Heart Pacemakers Need Cybersecurity Upgrades

Ok, so this has not happened yet: somebody hacks your pacemaker, connects to your phone and says:

Pay up or your heart will flutter.

But according to a Threatpost story we are almost there (my interpretation):

“Pacemaker Ecosystem Fails Its Cybersecurity Checkup”

There have not been any cases of ransomware or other cybersecurity incidents on pacemakers, but the report suggests it would be good if some authentication (any) were built into the devices, as no one knows what kind of shenanigans criminal hijackers could create.

And mark this point in time: criminal hackers will create shenanigans. There will be methods yet unknown that will be used.

Think DoS, or Denial of Service.

Sure, you may not need the pacemaker all the time, but you need it at certain times. What if it does not operate as it should? Whose fault is it: the hacker, the doctors, or the pacemaker manufacturer?

I found this email very interesting:

“They need to make sure projects meet requirements should it touch any government data

  • #1 priority is a technical person, they can teach security guidelines”

The email is from a recruiter looking for a certain type of security analyst, one who will look over the shoulder, review code and help programmers and others code with a security mindset.

Here you can see the germination of a security agenda at this entity.

This is a good thing, and this position should be just one part, with the other part being a security testing regime, which I did not see mentioned in the qualifications.

The overall cybersecurity problem is complexity, and thus it needs an unfettered testing department checking on the programming department, even one where cybersecurity is important and built in.

Just because you write good code with cybersecurity in mind, does that mean it is secure?

One must still test the code to reduce the risk of security problems further.


Should CyberSecurity Be An IT Thing?

Before we can answer who should be in charge of Cybersecurity…

What is Cybersecurity?

Here is Google's definition:

“The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.”

So cybersecurity really means patching and upgrading your devices, configuring devices so unauthorized access is not possible, and creating good security practices that reduce the chance of cybersecurity ‘events’. I.e., we want the people who are supposed to use computer resources to use them, and not others, like criminals or ransomware bots.

ISACA (Information Systems Audit and Control Association) has another cybersecurity definition that adds cyberrisk.

“To understand Cybersecurity we must define the term cyberrisk”

“Cyberrisk is not one specific risk, it is a group of risks, which differ in technology, attack vectors, means, etc. “

The problem with this definition is that you have to have an understanding of risk, which is fine for most IT professionals, but risk in IT is not understood by IT laypeople (people who do not understand IT).

The CxO ultimately makes the decisions and cannot understand IT to the depth most IT people do, so there will always be a gulf of misunderstanding. But the CEO does understand business risk, so we as IT professionals need to set up an environment where we can explain cybersecurity in terms of business risk.

The disconnect is over what can happen and how much money needs to be budgeted to ensure that cyberrisk is minimized.

Due to the cyberrisk of ransomware, enough resources must be budgeted to ensure there is enough to successfully complete Plan A or Plan B:

  1. Plan A – patch all systems (assuming resources are available)
  2. Plan B – if you do get attacked with ransomware, better have a functioning backup (one you have actually restored from, not just one you have taken).

Your decision loop takes longer than the attacker's; all they do is find new exploits and attack.

Businesses have to budget, purchase things, and execute. This always takes longer than the attacker finding new exploits.

So the attackers are always ahead of the game.


Now how should we answer the question: who should be in charge of cybersecurity? Should IT be in charge? I think there is no way around it: the new executive must understand a certain level of cybersecurity to talk to IT with understanding, and since cybersecurity affects the whole company, only the senior execs should be in charge. But they just drive the whole thing (or are supposed to). The true answer is that everyone is in charge of security.

Contact Us to discuss your Cybersecurity cyberrisk.

Cisco Cybersecurity Report: “It’s Mighty Sporting Out There” WannaCry Now?

Cybersecurity in the news:

WannaCry ransomware is hitting the news cycle, with many high-profile organizations having to admit they got hit with ransomware, which means they did not patch their machines for one reason or another (the Windows SMB patch that WannaCry exploited had been available since March 2017).

This focus on cybersecurity is only short term; as the headlines change in the coming days there will be less focus again.

Even in the darkest moments there is always a way back from the depths of despair, even if all your data is destroyed with no backup (time to dust off the paper processes).

Recently Cisco came out with its latest annual report, for 2017.

If you look at the potential threats assaulting defense personnel, it is fairly even, with mobile, cloud data, cloud infrastructure, and user issues all rated as high threats.

The interesting chart for me is the consistent belief that _we_ do not have a problem.

And the reason? Cybersecurity as a high priority is still only as high as 63%, even as low as 55%. This may be better than last year, but we have a long way to go.

Cisco’s 2017 report mostly discusses malware and attacker behavior, and the fact that spam carries most of the malware that attacks us.

It might be useful to review the working theory of attackers using spam. If a spammer pays a service $20–$40 to send out a million emails, then all he needs is one victim paying a $300 ransom to make a return of roughly 700%. And with a bit of luck there are 2–6 responses: with 5 ransomware ‘hits’ bringing in $1500 against about $200 in costs (the $40 of spam plus whatever it cost to make or buy the payload and infrastructure, if any), it is still roughly a 700% return.

Needless to say, we will not see a reduction in ‘spam with malware’; if anything we will see an increase, since everyone wants to make more money next year.

The problem with cybersecurity is that it does not affect people 100% of the time. It is not a certainty, and thus a sense of false bravado exists. But we will be affected, as we are all connected. What happens is that the weak link, the weakest machine, gets hacked. And then if there is more money to be made there will be further issues and further hacks.

As in the next image, the lowest-hanging fruit gets hacked, and then it is easier to hack the high-profile systems.

As in my previous post, the YouTube video by Saumil explains that we need to develop new methods of defense that definitively defend our systems, not just a “high likelihood” or “low likelihood” of risk.

Setting cybersecurity as a high priority also means you need to set good policies and allocate resources. Even though you do not want to think about it, it has a tendency to come and bite you. Better to be prepared and stave off the next ransomware Armageddon.

Contact Us to discuss this.

Will Automation Cause more #Cybersecurity Problems?

There seems to be a lot of attention on ‘new’ automation in many areas of our lives.

Atlantic story: “The Parts of America Most Susceptible to Automation”

Notice that no one is interested in the cybersecurity problems that will be created within this new automated world.

Sometimes Hollywood is looking further ahead than we are: in Season 7, Episode 16, ‘Murder by Remote Control’, an “automated house” killed a person because it was programmed to do so, in a house that was automated (opens and closes doors, lights and more). The episode aired on CBS on 2/10/2000.

So 17 years ago Hollywood aired an episode that looked unrealistic at the time. I am not here to discuss the viability of the episode or the cast/show etc. I am here to discuss what can go wrong as we automate more and more aspects of our lives. Today we also call these devices IoT (Internet of Things) devices; they power lights and alarms on and off, open doors, and more.

What happened in the episode could happen today, with a hacker controlling your IoT devices, which control heating and air conditioning, to make life in the house unbearable and maybe even dangerous (depending on the add-ons you installed). It may not be dangerous yet, but it may be in the future.

On TV (which is visual) the computer system is shown at its control screen, where one can see the cameras and make adjustments; this control screen may be replicated by a remote hacker (ransomware) today.

The Atlantic story was trying to find the economic regions most likely to see automation:

(image from the Atlantic article). You can see that the major metropolitan areas seem more likely to have concentrations of automation; as an estimate this may be accurate.

But what is a glaring omission in this article?

Cybersecurity

This is the paragraph concluding the article:


The work by Moenius and his colleagues suggests that this divergence will only continue. While a handful of cities with good jobs and highly educated workers will continue to thrive, other areas are going to see more and more jobs disappear as automated technologies become ever better. This may have much wider implications, politically and socially. People in America’s struggling regions feel left behind economically, as the 2016 election indicated.

It is not surprising that cybersecurity is not on the radar of most people, and will not be until they experience it for themselves, or at least until it is simplified to their level.

As I have discussed in many blog posts, until there are concrete reasons like compliance or experience with cybersecurity events, there is no mention of disaster recovery or other ‘potential’ calamities. IT is supposed to handle this.

I believe the owner/managing person needs to be aware of a minimal set of standards, like making backups and ensuring they work (a backup you have never restored is only a hope), and defending against cyberattacks.
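Both "Plan B – better have a functioning backup" above and "making backups and ensuring they work" here come down to the same test: can the archive actually be restored, and does every restored file match what was backed up? The following is an added example, not code from the original post; it builds a small constructed dataset, archives it, writes a SHA-256 manifest beside the archive, restores into a fresh directory and compares every file against the manifest, then truncates the archive the way an interrupted copy would and shows that the check catches it. File names and directory layout are invented for the demonstration.

```python
"""Backup-and-restore check: prove a backup is usable, not merely present.
Added example, not code from the original post; sample data is constructed."""
import hashlib
import json
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir into a .tar.gz and return a manifest {relative path: sha256}.
    The manifest is written next to the archive, not inside it: the archive
    cannot vouch for itself once it is damaged."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    Path(str(archive_path) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive_path, manifest, restore_dir):
    """Restore the archive into an empty restore_dir and compare every file with the manifest.
    Returns a list of problems; an empty list means the backup restored correctly."""
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    # Use the safe extraction filter where this Python supports it (3.12+, backported to
    # maintenance releases); it refuses path traversal and device nodes in the archive.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(restore_dir, **extract_kwargs)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        return [f"archive unreadable: {exc}"]
    problems = []
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != expected:
            problems.append(f"hash mismatch: {rel}")
    for p in restore_dir.rglob("*"):
        if p.is_file() and p.relative_to(restore_dir).as_posix() not in manifest:
            problems.append(f"unexpected file: {p.relative_to(restore_dir).as_posix()}")
    return problems


def demo():
    """Constructed sample data: back it up, verify the restore, then damage the archive
    and verify again. Returns (problems_with_good_backup, problems_with_damaged_backup)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2017-05.csv").write_text("id,amount\n1,300\n")  # constructed
        (src / "customers.db").write_bytes(os.urandom(4096))               # constructed
        archive = work / "backup.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest, work / "restore_good")
        # Simulate an interrupted copy to the backup drive: keep only the first half.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = verify_restore(archive, manifest, work / "restore_bad")
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact backup problems:", good)
    print("damaged backup problems:", bad)
```

Run this on a schedule against the real backup media, into a scratch directory, and alert when the returned list is not empty; the manifest from backup time is what lets you tell "restored" from "restored correctly".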

The problem is that there are many compliance levels, which are not good enough in some cases. So what is a small business to do? This image is the problem:

With minimal cybersecurity standards one can defend and ensure the viability of the business, even when automation creates an even greater reliance on computing devices.

Here are a few cybersecurity automation examples from a 3-year-old DEF CON video:

https://www.youtube.com/watch?v=h5PRvBpLuJs

“Hack all the things 20 devices in 45 minutes”

There were many Android devices, from Google TV to standard routers, embedded multimedia, file storage devices, smart refrigerators, Blu-ray players, cloud connectivity devices, printers, baby monitors, and devices that control the on/off state of electrical appliances in a home.

The devices in our homes are not fully automated yet, because we have not dreamed up enough uses, but the video hacked them all, mostly using UART (the serial debug port on the circuit board) as a way into the hardware. The end result was almost always the same: full exploitation, giving full admin rights and allowing code other than what the manufacturer intended to be run.

As usual, in many cases the root password was simple and stored in plain text on the system. It is obvious to me that cybersecurity is not important at this time.
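Once you have a root shell over UART or have pulled the filesystem off the flash, the first thing to look at is how the device stores its account passwords. The following is an added example, not code from the DEF CON talk or the original post: it audits the /etc/passwd and /etc/shadow of an extracted firmware image for the failure modes the talk describes, a password field that is not a crypt hash at all (likely plaintext), an empty field, a weak legacy hash (DES crypt or md5crypt), a hash sitting in world-readable /etc/passwd, and extra UID 0 accounts. The sample account files are constructed for the demonstration and modeled on typical embedded devices; the hash strings in them are not real hashes.

```python
"""Audit passwd/shadow from an extracted firmware root filesystem for weak credential storage.
Added example; not code from the talk or the original post. Sample files are constructed."""
import re

# 13-character traditional DES crypt hash. A 13-character alphanumeric plaintext would
# also match this, so a DES finding still deserves a look by hand.
DES_CRYPT = re.compile(r"^[./A-Za-z0-9]{13}$")
# Modular crypt prefixes: these are flagged as weak ...
WEAK_PREFIXES = {"$1$": "md5crypt", "$apr1$": "md5crypt (Apache)"}
# ... and these are accepted (sha-crypt, bcrypt, yescrypt, scrypt, gost-yescrypt).
OK_PREFIXES = ("$5$", "$6$", "$2a$", "$2b$", "$2y$", "$y$", "$7$", "$gy$")


def classify_hash(field):
    """Categorize the password field of a passwd or shadow entry."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in WEAK_PREFIXES.items():
        if field.startswith(prefix):
            return "weak:" + name
    if field.startswith(OK_PREFIXES):
        return "modern"
    if DES_CRYPT.match(field):
        return "weak:descrypt"
    return "plaintext_or_unknown"


def parse_entries(text):
    """Map user name -> list of colon-separated fields, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text=""):
    """Return findings as sorted (user, severity, message) tuples."""
    passwd = parse_entries(passwd_text)
    shadow = parse_entries(shadow_text)
    findings = []
    for user, f in passwd.items():
        pw_field, source = f[1], "passwd"
        if pw_field == "x":
            if user not in shadow:
                findings.append((user, "medium", "passwd says shadowed but no shadow entry"))
                continue
            pw_field, source = shadow[user][1], "shadow"
        kind = classify_hash(pw_field)
        if kind == "empty":
            findings.append((user, "high", f"no password set ({source})"))
        elif kind == "plaintext_or_unknown":
            findings.append((user, "high", f"password field is not a crypt hash, likely plaintext ({source})"))
        elif kind.startswith("weak:"):
            findings.append((user, "medium", f"weak hash algorithm {kind[5:]} ({source})"))
        if source == "passwd" and kind not in ("locked", "shadowed", "empty"):
            findings.append((user, "low", "hash stored in world-readable /etc/passwd"))
        try:
            uid = int(f[2])
        except (IndexError, ValueError):
            uid = None
        if uid == 0 and user != "root":
            findings.append((user, "high", "additional UID 0 account"))
    return sorted(findings)


# Constructed sample files, modeled on a typical embedded device; hashes are not real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:$1$UnXc3Yfd$Q7o9fKq3F3kM0tqhY3Lmz0:0:0:admin:/:/bin/sh
support:support:0:0:vendor support:/:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
nobody:!:65534:65534:nobody:/nonexistent:/bin/false
guest::1000:1000:guest:/home/guest:/bin/sh
"""
SAMPLE_SHADOW = """\
root:abJnggxhB/yWI:17000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, severity, message in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{severity:6} {user:8} {message}")
```

On a real image, point `audit_accounts` at the files under the extracted root (for example `squashfs-root/etc/passwd`); a "plaintext" or "empty" finding on a UID 0 account is exactly the condition that turns a UART console into full control of the device.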

So in the coming days Fixvirus.com and Oversitesentry will propose a solution to this dilemma.

The Weak Link Gets Stressed

I’m always looking for more attack angles into the network.

What is the weakest link?

To know the answer we need to investigate what Risk = likelihood * impact is in our organization.

It is more exciting to talk about higher productivity, faster computers, and sales of product xyz. But a weak link has to be monitored, or it can become a disaster of your own making. The Internet has improved productivity (and made us social media hogs) but has also allowed our computer environment to be affected by all the criminal people of the world.

I have mentioned this in the last couple of posts, but small business does not seem to get the message.

There are so many things to do in a small business just to stay afloat or to grow that working on a backup strategy is just not important. How does a backup help sell product “xyz”?

It may not help selling or operating a business, but when an IT failure occurs, will it be an annoyance (“recover the data please”)? Or will it be a disaster, and then we have to say things like... the computers are not operating right now... we are working using the old paper-based methods. A few years from now this will not work, as credit cards increasingly need a network to operate.

Getting the following message might make you pay the ransom, thinking you will have solved the problem ‘on the cheap’.

But if it happened once, it will happen again. You had better fix this issue of management willpower. 60% of small businesses fail within 6 months of a ransomware attack. There is a reason for this phenomenon. The weak link is ignorance of the problem.

As you can see, the sophistication of criminals will get to the point that they will charge more for ransoming your own devices back to you. If management does not have the willpower to create the sophisticated processes needed to defeat digital criminals (and major disasters), then it will only be a matter of time and circumstance before the hole dug is too deep.

Thus my conclusion is that the true “Weak Link” is management thinking itself. A minimal amount of time could be spent on defensive preparations, like the 10% I have recommended before: http://oversitesentry.com/what-is-your-budget-in-preventing-unforeseen-attacks/

Contact me to discuss this phenomenon.