This week, we look at how Kaspersky hacked a hospital to find its security flaws, the rise in apps leaking credit card data on enterprise mobile devices, and more.
How I hacked a hospital: Kaspersky finds security weaknesses in health IT
A Kaspersky Lab Global Research & Analysis Team (GReAT) expert has conducted real field research at a private clinic in an attempt to explore its security weaknesses and how to address them.
Vulnerabilities were found in medical devices that opened a door for cybercriminals to access the personal data of patients, as well as their physical well-being.
The first thing that the Kaspersky Lab expert decided to explore, while conducting this research, was how many medical devices around the globe are now connected to the Internet. Modern medical devices are fully-functional computers with an operating system and most of these have a communication channel to the Internet. By hacking them, criminals could interfere with their functionality.
A quick look over the Shodan search engine for Internet-connected devices showed hundreds of devices – from MRI scanners, to cardiology equipment, radioactive medical equipment and other related devices. This discovery leads to worrisome conclusions, as some of these devices still run on old operating systems such as Windows XP which have unpatched vulnerabilities, and some even use default passwords that can be easily found in public manuals.
“Clinics are no longer only doctors and medical equipment, but IT services too. The work of a clinic’s internal security services affects the safety of patient data and the functionality of its devices. Medical software and equipment engineers put a lot of effort into creating a useful medical device that will save and protect human life, but they sometimes completely forget about protecting it from unauthorised external access,” said Sergey Lozhkin, senior researcher at Kaspersky Lab’s GReAT.
“When it comes to new technologies, safety issues should be addressed at the first stage of the research and development (R&D) process. IT security companies could help at this stage to address safety issues.”
17% rise in apps leaking credit card data on enterprise mobile devices
Wandera's latest quarterly Mobile Data Report reveals a continued rise in apps and mobile websites leaking credit card data, with several new cases from prominent brands, including the Hong Kong metro system.
Wandera has discovered a 17 per cent increase (Q1 2016 vs Q4 2015) in apps and mobile websites leaking credit card data since announcing the discovery of the CardCrypt security flaw in December 2015.
CardCrypt affected 16 global companies’ mobile websites and apps, which were shown to be transmitting users’ credit card details, and in some cases passport information, unencrypted and ‘in the clear’.
Among the key findings of the report is the unusual and accelerated growth in malicious domains visited by users in Q1 2016. A massive 200 per cent increase per month through the quarter was attributed to a concerning rise in ad frameworks used within apps and websites that are directing users to domains with a history of malicious activity.
The report revealed that while improved education seems to be helping users avoid visiting malicious websites through typical routes (phishing attacks or unwise browser use), users are nonetheless increasingly being exposed to malware through compromised adverts in the apps they are using.
3 tips to protect your organisation from becoming the next victim of a well-publicised attack
Isaac George, SVP and UK Regional Head at Happiest Minds has revealed what businesses can learn from the most recent and devastating cyber-attacks in the sector.
Here are his top three recommendations outlining what organisations need to do in order to protect themselves from becoming the next victim of a very well publicised attack.
1. Employee awareness and training
Even today, with all the publicity around attacks, email security and secure policies and practices are lacking. It may seem blatantly obvious, but organisations need to make sure that all employees, specifically those with access to sensitive information, go through proper training on secure practices. This training should be just as important a part of the organisation’s cyber security policies as the technology and solutions the company is using to protect itself.
2. Security checks and password power
Another major access point for attackers is weak security practices, such as weak passwords or flawed verification and authentication processes. When it comes to weak passwords, I can only reiterate what the whole security community has always said, that is to ensure you have a long password using a combination of alpha-numeric and special characters, and to change this regularly. The importance of this practice needs to be made very clear to those handling sensitive data. As for flawed security processes, it is essential that all protocols are checked thoroughly and regularly.
3. Third parties can compromise security
A vulnerability that your organisation cannot directly control, but nonetheless must attempt to defend against, is access to your company through an external or third-party individual – such as a PoC with access to your organisation’s website. It is imperative that absolutely anyone with access to any part of your organisation’s secure data be thoroughly aware of necessary security practices. This is one of the most overlooked yet most difficult threats for companies to protect themselves against, with data boundaries today extending to home networks, personal and mobile devices, third parties and various other points of exposure.
UK firms need to drastically update cyber security awareness
The ‘one-dimensional’ and ‘outdated’ cyber security awareness learning provided by most UK organisations is not fit for purpose and is limiting employees’ ability to understand what good cyber behaviours look like, according to research from AXELOS.
The approach also does little to create, embed and sustain the behaviour change required in organisations to respond better to cyber attacks, said the firm.
While 82 per cent of organisations are using traditional, computer-based training and e-learning, less than a third are deploying some of the latest learning techniques that offer more immersive and engaging learning for staff.
Nick Wilding, head of cyber resilience best practice at AXELOS, said: ‘Organisations are still trusting in their annual, cyber awareness e-learning. To expect this approach to influence resilient behaviours is unrealistic. Typically, this one-off course – required once, designed once, delivered once and completed once – is also forgotten at once.’
Barracuda expands into UK channel with MSP Solutions
Barracuda Networks has expanded its reach and resources into the UK partner channel, with the launch of its Intronis MSP Solutions in the UK.
The solutions include innovative backup and data protection for managed service providers (MSPs), as well as the recently announced Barracuda Backup – Intronis MSP Edition. The launch builds upon the success of the Intronis ECHOplatform in North America, where more than 2,000 MSP partners use the award-winning platform to service thousands of small and medium-sized businesses.
CrowdStrike offers cyber risk assessment program targeted at M&A process
CrowdStrike is offering a new cyber risk assessment program aimed at businesses that conduct mergers and acquisitions (M&A).
The CrowdStrike Services’ “M&A Cyber Risk Assessment” program allows organisations to quantify risk in an area not traditionally considered in the M&A process – cyber risk. This program provides risk management, specifically geared to identifying and minimising exposure to cybersecurity threats before and during the company integration process.
Hospital image via Shutterstock