This is the ProactiveIT Podcast. This Week: The latest in IT and Cyber Security news plus Paying Ransom Demands Doesn’t Pay, Breach Statistics for Business and Healthcare, and Preparing for the New Normal (WFH)
This is Episode 30
Hi Everyone and welcome to the Proactive IT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real world examples to learn from so that you can better protect your business and identity.
This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut. You can find us at nwajtech.com.
Thanks for listening to this podcast. Show us some love on Apple or Google Podcasts. Subscribe and leave us some positive feedback. What are you waiting for?
Also, go join the Get HIPAA Compliance Facebook Group. Search for Get HIPAA Compliance
Patch Tuesday Update:
Unpatched Oracle WebLogic Servers Vulnerable to CVE-2020-2883
SaltStack Patches Critical Vulnerabilities in Salt
Firefox 76 released with integrated data breach alerts
Microsoft releases May Office updates with fixes for auth issues
Instacart Patches Security Bug That Would Have Let Attackers Spoof SMS Messages
Google Releases Security Updates for Chrome
Cisco Releases Security Updates for Multiple Products
VMware Publishes Workarounds for Vulnerabilities in vRealize Operations Manager
Adobe Releases Security Updates
May 2020 Patch Tuesday: Microsoft fixes 111 vulnerabilities, 13 Critical
Chrome 83 released with massive security and privacy upgrades
Drupal Releases Security Updates
Apple Releases Security Update for Xcode
ISC Releases Security Advisory for BIND
Adobe Releases Security Updates
VMware Releases Security Update for Cloud Director
Microsoft Releases Security Advisory for Windows DNS Servers
Cyber Security News
This is the ProactiveIT Podcast. This week: the latest in IT and cybersecurity news, plus paying ransom demands doesn’t pay, breach statistics for business and healthcare, and preparing for the new normal, work from home. This is Episode 30. Hi everyone and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real world examples to learn from so that you can better protect your business and your identity. This podcast is brought to you by Nwaj Tech, a client-focused and security-minded IT consultant located in Central Connecticut. You can find us at nwajtech.com, that’s N-W-A-J-tech.com. Alright, as always, thank you for joining us in this week’s episode of the ProactiveIT Podcast. We have lots of stuff to share with you today: updates, HIPAA news, security news, all kinds of interesting cybersecurity and compliance news. But before we jump into it, I want to tell you that I am now part of the 405(d) task force, which is a federal task force whose goal is to improve cybersecurity in healthcare, so be looking for more of that to share with you in the future. It’s a lot of what I’ve been sharing with the HIPAA education in the last few weeks. So I’m excited to be a part of that. And my first meeting will be in July. So look for more of that to come. We do have a number of updates to talk about. But before we jump into that, I want to again thank you for listening. Wherever you’re listening to this, if you could like, share, comment or review. We’re just trying to reach the masses so that we can share all of this relevant information with them as well. And that will better prepare business owners, healthcare providers, lawyers, financial firms, just really any business owner to be prepared for the inevitable, and that is to be a victim of a cyber attack.
Also, if you’re in a HIPAA compliant business, if you could go to Facebook, in Facebook search type in Get HIPAA Compliance and join that group. That’d be awesome too, because then you’ll learn everything that I learned, plus what I already know, plus the information that I get to share out to people, and you’ll be better prepared in your healthcare practice for HIPAA compliance and cybersecurity. All right, as I mentioned, we do have a number of updates to talk about, software updates. And first, we have Chrome 83, which was released with quite a few security upgrades and privacy upgrades, but also some cool feature upgrades. The security upgrades are probably the most important. So that is the reason you should update your Google Chrome ASAP. They did redesign DNS over HTTPS. They also included a new safety check feature in Chrome. So kind of a future kind of security, both of those, right? Easier security and privacy control. So it’s easier to manage your security now. Enhanced Safe Browsing protection. And what that means is that when you go to a website, you can enable it to show the full URL instead of just a partial URL, which could be important, especially for phishing purposes. Actually, that is a separate feature on its own. So Enhanced Safe Browsing is, when enabled, Google will perform a real time check of URLs that you visit for known threats. So they’ve kind of already been doing that, but I guess they’ve enhanced that even more. The cool feature that’s been added to this is tab groups, which means you can group your tabs into, you know, like if you have Facebook, Twitter and LinkedIn all open, it could be your social media tab. If you have BleepingComputer and spyware open, that could be your security, your cybersecurity tabs, things like that. So you could group your tabs into how you want to tab them and have less tabs open, I guess, in a sense, a little more organization. So that’s a pretty cool feature.
And it did address 38 security vulnerabilities in total in the update, so get it updated right away. It’s real simple to update Google Chrome. So make sure you take care of that. Drupal did release a security update. You should update to anything above and beyond 8.8. So there is a vulnerability that is impacting Drupal 7, 8.7 and 8.8 that could allow a remote attacker to exploit the vulnerability to take control of the affected system. Apple released a security update for Xcode. Again, I think that’s the second one this month. So get that updated. ISC released a security advisory for BIND, BIND being Berkeley Internet Name Domain, that is a protocol in Windows. So there is a security advisory for that. There is not necessarily an update, but there is a workaround. So make sure you check out the advisories on that. That is available on CISA and it is in regards to CVE-2020-8616 and CVE-2020-8617. Adobe released updates for Premiere Pro, Audition and Premiere Rush. So if you use any of those products, update them ASAP. VMware released a security update for Cloud Director. I think that might be the second one this month as well. There is a VMware security advisory linked to the CISA bulletin, and that is at vmware.com/security/advisories/VMSA-2020-0010.html. And finally, Microsoft did release a security advisory for Windows DNS servers. Microsoft has released a security advisory that addresses a vulnerability affecting Windows DNS servers. An attacker could exploit this vulnerability to cause a denial of service condition. We talked about that a little bit on the daily episode. That advisory is ADV200009. So make sure you check out that advisory. It is not an update, it is an advisory. So Microsoft is aware of a vulnerability involving packet amplification that affects Windows DNS servers. An attacker who successfully exploited this vulnerability could cause the DNS server service to become non-responsive.
And there are mitigations and workarounds for it. Now of course we are approaching the end of the month, which means Patch Tuesday is already past. So we did have a number of updates at the beginning of the month. And if you want to listen to those, that would be previous episodes for the month of May. I really should start a blooper reel, because the number of times I have to edit these things and go back and re-record is pretty funny. So we’re gonna jump into the news now. First up on Threatpost: paying ransomware crooks doubles cleanup costs, according to a report. To summarize it, it costs $730,000 on average to recover from a ransomware attack if you don’t pay the ransom. If you do pay the ransom, then it will cost you approximately $1.4 million on average. And that’s according to the State of Ransomware 2020 report from Sophos. A few other interesting statistics: 51% of those polled said they were hit with ransomware attacks in the last year, and 73% of those said data was encrypted in the attack. So just over half of the businesses polled, and that’s 5,000 IT managers across 26 countries, so that’s quite a few businesses. I think that’s a pretty good representation of the global economy. Just over half have been attacked and 73% of those have had files encrypted. So 27% were able to fend off the attack. 94% of organizations that experienced data encryption got it back. More than twice as many, 56%, recovered their data using backups rather than paying the ransom, which was 26%. So 26% of those polled that were hit with ransomware paid the ransom, which means the recovery costs are quite a bit higher. The private sector was hit harder, though. Ransomware attacks in the public sector, which is believed to be one of the hardest hit by these attacks, are high profile. The report shows that actually that sector is less affected by ransomware attacks than the private sector.
I also believe that probably, more so, the private sector is under-reporting. And so that might lead to even bigger numbers if the businesses reported. Cloud data is vulnerable to ransomware. There is a common misconception that if your infrastructure is hit with ransomware, your cloud data is safe. And that is not necessarily true. It really depends on how it is set up. So don’t just rest on your laurels when it comes to cloud security. Or, I’m sorry, security overall involving cloud. Cloud infrastructure as a service is what it’s called, for the most part. We have a report on NBC News. This has been reported all over the place about a criminal group that hacked a law firm and threatens to release Trump documents. We reported this last week. We talked about it a few times on the daily episode as well. A law firm in New York City was hit with a ransomware attack. The law firm is Grubman Shire Meiselas & Sacks, or GSM Law, I believe. I believe it’s either GSM Law or GSMS Law. And the law firm is a law firm for, you know, celebrities, entertainers and so forth. And so we’re talking big names like Lady Gaga, Madonna, Bruce Springsteen, a bunch of big names. And last week we saw the file structure for the information that they claim to have, so we saw the hierarchy. And there were files that said Lady Gaga and Bruce Springsteen and so forth. Now, this week they claimed, early in the week, or maybe late last week, they claimed that they had information on Donald Trump that they were going to leak unless they received a $42 million demand. They have since said that they’ve sold that information to someone else. And now they’re looking for a buyer for that information on Madonna. The law firm says that they did not represent Trump at any time. So it’s hard to say whether or not they have information. Supposedly there were some emails released that somehow had something to do with Trump.
I have not seen the emails. So I don’t know what the content of those emails was. Doesn’t seem like anybody really cares about the content of those emails at this point. So I have to believe they don’t really have anything sensitive about Donald Trump, President Trump. But they have supposedly sold that information now. So we’ll wait to see if anything else comes with that. That is where we’re staying at this moment. The law firm has refused to pay the ransom. They obviously do have information on other celebrities. So we’ll see what happens. On SecurityWeek, that’s securityweek.com: likely breach shuts down Arkansas unemployment program. Now there were a few of these. Massachusetts had some issues and I believe maybe Arizona was another one. A state program that was created to process unemployment applications for Arkansas self-employed individuals or gig economy workers appears to have been illegally accessed and has been shut down, officials announced Saturday. Governor Asa Hutchinson said he learned Friday evening that an applicant for the program is believed to have somehow accessed the system, prompting an investigation of a possible data breach. A probe will determine if any personal data from applicants was obtained. If any individuals had their data compromised, they will be notified and steps will be taken to address the situation, including possible credit monitoring. Hutchinson said an outside IT expert was brought in to review the system. We want to make sure that the system is in good shape before it goes back online, the governor said. News of the program breach was first reported on Friday by the Arkansas Times, that being last Friday. About 30,000 people have applied to the program, which has had other problems. Earlier this month a computer glitch forced some who had already applied to resubmit supporting documents. So that’s all the details that are on that compromise.
I have not seen any updates to that, but that was reported on Monday the 18th. The attack, or the compromise, I don’t know if it was an intentional attack, but the compromise occurred on Friday, May 15, 2020. On Help Net Security we have an article here that talks about how shadow IT is a threat to businesses, a security threat to businesses. And now that we’re experiencing more remote workers, that threat continues to grow. So as cyber threats and remote working challenges linked to COVID-19 continue to rise, IT teams are increasingly pressured to keep organizations’ security posture intact. When it comes to remote working, one of the major issues facing enterprises is shadow IT. So what is shadow IT? End users are eager to adopt the newest cloud applications to support remote work, bypassing IT administrators and in doing so unknowingly opening both themselves and their organizations up to new things. Right, so I’ll give you an example of what shadow IT is. You work for a company, you want to be able to remote into your work computer from home. So you set up TeamViewer on your work computer, you set up TeamViewer on your home computer and now you’re able to log in to your computer from home. And I believe there was a HIPAA breach just recently similar to that. That is shadow IT. It is not an approved application. You’ve somehow got the ability to install applications on your work computer, which should never happen. You should not have an administrator account unless you are, of course, an administrator. And that creates a problem, because now TeamViewer, which has been used in the past to attack other businesses, other computer users, is now running on a computer all the time. Somebody gets access to the account, various ways that can happen. Now they have access to that work computer, and now they have access to the internal network of the business you work for.
And now they may be able to do more damage based on that, especially since you probably have administrator access to be able to install that program in the first place. So what are the risks to not having this under control? First of all, there is the increased risk of data breaches, which is basically what I just said, right? So if you have, we’ll call it a backdoor. It’s not really a backdoor in the sense that you’ve been compromised, but it’s a backdoor in the sense that IT administration might not be aware that it exists. They should be, and it shouldn’t have ever happened in the first place, but they may not be aware that it exists, which means it’s not being monitored, which means it could be easier access. Maybe you’re not using complex passwords like you should be, multi-factor authentication. Now the bad guys have a way in, they get in and they steal data. Compliance issues and regulation issues, regulatory violations. So now you have, you know, you have to deal with HIPAA, GDPR, in some places CCPA, the SHIELD law in New York, FINRA, anything with a law firm, SOX, even PCI DSS. Right now you might be violating compliance, and again, I think I do recall the scenario I just talked about in a healthcare environment. Missed financial goals due to unforeseen costs. According to Gartner, shadow IT represents as much as 30 to 40% of total IT spend, which can be attributed to several factors. Oftentimes users and departments buy shadow solutions within a similar product category already covered by company-wide enterprise agreements, doubling up on capabilities and spending budget without the IT department’s knowledge. And depending on who pays the bill, shadow IT tends to skew reporting. Decreased efficiency due to time-consuming and redundant tasks. So in the case of TeamViewer, you know, you could do it for free, but let’s say you opted for the paid version.
Now you’re paying for it, but they already have software, or maybe they use Remote Desktop Protocol. You know, whatever the case may be, now we’re adding to the costs of the IT budget. So what are the solutions to help manage shadow IT? First of all, it’s not in this article, but I will say this: administrators should be the only ones to have access to install programs on employee computers. Most employees should not have access to that. So that would alleviate a lot of the issues. But at the end of the day, you want to make sure you’re providing IT teams with a SaaS management solution that brings visibility into the usage, renewal schedules, costs, policy enforcement and security to avoid the consequences of shadow IT. SaaS is short for software as a service. One option is to introduce broad SaaS management and discovery capabilities to check apps using a number of discovery methods. This would provide IT departments with a full picture of their SaaS environment, including all applications and users, through a single dashboard. SaaS management, we’ll call it SaaS going forward. SaaS management solutions also have the potential to educate users on the apps available through the business, choose the best solutions and utilize those platforms to their full potential. Now, so if you’re using Google G Suite or Microsoft 365 in your environment, then you already have a lot of SaaS programs that are available to you. So check those out. But there are other dashboards, other offerings out there that you may want to take advantage of. So something to think about in your environment. Make sure that shadow IT is not an issue. And then, you know, give the employees what they need to do their job, especially now that work from home is becoming a more common trend during COVID-19 and post COVID-19. Sounds like Twitter did announce that work from home would be permanent for most employees, and Facebook is now working on 50% work from home as well.
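The TeamViewer scenario above comes down to two controls the episode calls out: nobody but IT should hold local administrator rights, and IT needs visibility into what is actually installed. The PowerShell audit below is an added example, not code from the podcast or from the Help Net Security article. It reads the local Administrators group and the Add/Remove Programs registry keys on a Windows workstation and reports any remote-access tool that is not on an approved list, plus any administrator that is not on an expected list. The approved-software list, the expected-admin list, the `CORP\Workstation Admins` group name and the product-name patterns are assumptions for illustration; adjust them to your environment.

```powershell
# Added example (not from the podcast or the article): a per-workstation
# shadow-IT audit. Lists and patterns below are assumptions for illustration.

# Remote-access products to look for. Matched against the DisplayName that
# the installer wrote to the registry (case-insensitive -like match).
$RemoteAccessPatterns = @('TeamViewer', 'AnyDesk', 'LogMeIn', 'Splashtop',
                          'Chrome Remote Desktop', 'VNC', 'GoToMyPC')

# Remote-access tools IT has sanctioned (assumed). A match above that is not
# also matched here is reported as shadow IT.
$ApprovedSoftware = @('Splashtop Streamer')

# Principals expected in the local Administrators group (assumed). Entries
# are -like patterns; Get-LocalGroupMember returns names as COMPUTER\User
# or DOMAIN\Group, so the leading wildcard covers the built-in account.
$ExpectedAdmins = @('*\Administrator', 'CORP\Workstation Admins')

function Get-InstalledSoftware {
    # These keys are the source of the Add/Remove Programs list. WOW6432Node
    # holds 32-bit installers on 64-bit Windows; HKCU holds per-user installs,
    # which need no admin rights and are where shadow IT often lands.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Find-UnapprovedRemoteAccess {
    param([object[]] $Software = @())
    foreach ($app in $Software) {
        $name = $app.DisplayName
        $isRemoteTool = $RemoteAccessPatterns | Where-Object { $name -like "*$_*" }
        $isApproved   = $ApprovedSoftware     | Where-Object { $name -like "*$_*" }
        if ($isRemoteTool -and -not $isApproved) {
            [pscustomobject]@{
                Finding = 'Unapproved remote-access tool'
                Name    = $name
                Detail  = "$($app.DisplayVersion) by $($app.Publisher)"
            }
        }
    }
}

function Find-UnexpectedLocalAdmins {
    # Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object {
            $member = $_.Name
            -not ($ExpectedAdmins | Where-Object { $member -like $_ })
        } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'Unexpected local administrator'
                Name    = $_.Name
                Detail  = "$($_.ObjectClass) from $($_.PrincipalSource)"
            }
        }
}

# @(...) around each call yields an empty array when there is nothing to report.
$findings = @(Find-UnapprovedRemoteAccess -Software (Get-InstalledSoftware)) +
            @(Find-UnexpectedLocalAdmins)

if ($findings.Count -eq 0) {
    Write-Output "No shadow-IT findings on $env:COMPUTERNAME"
} else {
    # Plain objects, so the output can be exported (Export-Csv, a SIEM agent,
    # an RMM script result) and rolled up into one dashboard across machines.
    $findings | Format-Table -AutoSize
}
```

Run it per machine from a scheduled task or your RMM and collect the output centrally; that is the cheapest version of the single-dashboard visibility the article describes. The HKCU key is included on purpose: a per-user installer needs no administrator rights, so removing local admin alone does not catch everything.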
BleepingComputer: REvil ransomware found buyer for Trump data, now targeting Madonna. We just talked about this from, I think I said CBS or NBC, I don’t remember who it was. But there was another article posted a few days later that I shared because it said that it was REvil, which is also Sodinokibi, and it is GSM Law, by the way. So now they are looking for a buyer for the Trump data. So the first article shared that they had information on Trump, they wanted 42 million. Sounds like they weren’t going to get it. So now they sold the data that they allegedly have, and they’re looking for a buyer for the Madonna data. Ransomware attack impacts Texas Department of Transportation. This is also on BleepingComputer. This is also the second attack on Texas in the last week. A new ransomware attack is affecting the Texas government. This time hackers got into the network of the state’s Department of Transportation, TxDOT. Less than a week ago, on May 8, which is now almost two weeks ago, the Texas court system was the victim of this same type of attack, which resulted in servers being taken offline to prevent malware from spreading to the network. In a brief announcement on social media, TxDOT said it detected the attack on Thursday, May 14, after finding unauthorized access to the agency’s network. Further examination determined that the event was part of a ransomware incident. Immediate action was taken to isolate infected computers from the network and block further unauthorized access. It is unclear how many systems are impacted or the ransomware family used by the intruder. Some operations have been affected by this incident, but TxDOT executive director James Bass says that the agency is working to ensure critical operations continue during the interruption. The agency’s website informs that technical difficulties make some features unavailable and that they are working to resolve the issues promptly.
As usually happens with this type of cyber attack, the FBI was alerted and is involved in the investigation. So, Texas has now had two ransomware attacks in two weeks on their different government departments. FBI warns of ProLock ransomware decrypter not working properly. So ProLock, which was formerly PwndLocker, P-w-n-d-Locker, is now called ProLock. ProLock is another ransomware group that is now working with another malware, Qak-something, to gain... So Qak, I forget what it’s called. It may be here in the article, but it is a banking Trojan, which means it’s grabbing credentials so that they have access even after the ransomware is removed. QakBot, that’s it, Q-a-k-B-o-t. But ProLock, the decrypter itself doesn’t work properly. So this is one of those cases where you pay the ransomware demand and you get the decryption key and it doesn’t work. And the reason it doesn’t work is files larger than 64 megabytes may become corrupted during the decryption process, and integrity loss of one byte per one kilobyte is possible with files over 100 megabytes, and additional work may be needed to make the decrypter work properly. So this is a case where paying the ransomware probably is going to cause more problems than if you just restore from backups, assuming you have backups, that is. ProLock is as serious a threat as the others, which is Maze, DoppelPaymer, REvil and LockerGoga, or LockerGoga, that is. Those are now telling people that if you don’t pay the ransom, they’re going to release data that they have stolen. And I believe ProLock is now doing the same thing. So paying might not help you restore, but it will certainly, hopefully, help prevent a data breach from becoming public. Now, I’ll say it again: ransomware attacks should be considered data breaches. They’re not in most cases, but they should be at this point. Threatpost shared an article that said Bluetooth bugs allow impersonation attacks on legions of devices.
So a host of unpatched security bugs that allow BIAS attacks affects Bluetooth chips from Apple, Intel, Qualcomm, Samsung and others, which is pretty much every smartphone that’s out there. Academic researchers have uncovered security vulnerabilities in Bluetooth Classic that allow attackers to spoof paired devices. They found that the bugs allow an attacker to insert a rogue device into an established Bluetooth pairing, masquerading as a trusted endpoint. This allows attackers to capture sensitive data from the other device. Now, I shared last week the plan going forward for COVID-19 and contact tracing, and it was going to use Bluetooth. And Apple and Google were both going to come up with a way to do this at the operating system level. And my concern was Bluetooth is always vulnerable. There are always vulnerabilities that pop up in Bluetooth, and here we go. So now what could happen: the bugs allow Bluetooth Impersonation AttackS, which is BIAS for short, on everything from Internet of Things gadgets to phones to laptops, according to researchers at the École Polytechnique Fédérale de Lausanne (EPFL) in Switzerland. The flaws are not yet patched in the specification, though some affected vendors may have implemented workarounds. “We conducted BIAS attacks on more than 28 unique Bluetooth chips by attacking 30 different devices,” the researchers said. “At the time of writing, we were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack.” The issue lies in pairing/bonding protocols used in the specification. When two Bluetooth devices are paired for the first time, they exchange a persistent encryption key, the long term key, that will then be stored so that the endpoints are therefore bonded and will connect to each other without having to perform the lengthier pairing process every time.
And if you’ve ever paired a Bluetooth device, you know it’s not always fun. For the attacks to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device that has previously established bonding with a remote device with a Bluetooth address known to the attacker, which isn’t that hard, because, so I have been places where somebody is trying to connect to a Bluetooth device, and it pops up on my phone, and I can choose to accept or decline, and of course I declined. But if I accepted it, I now have access to that device, potentially. So it’s really not that hard to grab the MAC address of another device. The post-pairing connections are enabled because the devices, let’s call them Alice and Bob, perform a background check to make sure both possess the long term key. This is done using the Legacy Secure Connections or Secure Connections protocol inside the Bluetooth specification, which verify three things: Alice’s Bluetooth address, Bob’s Bluetooth address and a shared long term key. And then it goes on to talk about the technical information behind the attack and what could occur. But essentially, if the attack happens, they could read all of the data on your phone, potentially. So, remediation is forthcoming. There have not been any updates to anything yet. And as you know, if you own an Android, you have to wait for the specific vendor of your Android device, unless you have a Google phone. You have to wait for the vendor to release the update. And then with Apple, that’s always update to everything when they release the update. So this was the concern that I expressed when it came to contact tracing, and here we have it. On The Hacker News: Ukrainian police arrest hacker who tried selling billions of stolen records.
The Ukrainian police have arrested a hacker who made headlines in January last year by posting a massive database containing some 773 million stolen email addresses and 21 million unique plaintext passwords for sale on various underground hacking forums. In an official statement released on Tuesday, the Security Service of Ukraine (SBU) said it identified the hacker behind the pseudonym Sanix, who was a resident of Ivano-Frankivsk, I don’t know how to say that, it’s Ivano, I-v-a-n-o, dash F-r-a-n-k-i-v-s-k, region of Ukraine, but it did not reveal his actual identity to the media. In January last year, the hacker tried to sell the massive 87 gigabyte database labeled as the largest array of stolen data in history, which according to security experts was just a fraction of the stolen data Sanix collected. According to authorities, Sanix had at least six more similar databases of stolen and broken passwords, totaling in terabytes in size, which also included billions of phone numbers, payment card details and social security numbers. So here’s the crazy part. So he had all this information, email addresses, e-wallets, all kinds of stuff, PIN numbers, bank card PIN numbers. He was selling the databases for between $45 and $65 each. That’s not a lot of money. And so when I tell you that if your data is stolen, it’s going to be in multiple hands before you know it, that is exactly what is going to happen.
A search of his residence resulted in a seizure of computer equipment with two terabytes of stolen data, phones and evidence of illegal activities, and more than $10,000 in cash from illegal transactions, which was 190,000 Ukrainian hryvnia, which is approximately $7,100, and then $3,000 in US dollars. Sanix is now facing Ukrainian criminal charges for unauthorized interference with computers and unauthorized sale or dissemination of information with limited access stored in computers. If found guilty, he could be facing up to eight years in prison. Which, I don’t know, doesn’t seem like a lot for the amount of damage he potentially has caused. But what can I say? And if you thought vigilantes were just a thing in movies, they’re not. If you thought it was just all about Batman, it’s not. Vigilante hackers target scammers with ransomware and DDoS attacks. This is on BleepingComputer. A hacker has been taking justice into their own hands by targeting scam companies with ransomware and denial of service attacks. Last week a new ransomware was discovered called MilkmanVictory that a hacking group stated they created to attack scammers. In a conversation with BleepingComputer, the hacking group known as CyberWare stated that they have started targeting companies performing what they call loan scams. “The victims are saying that they give loans but you first have to pay and then you get nothing,” the hacking group told BleepingComputer. As part of their attacks, the threat actors are sending phishing emails containing links to executables masquerading as PDF files. They’re also conducting denial of service attacks to bring down the companies’ websites. The ransomware is being distributed as a destructive wiper attack as it does offer a way to contact the attackers and does not have the encryption key.
“I do not ask money because scammers do not deserve money for scamming innocent people,” the hackers told us. Instead, the victims are left with a ransom note stating the computer was destroyed because we know you are a scammer. So I think it does have a typo there: doesn’t have a way to contact. The hacker group claims to have targeted the German Luz Union loan company, whose website is currently down, with a DDoS attack and email spreading ransomware. The attackers state that this ransomware is based on HiddenTear, which means that even if a key is not saved, it can still be decrypted using brute force attacks. Anyone who is encrypted by a HiddenTear variant may be able to recover their files for free using Michael Gillespie’s HiddenTear decrypter. So vigilantes using ransomware sounds pretty cool, right? Hot topics for the week, we have a few things we’re going to discuss. The first one, on ZDNet: home office technology will need to evolve in the new work normal. And what does that mean? So Twitter announced either earlier this week or late last week that work from home would be a permanent option for employees. Facebook announced, I believe yesterday, that they would like to have more than 50% of their workforce working from home by 2030. So work from home is going to become more of a reality for a lot of companies. I know that it’s not new, and it has been growing for some time. And there were some people that said it’s great and others say it’s not. I believe it is good for those that like it. It’s not good for everybody. Not everybody wants to work from home. I believe those that like to work from home are more productive. They’re just not going to work their traditional hours if it’s possible. They’re not going to work through the traditional hours, the nine to five, the eight hours a day.
They’re going to work, you know... typically I work from roughly seven in the morning to three or four in the afternoon, and then I go back to work around 8:30 at night for a few hours. So that’s, you know, my typical day. I’m still monitoring throughout the day, but that’s typical. And I think that’s true for a lot of work-from-home people. They break their days up around different factors that impact their schedule.
“So the new normal for work will be more remote, spur a home office innovation wave, make edge computing more mainstream, and require more automation, immersive experiences and robotics. Those are just some of the takeaways from my conversation with Dell Technologies CTO John Roese.” This is written by Larry Dignan on ZDNet, and as he says, the conversation revolves around what we’ve learned so far from the great work-from-home experiment and where we’re going next. So “the great work from home experiment,” I’m assuming, is linked to another article; I’m assuming he’s talking about COVID-19, which kind of forced work from home on everybody. Here are the two key takeaways, and there is a video included if you want to go over to ZDNet and watch the video. Of course the link will be in the show notes.
Culture and home environment matters. Not surprisingly, Dell didn’t have a hard time moving more than 100,000 people to work-from-home arrangements. After all, Dell sells Wyse thin clients, laptops and virtual desktop platforms. Roese said when you move everyone, then you start to discover some of the things you didn’t know about. “We clearly understood that people would work from home. So we had the proper equipment, the proper VPN access, the proper network capacity, VDI, all those things. But we started to realize that maybe we didn’t have the right environment at home. Maybe we didn’t have the right culture, and in a sense people were getting overwhelmed by what we would call Zoom fatigue and other new normal scenarios.”
So those are good points. First of all, I want to say VPN access is critical. If you’re going to use remote desktop, it is even more critical. VDIs, which are virtual desktops, are also a good, viable option if sending them home with a laptop is not a good option. If they’re going to use their own device, then VDI is another option. You can lock that down much better than you can lock down a person’s personal laptop. Zoom fatigue is becoming a real problem for some people. I think to some extent I feel it, because I do hop in and out of Zoom meetings probably at least two or three times a day. And then on top of that, I’m getting my kids in and out of Zoom meetings right now because of the school from home. They do make something called... I think they’re called Blue glasses, that are supposed to help with Zoom fatigue. So there’s that. And it’s called Zoom fatigue, but it’s not just Zoom; it’s Teams, it’s Google, it’s Facebook, it’s all of those things. “This idea that part of what we do will be virtual, and part of what we do will be physical. But more importantly, those two worlds are going to intersect; we’re going to run into each other. And so some examples of that are, for instance, in our client businesses. We’ve already seen this: we have material scientists, we have mechanical engineers, we have people that actually have to work on a physical device in a lab somewhere; they can’t do that work from home exclusively. So initially, we set up programs to allow scheduling of lab space and sanitation of labs to develop a lab environment, and to get through that. But as we look forward, what we’re going to see is the environments are either going to become more automated with robotics, so that person can actually do mechanical work from somewhere else, or, more importantly, maybe one person is in the lab, but...
other people now have better visual representations, better immersive technology, so they can be part of that experience.” So, sort of a hybrid model, which we’ve also discussed today. Whether it’s education or healthcare or any other industry, virtual and physical experiences will evolve and meld together; the definition of working from home will change. And I agree with that as well. “Our assumptions about what it meant to work from home were wrong, collectively. We had this idea that work from home was about work-life balance: you were working, or you were doing home stuff. That was what work from home had to deal with. And what we almost immediately discovered was it wasn’t that simple. In fact, there were at least four different contexts that people had to live in or experience sitting at their desk at home at any given time over the course of a day: an immersive work experience, such as a Zoom call or interacting with people; a non-immersive work experience, where you have different deliverables; a personal IT experience, such as answering email and paying bills; and an entertainment experience. The funny thing is, all of that had to happen in the same space. And so we discovered that the monitors weren’t configured properly; it was hard to context switch between them. We didn’t have enough bandwidth. In some cases the devices people had in their houses weren’t powerful enough to do all these tasks and voice.” The home technology experience will have to adapt to our various modes and have the capacity to manage the compute requirements. There is a very large innovation cycle coming to really make the work world at home adaptable to all of these contexts. As we look forward, edge computing will come to the home. As remote work evolves more to include augmented and virtual reality as well as video conferencing and data-intensive applications, IT infrastructure at home will change.
Roese said that edge computing devices may be deployed in homes by enterprises to beef up home infrastructure. “Early on, when we were talking about edge, it was all about smart factories, smart cities and smart hospitals. But there’s another class of edge compute that’s really interesting in this new world,” said Roese, “and that is to augment the compute capacity of the devices that attach to that edge.” AR, VR and applications that need horsepower would use these edge compute devices. And laggards will invest heavily now; digital transformation laggards will invest heavily now. So what does that mean? Basically, we’re going to have some new devices. And they didn’t really talk about security in here, which will also play a big role in this, because typically the home user has a home router, and that’s the extent of their security. They may have, you know, maybe an AVG or an Avast or some other relatively cheap malware protection, things like that. And so that could create a problem. They’re also probably less likely to be security focused at home. So that’s going to create a bit of a struggle for us IT teams around the world. Those are concerns. On the digital transformation: laggards will invest heavily now. We have some companies that learned really quickly that they’re going to have to invest in work from home. They saw that over the last few months, and they saw the struggles, and I saw it across different industries. Personally, we handled, you know, everything from healthcare to law firms to even a municipality. So it is something that should have been addressed a while ago. You know, the ability to work from home has been fairly easy now for probably close to 10 years. And it’s gotten easier over the last few years, especially with the explosion of Zoom and other collaboration platforms, Slack and Teams.
So now that it’s easier than ever, those that didn’t invest in that are going to invest in that, and probably more than ever before.
Alright, so we have a couple of reports to go over. We have one from Verizon: “Verizon data breach report: DDoS skyrockets,” that’s denial of service, “and espionage dips.” So you may or may not be aware, Verizon issues an annual report that is called the Data Breach Investigations Report, DBIR for short. They released it this week. Denial of service attacks have spiked over the past year, while cyber espionage campaigns have spiraled downwards. That’s according to Verizon’s 2020 Data Breach Investigations Report, released Tuesday, so that was Tuesday, May 19. They analyzed 32,002 security incidents and 3,950 data breaches across 16 industry verticals. Notably, this year’s DDoS attacks increased in number by 13,000 incidents and were also seen as a bigger part of cyber criminals’ toolboxes; DDoS attacks made up 40% of security incidents reported, beating out crimeware and web applications. While DDoS attacks use different tactics, they most commonly involve sending junk network traffic to overwhelm and crash network systems. It doesn’t help that cyber criminals have created new and dangerous botnets to launch DDoS attacks, like Kaiji and Mirai variants, over the past few years. “While the amount of this traffic is increasing, as mentioned, in DDoS we don’t just look at the number of attacks that are conducted,” said researchers. “We also look at the bits per second, which tells us the size of the attack, and the packets per second, which tells us the throughput of the attack,” in other words, how much traffic is coming through. “What we find is that regardless of the service used to send the attacks, the packet to bit ratio stays within a relatively tight band, and PPS hasn’t changed that much over time, sitting at 570 megabits per second for the most common mode.”
Cyber espionage attacks, meanwhile, have seen a downward spiral, dropping from making up 13.5% of breaches in 2018 to a mere 3.2% of data breaches in 2019. That may come as a surprise given that espionage campaigns were actually on the rise in 2019, per the Verizon DBIR. In addition, a slew of cyber espionage campaigns, such as ones targeting the WHO, that’s the World Health Organization, several governments in the Asia Pacific region and more, were unearthed over the past year. But researchers say under-reporting, which we talked about earlier (some of the private sector, anyway, might be under-reporting), may be a factor in the dipping statistics. “The drop in raw numbers could be due to either under-reporting or failure to detect these attacks. But the increase in volume of the other patterns is very much responsible for the reduction in percentage,” said researchers. So in other words, if last year you had 100 cyber attacks and 15 of those were cyber espionage and 10 of them were DDoS, then your number of cyber espionage looks bigger than DDoS. But this year there’s 50 DDoS and still 15 cyber espionage; it hasn’t changed, but the percentage goes down. In fact, financially motivated breaches continue to not only be more common than espionage campaigns by a wide margin, making up 86% of all breaches, but are also increasing over the past year, they said. Financially motivated breaches: that really shouldn’t come as a surprise. The dollar amount for ransom demands has continued to rise year over year, month over month, and it’s going to continue to rise because people keep paying. When it comes to data breaches, almost half, 45%, stemmed from actual hacks, while 22% used social attacks, that’s social engineering, and we’ve talked about social engineering extensively. 22% of breaches involved malware, 17% were created by errors, and 8% of breaches stem from misuse by authorized users.
In fact, internal actors were only around 30% of the breaches, with the majority, 70%, actually coming from external actors. While researchers said that incidents stemming from inside actors have grown over the past few years, that’s likely due to increased reporting of internal errors rather than evidence of actual malice from these actors. “External attackers are considerably more common in our data than are internal attackers, and always have been,” said researchers. “This is actually an intuitive finding, as regardless of how many people there may be in a given organization, there are always more people outside it. Nevertheless, it is a widely held opinion that insiders are the biggest threat to an organization’s security, but one that we believe to be erroneous.” Malware has been on a consistent and steady decline as a percentage of breaches over the last five years, researchers said, due in part to the increasing level of access by cyber criminals to credentials. So in other words, it’s easier to get credentials, so why bother with malware? “We think that the other attack types, such as hacking and social breaches, benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence,” said researchers. Now, some attackers do both: they steal the credentials, steal the data, and add malware because they may want to come back later. Accordingly, the top malware variety in data breaches was password dumpers, which are used to collect credentials, followed by capture app data and ransomware. Ransomware attacks continued to grow over the past year and have created high-profile headaches for companies such as Norsk Hydro; ransomware is the third most common malware breach variety and the second most common malware incident variety. Part of this continued growth can be explained by the ease with which attackers can kick off a ransomware attack.
Researchers stress that in 7% of the ransomware threads found in criminal forums and marketplaces, “service” was mentioned, suggesting that attackers don’t even need to be able to do the work themselves, said researchers. “They can simply rent a service, kick back, watch cat videos and wait for the loot to roll in.” So in other words, I could pay someone to run a ransomware attack for me and not have to worry about all the technical details. The Verizon DBIR also broke down data breaches by vertical to show that cyber criminals are drastically changing how they are targeting industries. For instance, point-of-sale related attacks once dominated breaches in the accommodation and food services industry; however, they have been replaced by malware attacks and web application attacks. “Instead, responsibility is spread relatively evenly among several different action types such as malware, error, and hacking via stolen credentials,” said researchers. “Financially motivated attackers continue to target this industry for the payment card data it holds.” The educational services industry saw phishing attacks trigger 28% of breaches, and 23% of breaches stem from hacking via stolen credentials. Ransomware is a top threat for the education space, with ransomware accounting for approximately 80% of malware infections in the incident data. Ransomware attacks triggered by financial motivations also plagued the healthcare industry. Other top security issues leading to breaches include lost and stolen assets and basic human error. However, privileged misuse, which has topped data breach causes for healthcare in the past, for the first time this year wasn’t an issue in the top three. In the 2019 report, privileged misuse was at 23% of attacks, while in 2020 it has dropped to just 8.7%. So that’s good news in healthcare. I will say this: the sectors, the verticals, that saw the most activity: education, finance, healthcare, information, manufacturing, professional, public.
Well, those aren’t really verticals, but yeah. I think that’s it. So those are the... let’s do that again. So there’s healthcare, information, finance, education, manufacturing. Those are the verticals that seem to have the most activity.
All right. And then we also have the April 2020 healthcare data breach report. There were 37 incidents, healthcare data breaches of 500 or more records, again pretty much on pace for the last six months. You know, going all the way back: November was 36, December 41, January 33, February 39, March 36 and April 37. So that is pretty much on par with what it’s been. What is down is the number of healthcare records that were breached: for April, 442,943, so just shy of 443,000, versus March, which was 129,000, and February, which was 1.5 million. So we’re back to January levels, which was 463,000 roughly. So that is good news. The 10 largest breaches: most of them were relatively small compared to previous months. All were healthcare providers with the exception of Beacon Health Options Inc, which was number 10 on the list; that was a business associate that had 6,723, and that was loss, other portable electronic device, which means those were not encrypted. And I’m not sure, I’d have to double check, but I believe that was the one in Texas where hard drives went missing. So the top nine: Beaumont Health, 112,000, email; Meridian Health Services Corp, 111,000, email; Arizona Endocrinology Center, 74,000, electronic medical record; Advocate Aurora Health, 27,000, email and network server; Doctors Community Medical Center, 18,000, email; Andrews Braces, 16,000, network server. Andrews Braces, by the way, so that is a dental provider.
A dental provider: 16,622 individuals were impacted and it was a network server. UPMC Altoona Regional Health Services, almost 14,000, email; Colorado Department of Human Services Office of Behavioral Health, 8,000, network server; and Agility Center Orthopedics, 7,000, email. Causes of April 2020 healthcare data breaches: hacking/IT incident, 18; unauthorized access/disclosure, 16; theft, 2; loss, 1. So those bottom two, theft 2 and loss 1, not a lot. And by the way, those are mitigated by encrypting your devices. So if you had encrypted those devices, then those three aren’t even reported. Location of the breached PHI, PHI again being protected health information: other, 2; other portable electronic devices, 3; paper and film, 8. The fact that eight of the breaches for April were still paper and film is, I don’t know, it just seems a little crazy to me. Email, 18, 44% of all breaches for April. Again, email. This just tells me yet again we’re still not taking the precautions to make sure that PHI is not in email, and that we’re not locking down those email accounts and we’re not training our employees on phishing. Network server, 5; laptop, 3; electronic medical records, 2. Now, laptops, 3, and other portable electronic devices, also 3, so that’s six. Six of those are mitigated with encryption. Electronic medical records, if you have multi-factor authentication turned on, maybe that doesn’t happen. So that’s eight right there eliminated. And then finally, data breaches by covered entity type: so you have three that were business associates, four health plans, and 30 of them were healthcare providers. So healthcare providers appear to be dropping the ball in April. It’s going to be different. Um, you know, we’ve only had one financial penalty imposed so far this year, and I believe that was in January. So COVID-19 has definitely taken away from the enforcement activity for the year so far.
Now that we’re starting to reopen, perhaps we’ll see more enforcement. I don’t know what will happen yet. But remember, one of those breaches was in Connecticut. We are based in Connecticut. One of those breaches did occur in Connecticut in April; I think it was April that it happened. So that’s it for the HIPAA data breach report for April.
We’re going to move on to our HIPAA education. All right, we’re going to continue on with our 405(d) Task Force best practices, cybersecurity practices for small healthcare organizations, this being the task force that is trying to improve the cybersecurity posture for healthcare organizations around the world, and we are on practice number six, network management. So computers communicate with other computers through networks. These networks are connected wirelessly or via wired connections like network cables, and networks must be established before systems can interoperate. Networks that are established in an insecure manner increase an organization’s exposure to cyber attack. Proper cybersecurity hygiene ensures that networks are secure and that all network devices access networks safely and securely. Even if network management is provided by a third-party IT support vendor, the organization must understand key aspects of proper network management and ensure that they are included in contracts for these services. Well, so these are smaller healthcare practices, so that would mean that more than likely they do have an outside IT vendor, a third-party IT vendor. This is probably going to change now with the work-from-home push that we’re going to see in the coming months and years because of COVID-19. The first part of this is network segmentation. And remember, this is all based on the NIST Cybersecurity Framework, right? So we get the information from the NIST Cybersecurity Framework.
The first part is network segmentation: configure networks to restrict access between devices to that which is required to successfully complete the work. This will limit any cyber attacks from spreading across the network. So what does that mean? If you have a piece of medical equipment, and this happens a lot now, we have medical equipment out there that’s running outdated versions of Windows, or whatever operating system they may have, so a lot of Windows 7 still exists; I think there’s even some Windows XP out there still. And these are a lot more susceptible than Windows 10 right now. Those devices should be segmented from your office staff network; they should not be on the same network. It is called network segmentation, meaning they may be connected to the same devices but they cannot communicate with each other, is what it means. Disallow all Internet-bound access into your organization’s network. If you host servers that interface with the Internet, consider using a third-party vendor who will provide security as part of the hosting service. Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and Internet of Things items like security cameras, badge readers, temperature sensors, and you’re going to see more of those, building management systems. And by temperature sensors they mean building temperature sensors, but also you’re going to see temperature sensors now for people. Just as you might restrict physical access to different parts of the medical building, which is a medical office. That’s a good point. So you’re going to lock up offices, I hope you lock up offices, that might have files and maybe computers and so forth that people shouldn’t have access to. Although I gotta tell you, I don’t see that a lot of the time.
It’s important to restrict access of third-party entities, including vendors, to separate networks; allow them to connect only through tightly controlled interfaces. This limits the exposure to, and impact of, cyberattacks on both the organization and the third-party entity. Establish and enforce network traffic restrictions. These restrictions may apply to applications and websites as well as to users in the form of role-based controls. Restricting access to personal websites, e.g. social media, couponing, online shopping, limits exposure to browser add-ons or extensions, in turn reducing the risk of cyber attacks. So you can also include some DNS filtering that will block out different types of traffic that you don’t want on your network. So in other words, if you want to block social media sites, you can block those; if you want to block adult-oriented websites, you can block those, which you should block. Then you have physical security and guest access. Just as network services need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow Internet access only. Always keep network closets locked, of course. Grant access using badges rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of unauthorized users plugging in to an empty port in an attempt to access your network. This used to happen a lot. I don’t think it happens as much anymore, but people used to just walk in with a laptop with an ethernet cable, plug into the network and do what they have to do.
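The segmentation guidance above (allow only what the work requires, disallow Internet-bound access into the network, isolate medical and IoT devices, give vendors tightly controlled interfaces) can be written down as an explicit allow-list and checked before it is ever loaded onto a firewall. The script below is an added illustration, not code from the podcast or the 405(d) document; the segment names, subnets, ports and the guest Wi-Fi segment are constructed for the example. It decides a connection the way a default-deny inter-VLAN firewall would, audits a rule set against the goals stated in the text, and renders the same allow-list as an nftables forward chain with a drop policy.

```python
"""Network segmentation policy as code: an illustrative allow-list model.

Added example, not from the 405(d) document or the podcast. Segment
names, subnets and ports are constructed. The policy is an explicit
allow-list of (source segment, destination segment, protocol, port);
anything not listed is denied, which is the "restrict access to that
which is required" rule from practice 6.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed VLAN subnets for a small practice (constructed, not from the page).
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "office":  ipaddress.ip_network("10.10.0.0/24"),  # staff workstations
    "medical": ipaddress.ip_network("10.20.0.0/24"),  # imaging / legacy Windows 7 devices
    "iot":     ipaddress.ip_network("10.30.0.0/24"),  # cameras, badge readers, sensors
    "guest":   ipaddress.ip_network("10.40.0.0/24"),  # waiting-room Wi-Fi
    "vendor":  ipaddress.ip_network("10.50.0.0/24"),  # third-party support VPN landing
}


@dataclass(frozen=True)
class Rule:
    src: str             # source segment name, or "internet"
    dst: str             # destination segment name, or "internet"
    proto: str           # "tcp" or "udp"
    port: Optional[int]  # None means any port (deliberately broad; audited below)


# Explicit allow-list. Everything not matched here is dropped.
POLICY: List[Rule] = [
    Rule("office", "internet", "tcp", 443),
    Rule("office", "internet", "tcp", 80),
    Rule("office", "medical", "tcp", 104),   # DICOM from workstations to modalities
    Rule("office", "iot", "tcp", 443),       # admin UI of cameras / badge controller
    Rule("guest", "internet", "tcp", 443),
    Rule("guest", "internet", "tcp", 80),
    Rule("vendor", "medical", "tcp", 3389),  # vendor RDP only into the device segment
]


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the LAN is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Decide a new connection the way a default-deny inter-VLAN firewall would."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True  # same VLAN: switched locally, never reaches the firewall
    return any(
        r.src == src and r.dst == dst and r.proto == proto
        and (r.port is None or r.port == port)
        for r in POLICY
    )


def audit(policy: List[Rule]) -> List[str]:
    """Flag rules that contradict the segmentation goals in practice 6."""
    findings = []
    for r in policy:
        if r.src == "internet":
            findings.append(f"{r.src}->{r.dst}: Internet-bound access into the network should be disallowed")
        if r.src == "guest" and r.dst != "internet":
            findings.append(f"{r.src}->{r.dst}: guests should reach authorized guest services only")
        if r.src in ("medical", "iot") and r.dst == "internet":
            findings.append(f"{r.src}->{r.dst}: high-impact assets should not initiate Internet traffic")
        if r.src == "vendor" and r.port is None:
            findings.append(f"{r.src}->{r.dst}: vendor access must use a tightly controlled interface, not any port")
    return findings


def to_nftables(policy: List[Rule]) -> str:
    """Render the allow-list as an nftables forward chain with a drop policy."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        saddr = SEGMENTS[r.src] if r.src in SEGMENTS else "0.0.0.0/0"
        daddr = SEGMENTS[r.dst] if r.dst in SEGMENTS else "0.0.0.0/0"
        match = f" {r.proto} dport {r.port}" if r.port is not None else f" meta l4proto {r.proto}"
        lines.append(f"    ip saddr {saddr} ip daddr {daddr}{match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables(POLICY))
    for finding in audit(POLICY + [Rule("guest", "office", "tcp", 445)]):
        print("FINDING:", finding)
```

The point of `audit` is that a rule which looks harmless in isolation (guest to office on one port, vendor to anything on any port) is exactly the kind of exception that erodes segmentation over time; running the check on every change keeps the policy honest. The `established,related` line is what lets replies flow back without opening the reverse direction, so the legacy imaging host still cannot initiate a connection into the office segment.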
In conference rooms or waiting areas, establish guest networks that are separate from organizational data and systems. The separation will limit accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only. I would take that a step further and say you should have separate networking devices for those networks. So the trend now is to have one device that has separate networks, so you have your internal network and your guest network. Well, the risk that exists is that that guest network can be used to access the internal network. While it’s minimal, it is higher than if you had two separate devices, maybe even two separate networks. You know, if you have a separate internet connection coming into your practice for the guests, that would mitigate any chance of being able to access your internal network. And intrusion prevention. So implement intrusion prevention systems as part of your network protection plan to provide ongoing protection for your organization’s network. Most modern firewall technologies that are used to segment your network include an intrusion prevention system component. Implementing IPS and configuring them to update automatically reduces the organization’s vulnerability to known types of cyber attacks. IPS are available as part of a suite of next-generation network applications or as standalone products that can be added to existing networks. So you may have heard of intrusion prevention systems. What they do is they watch for traffic on your network that wasn’t there before, maybe; you know, there’s different ways of doing it. But typically they watch for traffic that wasn’t there before, and if they see it, they block it. That’s kind of layman’s terms.
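The layman’s description of an IPS above, watching for traffic that wasn’t there before, is anomaly-based detection. Most IPS engines are primarily signature-based, which is why the text’s advice to let them update automatically matters: the updates are the signatures. The script below is an added illustration, not code from the podcast or the 405(d) document, of the baseline-deviation half on constructed NetFlow-style records (all addresses and flows are made up for the example). It learns which (source, destination, port) tuples are normal, flags new ones, ranks a source that suddenly reaches many new hosts, and shows the blind spot that signature inspection is meant to cover.

```python
"""New-flow (baseline deviation) detection over constructed flow records.

Added illustration, not from the podcast or the 405(d) document. All
addresses and flows are constructed for the example.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)

# Constructed "known good" week: staff workstations talking to the file
# server, the web, and the imaging device. Repeated to stand in for volume.
BASELINE: List[Flow] = [
    ("10.10.0.5", "10.20.0.9", 104),        # DICOM to modality
    ("10.10.0.5", "10.10.0.2", 445),        # file server
    ("10.10.0.5", "93.184.216.34", 443),
    ("10.10.0.6", "10.10.0.2", 445),
    ("10.10.0.6", "93.184.216.34", 443),
] * 40 + [("10.10.0.6", "10.20.0.9", 104)]  # seen once: below the trust threshold

# Constructed observation window: normal traffic plus the legacy imaging
# host suddenly initiating connections into the office segment.
WINDOW: List[Flow] = [
    ("10.10.0.5", "10.20.0.9", 104),
    ("10.10.0.6", "10.10.0.2", 445),
    ("10.10.0.6", "10.20.0.9", 104),
    ("10.20.0.9", "10.10.0.2", 445),
    ("10.20.0.9", "10.10.0.5", 3389),
    ("10.20.0.9", "10.10.0.6", 3389),
    ("10.20.0.9", "10.10.0.7", 3389),
]


def build_baseline(flows: List[Flow]) -> Counter:
    """Count how often each (src, dst, port) tuple appeared during baselining."""
    return Counter(flows)


def new_flows(baseline: Counter, window: List[Flow], min_seen: int = 3) -> List[Flow]:
    """Flows in `window` seen fewer than `min_seen` times during baselining.

    The threshold keeps a one-off from the baseline week from being
    'trusted' forever; duplicates in the window are reported once.
    """
    reported = set()
    out = []
    for f in window:
        if baseline.get(f, 0) < min_seen and f not in reported:
            reported.add(f)
            out.append(f)
    return out


def fan_out_sources(alerts: List[Flow], threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` distinct new destinations.

    One new flow is often a new printer; many from one host in a short
    window looks like lateral movement and deserves a block, not a log line.
    """
    dests = defaultdict(set)
    for src, dst, _ in alerts:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def blind_spot(baseline: Counter, flow: Flow, min_seen: int = 3) -> bool:
    """True when a flow would pass unnoticed by baseline checking alone.

    A malicious payload inside a baseline-approved flow (say, SMB to the
    file server from a workstation that always talks to it) is exactly
    what signature and content inspection exist to catch.
    """
    return baseline.get(flow, 0) >= min_seen


if __name__ == "__main__":
    base = build_baseline(BASELINE)
    alerts = new_flows(base, WINDOW)
    for a in alerts:
        print("NEW FLOW:", a)
    print("fan-out sources:", fan_out_sources(alerts))
    print("SMB from 10.10.0.5 to the file server is invisible to this check:",
          blind_spot(base, ("10.10.0.5", "10.10.0.2", 445)))
```

On the constructed data, the imaging host shows up with four new destinations in one window, which is the pattern worth blocking; the one-off DICOM flow from the second workstation is flagged too, which is the usual cost of anomaly detection and why the baseline and threshold need tuning per site.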
Threats that are mitigated by this practice include ransomware attacks, loss or theft of equipment or data, insider accidental or intentional loss of data, and attacks against medical devices that may affect patient safety. So we just talked a few minutes ago about the April 2020 healthcare data breach report, and some of that included theft or lost devices. Those threats would be mitigated by instituting these practices.
Alright, it is time for the HIPAA breach report for the week. I don’t recall if we shared last Friday’s on last Friday’s podcast, so I’m going to share it today, and if it’s redundant, it’s redundant. But we do have a few from last Friday, and then we have a few more that reported a couple of days ago. Management and Network Services LLC, a Dublin, Ohio based provider of administrative support services to post-acute healthcare providers, has discovered the email accounts of some of its employees have been compromised. You might be wondering why I’m stressing the word “some.” In a May 4, 2020 breach notification letter, MNS explained that it learned on or around August 21, 2019 that several employee email accounts had been subjected to unauthorized access between April and July of 2018. The analysis of the email accounts recently revealed five accounts contained protected health information of patients of its clients. So that’s five accounts; that’s a lot of accounts that are compromised. The information in emails and email attachments varied from individual to individual, and may have included the following data elements: name, medical treatment information, diagnosis information, codes, medication information, dates of service, insurance provider, health insurance number, date of birth and Social Security number. A limited number of individuals also had their driver’s license number, state ID card number and/or financial account information exposed.
MNS is taking steps to improve email security, such as enhancing password policies across the entire organization and implementing multi-factor authentication for employee email accounts. So that’s a little too little, too late: they did not have these things in place, they were not educating their employees, and they did not adhere to the 60-day breach notification rule. A lot of failures on the part of this breach. Santa Rosa and Rohnert Park Oral Surgery in Portland, Oregon has discovered the email account of one of its employees was accessed by an unauthorized individual. The breach was detected on March 11, 2021, when suspicious activity was detected in the email account. The forensic investigation revealed the email account was breached on December 20, 2019, and access remained possible until March 11, 2020. So that’s almost three months of access. When the account was secured, the compromised account was found to contain a large, sorry, a range of protected health information that may have been viewed or acquired by the attacker. So they don’t list how many people were impacted by this. It does say affected individuals have been offered complimentary membership to MyIDCare credit monitoring and identity theft protection services from ID Experts. Santa Rosa and Rohnert Park Oral Surgery is reviewing and enhancing its policies and procedures and will take further steps to improve information security. Oral surgery, dentists. PHI of 3,683 Ashtabula County Medical Center patients exposed online: Ashtabula County Medical Center, an affiliate of Cleveland Clinic, is notifying 3,683 patients that some of their protected health information has been exposed online.
On or around January 6, ACMC posted an Excel spreadsheet on a website to comply with government requirements about medical cost disclosures. On March 12, 2020, ACMC learned that a limited amount of protected health information had been accidentally included in the spreadsheet. The exposed information was limited to patients’ names, diagnoses and health and treatment histories. No Social Security numbers or financial data were exposed. Out of an abundance of caution, affected individuals have been offered a 12-month complimentary membership to identity theft recovery services through ID Experts. Kind of a failure. There should be checks and balances here; that should not have happened. And I’m not sure why a government requirement would mean they share... I don’t know what government requirement that is. That just seems a little weird to me. Orchard Medical Consulting, a provider of nurse case management services for workers’ compensation claims, has announced that an unauthorized individual gained access to the email account of one of its employees and potentially accessed protected health information stored in the account. The attack was detected on January 3, 2020, and immediate action was taken to secure the account. The investigation revealed the account contained names, dates of birth and, for a very small number of individuals, Social Security numbers and medical information such as diagnosis, treatment plan and/or health history. No evidence of data access, data theft or misuse of PHI has been discovered. Affected individuals have been offered complimentary membership to TransUnion Interactive’s MyTrueIdentity credit monitoring service out of an abundance of caution. To prevent further breaches, email security has been strengthened, policies and procedures updated, and multi-factor authentication has been implemented, yet again. And earlier this week, we have three more breaches.
Onamia, Minnesota-based Mille Lacs Health System has experienced a phishing attack that potentially resulted in the exposure of more than 10,000 patients' protected health information. Phishing emails were sent to some of its employees containing links that directed them to a website that requested their email credentials. A small number of employees were fooled by the scam. So here we go again: no education, no two-factor authentication. Mille Lacs Health System learned about the phishing attack on November 14, 2019, and launched an investigation to determine the extent of the breach. On February 24, it was confirmed that stolen email credentials were used by the attacker to access email accounts between August 26 and January 7. The review of the compromised email accounts was completed on April 22 and confirmed that patient information may have been accessed. So they had access for roughly four and a half months, which is a long time to have access to email. So, you know, "patient information may have been accessed"; it was accessed. Information potentially compromised includes first and last names, addresses, dates of birth, provider names, dates of service, clinical information, treatment information, procedure types, and, for certain individuals, Social Security numbers. No evidence was found to suggest patient information was obtained or misused by the attackers. All accounts have been secured, a full password reset was performed for all email accounts, and additional measures have been implemented to strengthen email security. Affected individuals were notified about the breach by mail on May 11, 2020, and have been offered complimentary credit monitoring services. So according to the breach portal, there are 10,630 patients affected by this. Again, big-time failures: multiple email accounts means there's no multi-factor authentication, there's no training, there's no education, and it did not adhere to the 60-day breach notification rule.
Northshore Pain Management in Massachusetts has experienced a Maze ransomware attack, and the data of some of its patients was stolen, as will be the case for ransomware. So this is technically a data breach. The incident has not yet appeared on the HHS Office for Civil Rights breach portal and, at the time of writing, there's no substitute breach notice on the company's website. The breach was covered by DataBreaches.net, which reports that approximately four gigs of data relating to the company has been published on the Tor site used by the attackers. More than 4,000 files containing patient and employee information have been dumped online. The files contain a range of sensitive protected health information, including Social Security numbers, health information, and insurance information.

The Detroit-based occupational therapy, speech therapy, and family therapy provider Side Genex, Inc. has discovered one of its employees forwarded a spreadsheet containing customer information to a personal email account. The breach was detected on May 25, 2020, as part of a regular security review; the email was sent on March 24, 2020. So one day after he sent the email, they discovered the breach. The spreadsheet did contain information such as customers' names, diagnosis codes, provider names, and appointment times. No other information, such as treatment notes, was detailed in the spreadsheet. No reason was given as to why the employee sent the spreadsheet to their personal email account. Side Genex says it found no evidence of attempted or actual misuse of client information. So I could tell you what probably happened here: the employee, wanting to do some work from home, emailed the spreadsheet to his personal email account to do that work. Now, is it his fault for doing that? Maybe. Maybe there were no procedures in place. We don't know.
Maybe Side Genex should take a look at potentially making a way to work from home. You know, this was during COVID-19, so it's possible that this person just wanted to work from home and avoid trying to get sick, and this is the outcome. So that's gonna do it for the breach roundup for this week, and that is going to do it for this episode of the ProactiveIT Podcast. Until next week, stay healthy, stay safe, and stay secure.
Transcribed by https://otter.ai