infections in over 100 countries, including high profile targets and many others that remain unreported in the public domain. At least 16 National Health Service (NHS) organizations in the UK have been hit with some outpatient services being canceled; Deutsche Bahn has confirmed some passenger information displays and ticket machines were inoperative; and Spanish telecom company Telefónica confirmed the ransomware has impacted parts of its IT system.

More information about the security implications of WannaCry is available from Symantec in the article “What you need to know about the WannaCry Ransomware”. But in addition to impacting the security industry, the event has substantial implications for insurers.

What does this mean for insurers?

1. Insurance Aggregation Events are No Longer Geographically Constrained: Unlike natural catastrophes, where insurers have a geographically contained footprint, companies impacted by cyber attack cross geographic boundaries and are difficult to track. Big data analytics from major technology companies with a large install base can provide modeling for how such a risk is likely to spread. For example, in 2016 Symantec tracked 357MM new malware variants leveraging a detection network of 225MM devices in 157 countries. Ransomware is a particularly pernicious form of malware with 464K detections (up 36% in 2016). Data-driven methods will be needed to model historical events and understand what learnings they provide about the impact of cyber aggregation scenarios, like WannaCry.

2. Need to Stress Test Insurer Losses Against Cyber Aggregation Scenarios: Cyber risk is embedded into all aspects of the global economy and therefore into policies that spread far beyond standalone affirmative cyber data loss insurance. Vendors, such as Symantec, are partnering with insurers to develop and model these scenarios based on the highest frequency and severity potential aggregation events.

The spread of self-propagating mega malware taking advantage of a vulnerability in a systemically important operating system (much like this month’s WannaCry attack) is a core scenario (scenario 19) in the probabilistic cyber aggregation model that Symantec Cyber Insurance is releasing this summer. Similarly, the service interruption to a major cloud service provider and an attack on a DNS provider were both scenarios envisaged by modeling firms such as Symantec, and both were realized in the past 12 months with the AWS S3 outage and the Mirai DDoS attack. (For more information see “3 Reasons Why the Insurance Industry Will Never Be the Same After the Mirai DDoS Attack”.)

Scenario-based approaches can never cover all eventualities but recent evidence suggests the events that most concern cyber experts are indeed the events that have transpired.

3. ‘Underwriting Due Diligence’ is a Critical First Line of Defense Against this Novel Risk: Although cyber risk is new, it is a risk that can be partially understood with specialist cyber insurance underwriters who know what questions to ask. Best-in-class enterprise security with multiple layers of protection is often needed for tackling advanced persistent threats seeking to infiltrate sensitive data in a targeted attack. In the case of WannaCry, an untargeted attack, families who simply have our Norton product have protection against WannaCry. Having underwriters who understand the importance of minimum security standards, like leading endpoint protection, and having those standards in place is an important first step.

4. Security Analytics can Supplement Insurance Data Sets to Inform Underwriting Practices: The current WannaCry malware exploits a vulnerability in Microsoft Windows that has been publicly known since March 14th 2017, when an update was made available by Microsoft. These vulnerabilities are exposed all of the time. For example, in the May 2017 Microsoft update alone, released since the WannaCry announcement, 17 vulnerabilities were rated critical. Underwriters can ask their prospective insureds about patching cadence; however, the answer, if they get one at all, is not as simple as "we patch every X days". Insurers can supplement this data with reference tables from Symantec Cyber Insurance with benchmarks for aggregated peer comparables and refine underwriting strategy based on granular security data.

5. Discover Vulnerabilities with Automated Underwriting Intelligence: In some cases, insurers do not even need to ask questions about whether a particular technology is in place as outside-in tools from companies like Symantec can observe externally observable signals associated with IP addresses and websites owned by a company. For example, Symantec’s website security scans in 2016 found that 24% of websites had no known vulnerabilities, 67% had non-critical vulnerabilities and 9% had critical vulnerabilities. This data can rapidly prioritize which insureds a carrier will underwrite.

6. Insurers as Trusted Advisors During Major Cyber Events: With the rapid growth of cyber insurance, insurers have become a trusted source of guidance in terms of what to do when such attacks happen. Since news broke about the WannaCry ransomware, insurers have been a key source of guidance for corporate clients about what is happening and what to do about it. When insureds are hit by ransomware, insurers can be a key source of guidance both in advance of a breach and afterwards: insurers have inevitably dealt with ransomware before, sometimes hundreds of times, and can guide the appropriate response and bring together the appropriate legal, communications and security teams.

Symantec is working with insurance partners, including our partnership with Marsh & McLennan Companies reinsurance brokerage division Guy Carpenter, to model cyber risk with analytic software built specifically for cyber insurers. Symantec’s 23 scenario insurance cyber catastrophe model will be released in late summer 2017, however, in response to the urgent need for insurers to understand this risk, we are helping our insurance clients understand the risk of our vulnerable operating system malware scenario in advance of that release. 

Summary

WannaCry is one of the most significant malware events seen to-date but it will not be the last to pose a systemic risk to the global economy.

Understanding emerging cyber risk may seem challenging but as interconnected technologies permeate all aspects of the global economy, the problem is too important for insurers not to understand. Addressing cyber risk will require collaborations between the cyber security industry, insurers and our mutual clients.

Together, the cyber security and insurance industries can make our economy more resilient to the most important risk of the 21st century. 

WannaCry Ransomware: Top 10 Ways Symantec Incident Response Can Help

How IR can detect, remediate and protect against future ransomware attacks


On May 12th, a new ransomware worm dubbed WannaCry (detected as Ransom.Wannacry) started spreading quickly. It has now been reported in more than 150 countries around the globe, affecting hundreds of thousands of machines and more than 10,000 companies. WannaCry spreads by taking advantage of a Windows vulnerability, which was patched by Microsoft in March.

Ransomware like WannaCry forces its victims – individuals and organizations – to pay ransom through specifically noted payment methods in order to grant access to their machine, or to get their data back.

The growth of types of ransomware attacks is accelerating, as seen with WannaCry. It’s important to understand your options should you fall victim. Symantec Incident Response can help organizations with validating attacks and with making decisions on what to do next.

In this blog, you'll learn 10 ways Symantec Incident Response Services can help organizations that are infected with ransomware such as WannaCry right now, depending on their situation. Incident Response is part of our Cyber Security Services, which also include Managed Security Services for monitoring and DeepSight Intelligence, and it uses Symantec Security Analytics (formerly the BlueCoat Security Analytics Platform).

1. We can help identify the primary infector and contain further spread

More info: Our research and past engagements have discovered that ransomware is rarely the primary infector. Either a spam email with a malicious hyperlink or file attachment, drive-by downloads or watering-hole attacks, malicious downloaders or droppers, or other malware (e.g. Trojan.Zbot) is responsible for an initial infection that then leads to a follow-on ransomware attack.

Using Symantec Security Analytics, formerly BlueCoat Security Analytics network forensic platform, we can analyze malicious traffic to identify additional active attacks that may be going undetected within your environment. This holistic approach to the incident ensures that we identify the primary attack vector, which is critical to understanding the attacker’s primary campaign target, and ensures that you aren’t missing the actual attack by focusing solely on the ransomware activity.

Our Incident Response Services can then take appropriate steps to engage the adversary, contain the attacks, and work to recommend ways to prevent the primary infector in the future.

2. We can provide incident-specific recommendations to prevent success of future similar attacks

Use case exhibiting points 1 & 2: Symantec Incident Response was contacted to assist in a ransomware infection. The malware was encrypting PDF and executable files on network shares and exhibiting network worm-like behavior. The customer was experiencing the outbreak in two global centers, causing significant disruption to their environment.

Using Symantec’s Endpoint Protection and Symantec Security Analytics, formerly BlueCoat Security Analytics products, the Incident Response Services team confirmed a new malware variant was being utilized. The malicious code was identified on a number of endpoints and numerous file shares within the organization. Symantec Incident Response was able to contain and eradicate the threat.


By performing an in-depth analysis of all data available, Symantec Incident Response was able to identify the cause of the repeated infections and assist the customer with implementing controls to prevent any further outbreaks, as well as assisting them to enhance their endpoint protection environment overall. Within 72 hours the environment was under control, which included Symantec’s identification and removal of multiple additional threats, including undetected banking Trojans.

The Incident Response team coordinated with Symantec Managed Security Services and DeepSight Intelligence teams throughout the engagement to provide quicker remediation. Malware Reverse Engineers wrote a decryption tool that was able to decrypt infected PDF files infected with this particular malware.

3. We can identify Patient Zero

More info: Patient Zero is the root cause of a ransomware attack. By identifying this person or system, you’re able to determine the level of administrative privileges the attacker may have gained access to and better determine the trajectory of the attack after the initial compromise. Determining Patient Zero requires a broad view of the environment to reconstruct the spread of the attack. Symantec Incident Response teams have network and endpoint forensics products at their disposal, powered by the Symantec Global Intelligence Network, to quickly and accurately understand the attack’s chain of events.

4. We can determine whether the victim organization is the primary target or merely collateral damage to gauge risk of reinfection

Use case: During an incident investigation, Symantec’s investigators have access to Symantec’s Global Intelligence Network, including threat and adversary intelligence from DeepSight Managed Adversary and Threat Intelligence, and telemetry on hundreds of millions of endpoints and millions of attack sensors. With this information, Symantec Incident Response Services can determine how widespread the attack is, who the attackers are, the attackers’ level of sophistication, whether or not other variants of the attack exist, and any Indicators of Compromise (IOCs) related to them. This intelligence combined with findings from using Symantec Security Analytics, formerly BlueCoat Security Analytics platform, allows Symantec Incident Response Services investigators to develop more robust containment plans and make better remediation recommendations to prevent further attacks of the same type.

Additionally, we regularly see customers taking the approach of wiping an endpoint affected by ransomware and putting it back into circulation without a second thought. In one scenario, the attackers used wiper tools to cover their tracks after conducting a targeted, multi-stage attack across the customer environment. Had that customer not engaged us to investigate the ransomware issue, the attackers would most likely still be in their network.

This validates Symantec’s stance on advising victims not to pay the attackers for the following reasons:

  • Paying the ransom puts you on the future target list of attackers who want to maximize their hit rates. As a former payer, you are more likely to be targeted a second time.
  • Paying attackers only perpetuates the problem and keeps the incentive for these attacks going.

5. We can determine if ransomware is actually encrypting data or deleting and overwriting data

Use case: In the use case above, we were able to determine that the data had, in fact, not been encrypted. The attackers had planted ransomware notices to give the customer the impression that the data was encrypted in an attempt to masquerade their true intentions.

This also validates Symantec’s stance on advising victims not to pay the attackers, for a further reason:

There is no guarantee the files are actually encrypted. In our ransomware investigations we have seen cases where the data is not actually encrypted. Engaging Symantec Incident Response Services in a ransomware incident can lead to a more informed decision by the customer on what steps to take next.

6. We can help victims create a data recovery plan by analyzing the malware to determine how data was encrypted.

Use case: Ransomware denies access to a user’s data by encrypting it and deleting the original copy. The methods in which ransomware accomplishes these tasks varies widely in terms of sophistication. In the worst case, the malware implements the cryptographic algorithm correctly, exercises proper key management, and securely deletes the original copy of the user’s data. In many cases, however, the malware writer makes mistakes in implementation that can be exploited by incident responders to recover data more easily. A skilled malware analyst can reverse engineer the ransomware to identify any weaknesses in implementation and help the user recover their data.

7. We can work with the customer’s data recovery provider to help determine their best plan of action based on the specific threat.

Use case: In many cases, customers hire a data recovery service to assist in the ransomware recovery process. The recovery process is unique to each individual situation and can depend heavily on the sophistication of the malware used. After analyzing the malware to understand how it encrypts and erases data, Symantec Incident Response Services can work with the data recovery provider to develop an efficient and effective data recovery plan.

8. Incident Response Services is truly a team sport. In the role of Breach Coach, we help customers in decisions regarding both internal and external communications, reporting requirements, interaction with Law Enforcement, etc.

More info: Many customers overlook the non-technical aspects of a ransomware attack, which can have an equal or greater impact on a business than the technical aspects of an attack. Symantec Incident Response Services investigators have, on average, a decade of experience handling a wide variety of cyber attacks and can assist our customers in understanding the non-technical aspects of an attack and help them make smart decisions.

9. Through our relationship with DeepSight’s Managed Adversary and Threat Intelligence (MATI) team, we are able to provide additional intelligence about the attackers, providing customers with more context around the incident

More info: Assigning accurate attribution and determining motives will aid greatly in preventing future attacks. For example, if an incident response team is able to determine that the adversary in a specific attack is a nation-state, you’re able to take a look at the other tactics commonly seen from that particular nation and raise your defenses in those areas in an attempt to thwart future incidents.

10. We can help customers understand how to protect themselves from future attacks.

Use case: In one scenario, a customer had been infected with Cryptolocker, and upon further investigation it was determined that the initial compromise resulted from a phishing attack. Understanding that there was a weakness in the human layer of security helped the company prioritize better end-user training and put in place a more thorough skills development program, strengthening their weak points. It's clear from new attacks like WannaCry that adversaries are getting creative when it comes to creating new types of ransomware. They’re seeing its effectiveness and taking full advantage. With help from Symantec Incident Response, ransomware doesn’t always have to equal disaster.

Want to know more? Read our full brief (below) on how IR can help with ransomware outbreaks.


WEBINAR: Don't Cry Over WannaCry Ransomware

Watch On-Demand Any Time


Wannacry is big but how big is it really? It’s important to understand how this piece of ransomware is operating, what you can do to stop it and what to do if you’ve been compromised.

Join us to learn what Symantec customers and non-customers can do against this threat and future threats like it.



A Day in The LIFE of Securing Our DATA


In my past 20 years as an IT information security practitioner, I’ve found there are really five key, irrefutable security domains that serve as the critical frameworks for protecting our data, connected systems and networks.

Our talk at this year’s New York security conference, which will include a customer’s viewpoint, will expand on these frameworks:

GOVERNANCE FRAMEWORK
Governance, Risk and Compliance (GRC) is the starting point and foundation, as it provides direction in addressing what’s important to a company, state, county or educational institution as it relates to regulatory compliance (SOX, FERPA, PCI, HIPAA, etc.) and demonstrating compliance for data. Common vendor tools around GRC show a dashboard of what you’re measuring against and your progress against business goals, using the Cyber Security Framework as your guide.

AUTHENTICATION FRAMEWORK
After you have your governance framework in place, organizations need technologies to enforce these policies, so it’s important to focus on your access control points. This includes authentication as it relates to two-factor authentication, certificate management, a cloud access security broker and an SSO strategy. Common vendor solutions include MPKI, 2FA and SSO gateway appliances.

INFORMATION PROTECTION FRAMEWORK
Now that you have access control points locked down, you’ll want to prevent the exfiltration of data from the network to ensure the confidentiality of data and to protect against negligent employees leaking data. Common vendor solutions include data classification, data loss prevention, encryption (whole disk, removable storage and email), and data backup and high availability solutions.

INFRASTRUCTURE MANAGEMENT
This framework is all about fixing software vulnerabilities and ensuring the right software is deployed to the endpoints. Common vendor solutions include systems management for patch and software delivery, including ticket management and mobile device management.

INFRASTRUCTURE & CLOUD PROTECTION FRAMEWORK
This framework is the layered protection from the edge to the endpoint and includes spam, phishing and malware solutions to increase the work effort of a malicious person and/or process. Common vendor solutions include endpoint AV and e-mail server protection, a cloud security broker and hardening solutions for sensitive systems.

A Day in The LIFE of Securing Our DATA

$
0
0
Publish to Facebook: 
No

In my past 20 years of being an IT Information security practitioner, I’ve found there are really five key irrefutable security domains that are critical principle frameworks to protect our data, connected systems and networks.

Our talk at this year’s New York security conference to include a customer’s viewpoint around business process and budget to expand on the following:

GOVERANCE FRAMEWORK                                                                                                                                                                                   Governance, Risk and Compliance is the starting point and foundation as it provides direction in addressing what’s important to a Company, State, County or Educational institution as it relates to regulatory compliance (SOX, FEPRA,PCI, HIPAA, etc.) and demonstrating compliance for data. Common vendor tools around GRC would show a dashboard of what you’re measuring against and progress against business goals along with the use of the Cyber Security Framework as your guide.

AUTHENTICATION FRAMEWORK                                                                                                                                                                             After you have your government framework in place, organizations would to have technologies to ensure these policies, it’s important to focus on your access control points.  This would include authentication as it relates to two-factor authentication, certificate management, cloud assess security broker and a SSO strategy.  Commons vendor solutions include MPKI, 2FA, SSO gateway appliances.  

INFORMATION PROTECTION FRAMEWORK                                                                                                                                                       Now that you have access control points locked down, you’ll want to prevent the exfiltration of data from the network to ensure confidentially of data and to protect against negligent employees leading data. Common vendor solutions include Data Classification, Data Loss Prevention, Encryption (whole disk, removable storage and email) and data back up and high availability solutions.

INFRASTRUCTURE MANAGEMENT                                                                                                                                                                         This framework is all about fixing software vulnerabilities and ensuring the right software is deployed to the endpoints. Common vendor solutions include systems management for patch and software delivery to include ticket management & mobile device management

INFRASTRUCTURE & CLOUD PROTECTION FRAMEWORK                                                                                                                                 This framework is the layered protection from the edge to the endpoint and include Spam, Phishing and Malware solutions to increase the work effort of a malicious person and/or process.  Common vendor solutions include endpoint AV & e-mail server protection, Cloud Security Broker and hardening solutions for sensitive systems. 

A Day in The LIFE of Securing Our DATA

$
0
0
Publish to Facebook: 
No

In my 20 years as an IT information security practitioner, I have found that there are five key security domains that form the principal frameworks for protecting our data, connected systems and networks.

Our talk at this year's New York security conference will include a customer's viewpoint on business process and budget, and will expand on the following:

GOVERNANCE FRAMEWORK
Governance, Risk and Compliance (GRC) is the starting point and foundation, as it provides direction on what is important to a company, state, county or educational institution with respect to regulatory compliance (SOX, FERPA, PCI, HIPAA, etc.) and on demonstrating compliance for data. Common vendor GRC tools show a dashboard of what you are measuring against and your progress toward business goals, using the Cybersecurity Framework as your guide.

AUTHENTICATION FRAMEWORK
Once the governance framework is in place and you have technologies to enforce its policies, it is important to focus on your access control points. This includes authentication: two-factor authentication, certificate management, a cloud access security broker and an SSO strategy. Common vendor solutions include managed PKI (MPKI), 2FA and SSO gateway appliances.

INFORMATION PROTECTION FRAMEWORK
Now that your access control points are locked down, you will want to prevent the exfiltration of data from the network, both to ensure the confidentiality of data and to protect against negligent employees leaking it. Common vendor solutions include data classification, Data Loss Prevention, encryption (whole disk, removable storage and email), and data backup and high-availability solutions.

INFRASTRUCTURE MANAGEMENT FRAMEWORK
This framework is all about fixing software vulnerabilities and ensuring the right software is deployed to the endpoints. Common vendor solutions include systems management for patch and software delivery, including ticket management and mobile device management.

INFRASTRUCTURE & CLOUD PROTECTION FRAMEWORK
This framework is the layered protection from the edge to the endpoint, and includes spam, phishing and malware solutions that raise the work effort of a malicious person or process. Common vendor solutions include endpoint AV, e-mail server protection, a cloud access security broker and hardening solutions for sensitive systems.

What is the WannaCry ransomware?

In May 2017 the WannaCry ransomware struck worldwide. We look at how WannaCry spread and at what can be done to protect your network from similar attacks.

Data Center Security Server Advanced Stops WannaCry


WannaCry Situation Update

On May 12, 2017, there were multiple public reports of an ongoing large-scale cyberattack involving a variant of the ransomware named WannaCry (aka WCry). These attacks are targeting and have affected users from various countries across the globe.

Am I protected from the WannaCry ransomware?

Symantec Data Center Security: Server Advanced (DCS:SA) IPS provides protection against the WannaCry ransomware. All three levels of the DCS:SA Windows 6.0 policies (Basic, Hardening and Whitelisting) prevent the attack from dropping the malicious executables onto the system.

For more information about WannaCry, go to Symantec's WannaCry Outbreak page.

What protections does Symantec provide for our endpoint customers?

There are two basic ways in which customers can be protected against this threat:

1. Customers who have installed the Windows security update MS17-010 are not vulnerable to the SMBv1 exploit this threat uses to spread.

2. DCS:SA provides a range of protection against this threat on computers that do not have the patch installed:

  • IPS policies prevent the malware from being dropped or executed on the system.
  • The ability to block inbound SMB traffic.
  • If full IPS is not in use, the ability to apply a targeted IPS policy that blocks execution of the WannaCry malware.

Additional Protection Details

For customer systems that are not using SMB or Windows network file sharing, and especially for externally facing servers, it is best practice to reduce the network attack surface by configuring prevention policy rules to block SMB network traffic. Note that these rules also block legitimate file and printer sharing, and on domain-joined machines can interfere with traffic that depends on SMB (such as Group Policy retrieval), so apply them only to systems that genuinely do not need SMB. The rules are added by editing the Kernel and Global network rules:

  • From the Java Console, edit a Windows 6.0 Policy
  • Click Advanced -> Sandboxes
  • Under Kernel Driver Options, click Edit
  • Under Network Controls
  • Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any
  • Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445
  • Navigate back to Home in the Policy Editor
  • Click Advanced -> Global Policy Options
  • Under Network Controls
  • Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any, Program Path: *
  • Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445, Program Path: *
  • Save the Policy
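Once the policy is saved and applied, a practitioner will want to confirm from another host that the SMB ports are no longer reachable. The following script is an added example and is not part of the original post or of DCS:SA itself; it performs a TCP connect test against the NetBIOS Session (139) and SMB (445) ports of a target you supply and returns the ports that still accept connections. Ports 137 and 138 are UDP and cannot be verified by a TCP handshake, so a connect test covers only the two TCP services; the host and port values are assumptions for illustration.

```python
import socket
import sys
from typing import Dict, Iterable, List

# TCP ports denied by the DCS:SA network rules above. 137/138 are UDP-only
# (NetBIOS Name and Datagram services) and are not testable with a TCP handshake.
SMB_TCP_PORTS = (139, 445)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True only if a full TCP handshake to host:port completes.

    A refused connection, a timeout (filtered by the IPS or a firewall) or any
    other socket error is reported as 'not open'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers ConnectionRefusedError and socket.timeout
        return False


def check_smb_exposure(host: str,
                       ports: Iterable[int] = SMB_TCP_PORTS,
                       timeout: float = 2.0) -> Dict[int, bool]:
    """Map each port to whether it accepted a TCP connection from this vantage point."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, bool]) -> List[int]:
    """Return the sorted list of ports that were still reachable."""
    return sorted(port for port, is_open in results.items() if is_open)


if __name__ == "__main__":
    # Assumed usage: python check_smb.py <target-host>; defaults to loopback.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_smb_exposure(target)
    for port, is_open in sorted(results.items()):
        print(f"{target}:{port} {'OPEN' if is_open else 'closed or filtered'}")
    # Non-zero exit if anything is still exposed, so the check can gate a change ticket.
    sys.exit(1 if exposed_ports(results) else 0)
```

Run it from a machine on the same network segment as the server and again from outside the perimeter; a "closed or filtered" result for both 139 and 445 is what you expect after the deny rules take effect, while an OPEN result means the policy has not been applied to that host or another rule is allowing the traffic.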

In addition to the protection delivered out of the box, execution of all known variants of the WannaCry ransomware can be blocked by adding the executable hashes to the Global No-run List. Bear in mind that a hash entry matches only the exact file it was taken from: a repacked or recompiled variant has a different hash, so keep the list updated from Symantec's published indicators rather than relying on it as the sole control. To add a hash to the list:

  • From the Java Console, edit a Windows 6.0 Basic or Hardened Policy
  • Click Advanced -> Global Policy Options
  • Under Global Policy Lists, Edit the “List of processes that services should not start [global_svc_child_norun_list]”
  • Click the Add button to add a parameter list entry
  • In the “Entry in parameter list” dialog
    • Enter ‘*’ for the Program Path
    • For File Hash, click the “…” button on the right hand side
    • In the File Hash Editor dialog, click Add
      • Enter either the MD5 or SHA256 hash of the file
      • Click Ok on the File Hash Editor dialog window
    • Click Ok on the Entry in parameter list window
  • Add a parameter list entry for each hash value
  • Save the policy
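The no-run list above matches a file by its MD5 or SHA256 digest. The script below is an added example, not DCS:SA code or code from the original post, showing the same hash-match logic in a form you can run against a directory of suspect files: it hashes each file once with both algorithms, normalises the blocklist entries (case, whitespace, digest length), and reports any file whose digest appears in the list. The blocklist here is constructed from a harmless sample byte string so that the example runs offline; it does not contain the real WannaCry hashes, which must be taken from Symantec's WannaCry Outbreak page.

```python
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Set

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large binaries do not load into memory
HEX_DIGITS = set("0123456789abcdef")


def file_hashes(path) -> Dict[str, str]:
    """Return lowercase hex MD5 and SHA256 digests of a file, reading it once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def normalise_blocklist(entries: Iterable[str]) -> Set[str]:
    """Lowercase and trim entries; reject anything that is not a 32- or 64-char hex digest.

    A typo in an indicator would otherwise silently match nothing.
    """
    cleaned = set()
    for entry in entries:
        digest = entry.strip().lower()
        if len(digest) not in (32, 64) or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"not an MD5/SHA256 hex digest: {entry!r}")
        cleaned.add(digest)
    return cleaned


def is_blocked(path, blocklist: Set[str]) -> bool:
    """True if either digest of the file appears in the blocklist."""
    hashes = file_hashes(path)
    return hashes["md5"] in blocklist or hashes["sha256"] in blocklist


def scan_tree(root, blocklist: Set[str]) -> List[str]:
    """Walk a directory tree and return the paths of files matching the blocklist."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and is_blocked(p, blocklist))


# Constructed sample data (not real malware): the digest of this byte string stands in
# for the indicator hashes a defender would paste from the vendor's outbreak page.
SAMPLE_PAYLOAD = b"constructed sample payload - not a real WannaCry binary\n"
SAMPLE_BLOCKLIST = normalise_blocklist([
    hashlib.sha256(SAMPLE_PAYLOAD).hexdigest().upper(),  # uppercase on purpose
])


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(root, SAMPLE_BLOCKLIST):
        print(f"BLOCKLISTED: {hit}")
```

Replace SAMPLE_BLOCKLIST with the published indicator hashes and point the script at a staging share or quarantine folder; because matching is exact, a file that has been modified by even one byte will not be flagged, which is the same limitation the console's hash list has.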

Despite Increased Focus, Government Insider Threats Not Declining


This week, in conjunction with MeriTalk, we released "Inside Job: The Sequel – The 2017 Federal Insider Threat Report," which surveyed 150 Federal IT managers to find out where agencies stand on insider threat protection. What is working? What is not? What are the challenges and solutions?

First, the good news:  85 percent of respondents say their agency is more focused on combating insider threats today than one year ago (up from 76 percent in 2015).  In addition, most agencies are formalizing their efforts – 86 percent say they have a formal insider threat prevention program, a big jump up from just 55 percent in 2015.

But, despite these efforts, the rate of cyber incidents perpetrated by insiders isn’t really going down.  Forty two percent of agencies report incidents over the last year, compared to 45 percent in 2015.  And, almost a quarter of respondents say their agency has lost data to a cyber incident perpetrated by insiders in the past 12 months.

Why aren’t we seeing more progress?  Well, as agencies are working to address the problem, the problem is getting more complex as boundaries dissolve, and more systems and information move to the cloud.  Indeed, 59 percent of respondents say the growing number of cloud-based systems has made insider threats more difficult to detect – due to increased complexity, endpoint monitoring challenges, lack of preventative measures, and difficulty implementing and enforcing identity and access management policies.

It is a big challenge, but agencies do not need to reinvent the wheel. Addressing insider threats should be a subset of their overarching cyber security program. The NIST Cybersecurity Framework (CSF), now mandated by last week's signing of the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, can help agencies identify gaps in cyber readiness that are not easily identified by their current process. To address these gaps, agencies should look for tools that satisfy other CSF areas, apply policy universally, and support a variety of on-premises, hybrid, and cloud environments.

To learn more about our recent research, download the “Inside Job” report here.

Adylkuzz Cryptocurrency Miner Is Not The Next WannaCry


WEBINAR: Using the NIST Cybersecurity Framework to Identify PHI

Webinar: June 1, 2017 (10:00 am PST)

TIME: 10:00 AM (PST) / 1:00 PM (EST)

SPEAKERS: Axel Wirth, CPHIMS, CISSP, HCISPP, Technical Architect, Symantec & Vishal Gupta, VP, Engineering/Product Management, Symantec

Part 2 of 7: The NIST Cybersecurity Framework Healthcare Webinar Series

Of the 16 critical infrastructure sectors, healthcare is the only one yet to adopt a formal cybersecurity framework. That may be about to change.

Join Symantec on June 1 for the second webinar in our series on how healthcare organizations can adopt the NIST Cybersecurity Framework (CSF).

In this webinar, Using the NIST CSF to Identify Protected Health Information (PHI), we will look at the Identify function, knowing that you cannot protect what you don't know you have.

Healthcare organizations need to identify their digital systems, what data they hold, how it is used, and what value it holds before they can make the right decisions on how to protect it under their Risk Management program.

This webinar will look at technical and administrative controls that reflect your mission and operations, and why this must be the first step in protecting your sensitive data and patient information.

During this webinar we will:

- Discuss how to successfully implement an asset and risk management strategy that incorporates all of your hardware, software, and data to gain complete visibility of your organization's assets

- Provide a practical guide for healthcare organizations to navigate through the 5 categories within the Identify function

To Register (Click Here)

On-Demand Webinar Series:

- Part 1 of 7: Demystifying NIST Cybersecurity Framework for Healthcare Series http://bit.ly/Part10209WebinarNIST

Adylkuzz cryptocurrency miner is not the next WannaCry

Adylkuzz, used for cryptocurrency mining, appears: not part of the WannaCry family

Unlike WannaCry, Adylkuzz is very limited in both the severity of its impact and the extent of its spread.

Symantec and Lifelock's Shared Vision of Support for Online Safety Education 

Partnership with the National Organization for Victim Assistance (NOVA) empowers Domestic Violence Victim Advocates through Online Safety

Symantec's acquisition of LifeLock, a leading provider of identity theft protection, in early 2017 has transformed Symantec's consumer business into the most comprehensive consumer digital safety platform to help people protect their information, identities, devices and families. LifeLock and Symantec are both committed to working in collaboration with stakeholders and nonprofits to make a positive impact and difference in the world, with online safety education being central to this. We believe in educating and empowering people so they can make informed decisions in an identity-challenged world.

Today, we highlight a recent article by Chief Justice Richard Barajas (Ret.), executive director, National Organization for Victim Assistance (NOVA). Through a multi-year partnership with NOVA, LifeLock has provided educational programs focused on assisting victims of identity theft and cybercrime. The training is open to victim advocates, allied professionals and law enforcement and helps build skills for safety planning and remediation. The partnership has reached over 2,900 victim advocates representing more than 700 agencies in 25 states.  

By: Chief Justice Richard Barajas (Ret.), executive director, National Organization for Victim Assistance (NOVA)

How a Smartphone can be a Domestic Violence Tool

Technology has changed the rules of violence. We see it in how countries approach each other on the international level. We also see it in personal relationships, where smartphones can now be a domestic violence tool.

Authorities recently arrested a Rochester, N.Y., policeman for cyberstalking his ex-girlfriend. They say the defendant targeted the victim with harassing text messages, emails, and phone calls. According to news reports, investigators also allege the officer tried to access the woman’s work email and online medical accounts.

Using technology to harm from afar
The tools of domestic violence were once limited to the physical kind—fists or weapons. They’re now often replaced by mobile devices and computers. These relatively new tools—Apple introduced the iPhone just ten years ago—allow perpetrators to not only cause irreparable harm to their victims, but to do so at a distance and, possibly, escape detection.

And with each of us doing more and more activities online, everything from banking to dating to staying in touch with friends, we run the risk of someone we trust taking advantage of us through these online accounts and channels. Overseas hackers aren’t the only perpetrators of cyberattacks. The criminal could be an estranged spouse or former friend.

LifeLock’s partnership with NOVA
Those of us at NOVA, the National Organization for Victim Assistance, who provide support to crime victims have to familiarize ourselves with these new tactics. For that, we turn to the folks at LifeLock, who gave us just such an opportunity this month. Some of the company’s cybersecurity experts provided hands-on training for a handful of us.

In the daylong session, LifeLock’s chief of identity education, Paige Hanson, and director of security communications (and “hacker for good”) Joe Gervais took us on a deep dive into the basics of identity theft and fraud. This is particularly useful information, as we work daily with people who’ve suffered from such crimes—sometimes at the hands of family or friends, but also, by unknown thieves and criminals.

The more we know, the better we can help
The more we at NOVA understand about how a particular crime is perpetrated, the better able we are to help the victims who turn to us. We can sometimes tell them how we think the crime may have occurred and how a victim can take steps to protect him- or herself going forward. It could be as simple as reminding them about the need for strong passwords on financial, email and social media accounts—and not sharing those passwords.

Access the full article here.

Auto Start Workflow Needs Proper SQL Authentication to Execute


A recent experience provided some insight into SQL authentication.  While assisting someone who was implementing the Zero Day Patch Workflow, they kept running into issues surrounding SQL authentication.  They tried a variety of solutions.  

Ultimately, the solution was to open SQL Management Studio, and give SYSADMIN privileges to the account serving the Application Pool in IIS.  This resolved the issue for them.
