NHS Digital is set to start expanding the range of cybersecurity services available to UK hospitals and clinics.
CareCERT (Care Computer Emergency Response Team) launched in November 2015, offering a national service that helps health and care organisations to improve their cybersecurity defences by providing proactive advice and guidance about the latest threats and security best practices.
A service that initially focused on pushing out alerts about threats will be expanded to include three new services, each of which begins testing this month:
• CareCERT Knowledge – a new e-learning portal to help all health and care organisations train their staff in cybersecurity basics.
• CareCERT Assure – a service to help organisations assess their local cybersecurity measures against industry standards, including recommendations on how to reduce vulnerabilities.
• CareCERT React – advice on reducing the impact of a data security incident.
Public health and innovation minister Nicola Blackwood announced the expansion at the Health and Care Innovation Expo on Thursday. The rollouts come at a time of increasing security threats to UK hospitals and clinics, particularly from file-encrypting ransomware.
Almost half (47 per cent) of NHS trusts have been subject to a ransomware attack in the past year, according to figures from a freedom of information (FOI) request published last month. NCC Group’s FOI is based on requests to 60 trusts, 28 of which confirmed they had been victims of ransomware.
Independent infosec consultant Brian Honan, the founder and head of Ireland’s CERT, told El Reg that the increase in security services ought to be considered as a move to drive security improvements in UK hospitals in general, rather than a specific response to the ransomware threat.
“I do not see this as a reaction to ransomware as a recent FOI request submitted by Channel 4 showed that out of 152 NHS Trusts 39 were affected by ransomware,” Honan explained. “However, with the rising number of threats against computer systems this is a welcome and prudent move to enhance the security of the data, computers, systems, and networks the NHS increasingly relies on to provide its services.”
Posts Tagged ‘ShazzleMail’
Start saving now. The global cost of cybercrime could reach $6 trillion by 2021, according to a Cybersecurity Ventures report.
A report out by Cybersecurity Ventures predicts global annual cybercrime costs will grow to $6 trillion by 2021.
While a $6 trillion estimate might be a little high, “a trillion dollars plus is a real possibility,” says Larry Ponemon, chairman and founder of the Ponemon Institute. Though this isn’t a number he saw coming down the pipeline. “If you asked me five or six years ago, I’d fall over,” he says.
The predicted cybercrime cost takes into account all damages associated with cybercrime including: damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. It does not include the cost incurred for unreported crimes.
Other research has shown that the cost of cybercrime increases the longer it takes to detect it, if it’s detected at all. According to the Ponemon Cost of Data Breach report, the longer it takes to find and resolve a breach, the more costly it will be for an organization. Breaches identified in fewer than 100 days cost companies an average of about $1 million less than those that take more than 100 days to be discovered, according to Ponemon. And in the 2016 Dark Reading Security Salary Survey, 9% of IT and infosec pros don’t even know if they’ve been breached. A study by The Office of National Statistics for England and Wales found that most cybercrimes go unreported.
The Cybersecurity Ventures report, which is a compilation of cybercrime statistics from the last year, also predicts that the world’s cyberattack surface will grow an order of magnitude larger between now and 2021.
Chances are you know you’re being tracked online. Most of us are at the point where we’re not surprised when an ad for something we searched for on one site appears on the next site we visit. We know that many pages (yes, this one you’re reading, too) drop cookies and other scripts into our browser to keep tabs on our activity and sell us stuff.
A new survey from a group of Princeton researchers of one million websites sheds some light on the cutting-edge tricks being used to follow your digital trail. Rather than placing a tracker on your browser, many sites are now “fingerprinting” — using information about your computer such as battery status or browser window size to identify your presence.
Arvind Narayanan, one of the authors of the Princeton study, discusses his research, the latest in online tracking and what you (and our lawmakers) can do to counter the trackers.
Read a partial transcript below. Here are a few of the tools and studies we mentioned in the show:
• Arvind Narayanan and Steven Englehardt’s full paper (PDF)
• Ghostery, an online tool that alerts you to the trackers on the website you’re visiting
• Panopticlick from the Electronic Frontier Foundation, which analyzes how well your browser is protected from tracking
How fingerprinting works
Arvind Narayanan: In the ad tech industry, cookies are gradually being shunted in favor of fingerprinting. The reason that fingerprinting is so effective is that even if you have a device that you think is identical to the device of the person sitting next to you, there are going to be a number of differences in the behavior of your browser. The set of fonts installed on your browser could be different. The precise version number of the browser could be different. Your battery status could be different from that of the person next to you, or anybody else in the world. And it turns out that if you put all of these pieces of information together, a unique or nearly unique picture of the behavior of your device emerges that’s going to be relatively stable over time. And that enables your companies to recognize you when you come back.
Jody Avirgan: But how does it enable that? My actual finger’s fingerprint doesn’t change from today to tomorrow. But my computer’s battery status can change. So how do they know it’s still you?
Narayanan: The battery status is actually the only exception to that general principle. And that’s the reason why we’re still figuring out how that works. [Editor’s note: Earlier in the interview, Narayanan had mentioned that the rate at which your battery depletes might be an identifier.] But let’s say you’ve got 41 fonts installed on your browser today. You come back in a week, maybe you have 43 fonts installed. But 41 of those are going to be the same as what they saw a week ago. And it changes slowly enough that statistically you can have a high degree of confidence. In the industry they call these things statistical IDs. It’s not as certain as putting a cookie on your browser, but you can derive a very high degree of confidence.
Tracking’s chilling effect
Narayanan: The reason that this is really important, and perhaps the primary thing that motivates me to do this research, is this world of pervasive surveillance that we’re entering into — and I’m going to use that word surveillance very deliberately, because it is surveillance. Everything that we look at online and click on is getting stored in a database somewhere. And it’s being data-mined and various [decisions] are being based on that. Targeted advertising is a relatively innocuous example, but there are a variety of other things that can and do happen.
There is research that shows that when people know they are being tracked and surveilled, they change their behavior. We lose our intellectual freedom. A variety of things we consider important for our civil liberties — say, marriage equality — are things that would have been stigmatized just a few decades ago. And the reason we got to the point where it was possible to talk about it and try to change our norms and rules is because people had the freedom to talk to each other privately. To find out that there are like-minded people. As we move to a digital world, are we losing those abilities or freedoms? That is the thing to me that is the question. That’s the most worrisome thing about online tracking. It’s not so much the advertising.
One cybersecurity firm estimates that extortive attacks now cost small and medium companies at least $75 billion in expenses and lost productivity each year.
In recent months, a proliferation of ransomware attacks has affected everyone from personal-computer and smart-phone owners to hospitals and police departments. An attack works like this: A virus arrives and encrypts a company’s data; then a message appears demanding a fee of hundreds or thousands of dollars. If the ransom is paid in time, the information is restored. At the heart of this new business model for cybercrime is the fact that individuals and businesses, not retailers and banks, are the ones footing the bill for data breaches.
According to an FBI tally, ransomware attacks cost their victims a total of $209 million in the first three months of 2016, a stunning surge upward from $24 million in all of 2015. However, that figure was based only on the complaints that victims reported to the bureau. In a new report, Datto, a Connecticut-based cybersecurity company, offers an alarmingly higher estimate that accounts for unreported incidents and lost productivity, which costs businesses far more than paying ransoms does.
The company’s survey of 1,100 IT professionals found that nearly 92 percent had clients that suffered ransomware attacks in the last year, including 40 percent whose clients had sustained at least six attacks. The report found that “less than 1 in 4 ransomware incidents are reported to the authorities.” Factoring in the cost and average amount of time lost to infections—an overwhelming majority of small businesses hit by ransomware face at least two days of downtime—as well as the number of businesses affected by them, Datto suggests that the financial impact of this brand of cybercrime starts in the range of $75 billion each year.
The company arrived at this figure based on an estimate from the Aberdeen Group, a consultancy, that inactivity costs small companies an average of $8,581 per hour. By comparison, Datto’s survey indicated that about three-quarters of the IT professionals said the ransoms paid were somewhere between $100 and $2,000. Overall, Datto estimates that $375 million has been paid out in ransoms in the past year, making lost productivity the much bigger concern.
Joe Gleinser, the president of GCS Technologies, an Austin-based IT support and services company, walked me through just how time-consuming it is for companies to deal with ransomware attacks, which generally start with the appearance of “unusually named files” or files that suddenly can’t be accessed. “Locking the network down”—freezing some or all of a company’s systems—is typically the first step after the attack is recognized, in an effort to stop the damage and look for fixes.
“So that’s productivity hit number one,” he said. For a small business, that can mean an entire operation; for a larger one, it could mean a section or a division. “Obviously in certain industries that’s a lot more painful,” Gleinser added. “In health care, that can mean patients going untreated. If you don’t have that information, you don’t know what drugs were prescribed and sometimes it’s tough to make decisions.” Earlier this year, operations at a Los Angeles hospital came to a near halt, leaving staff to use faxes and paper notes to communicate before a $17,000 ransom was paid.
If a business has a well-maintained back-up system in place, data may be restored with only some small delays and limited expense. Should a sufficient back-up not be possible and should the inaccessible files be deemed important enough, the second step is paying the ransom, a practice that the FBI discourages, but says is not illegal under most circumstances.
“Paying the ransom is tricky business,” said Gleinser. “You’re dealing with criminals.” While many ransomers operate quickly, even attentively, that is not always the case. Datto’s survey found that 7 percent of IT professionals reported incidents where data was not restored even after a ransom was paid.
But even paying the ransom can be tricky. “If you don’t have Bitcoin right now, you’re probably not going to get it before the timer expires on the infection,” Gleinser said. “Many of these infections, as soon as you start the process to engage with the ransomer … you have about 48 hours before the data is non-recoverable to encourage you to move quickly.”
As one cybersecurity company executive told Business Insider last month, banks have started to keep tens of thousands of dollars in Bitcoin ready in case of an attack. “Buying bitcoin on any one of the U.S. exchanges is a three-to-five day wait time, so we’ve been forced into the position of having to stock bitcoin as if it were computer equipment and have it ready for our use,” Gleinser added. And even if a company is prepared to pay, when the deadline arrives the price can jump, sometimes doubling, tripling or even quadrupling, or the data can be rendered permanently unrecoverable. “We’ve seen some clients who had paid the ransom and then immediately get attacked again,” he added.
So who is doing this? Ransomware attacks largely originate with Russian or Eastern European outfits, but in recent years they have come from all over the world. Quoting FBI statistics, Gleinser says an average of 4,000 ransomware episodes now take place each day, mostly with no ideological rhyme or reason. These heavily automated attacks have changed a basic business calculus whereby employers and management have started looking outward for threats instead of inward. “We’ve told clients the last 15 years, the number one threat is not the boogeyman, it’s … the third party you’ve already given access to your network. Disgruntled staff has by far been the largest security risk our clients have dealt with historically,” Gleinser said. “It’s not definitely true in this day and age. There definitely is a boogeyman out to get these guys.” With Bitcoin enabling easier and less traceable methods of cybercrime, ransomware attacks will almost certainly not be the boogeyman’s final evolution.
True democracy relies on the reliability of the democratic process. The “Help America Vote Act”, passed in 2002, ushered in an era of uncertainty by proliferating the use of electronic voting systems vulnerable to cyber, technical and physical attack. More often than not, electronic voting systems are nothing but bare-bones, decade-old computer systems that lack even rudimentary endpoint security. Despite the recurring discussion of electronic voting vulnerabilities that occurs every four years, only limited attention is given to the systemic problem undermining American democracy. It’s time for a complete overhaul of the electoral process’ cyber, technical and physical security.
In this analysis, entitled “Hacking Elections is Easy! Part One: Tactics, Techniques, and Procedures”, the Institute for Critical Infrastructure Technology provides a detailed analysis of the risks that voting machines and the digital age have introduced into our democratic process, risks which have the potential to affect the integrity of election results. The report discusses:
• The shocking ease of hacking all aspects of virtually any voting machine’s “black box” technology
• The cyber, technical and physical attack methods that could be enlisted by Nation States, Hacktivists and black hat hackers
• Social Engineering attack vectors and methods that are so easy, even a novice script kiddie can do it
• A few simple tactics that can “fix” any local, state or national campaign in just days or even hours
• And much more
This paper was authored by:
• James Scott (Senior Fellow – Institute for Critical Infrastructure Technology)
• Drew Spaniel (Researcher – Institute for Critical Infrastructure Technology)
The following experts contributed to this report:
• Rob Roy (Fellow – Institute for Critical Infrastructure Technology & Federal CTO, HPE)
Part Two of this paper will be published shortly and provide a deeper technical analysis of this threat.
Download the paper here: http://icitech.org/wp-content/uploads/2016/08/ICIT-Analysis-Hacking-Elections-is-Easy-Part-One1.pdf