Dean Dorton – CPAs and Advisors
Cybersecurity

Article 10.23.2023 Dean Dorton

Explore the latest insights that can reshape your business’s approach to cybersecurity disclosure and gain a deeper understanding of how the evolving landscape of cybersecurity disclosure impacts privately owned businesses.

1. Identify Gaps in SEC’s Proposed Disclosure Requirements

  • First, analyze the differences between what the SEC is suggesting for disclosures and what your company currently does.
  • Assign responsibility for making the necessary improvements.

2. Integrate Disclosure Processes

  • Avoid the mistake of creating a new, complex process. Instead, figure out how your cybersecurity practices can be seamlessly incorporated into your existing disclosure procedures.
  • Identify the people who need to be involved, including legal experts.

3. Update Incident Management Process

  • Adapt your incident management procedures to account for factors like the significance of the event and continuous reporting and monitoring.
  • Ensure consistency in how you determine what is significant and how you disclose cybersecurity incidents, similar to how you handle operational or financial issues.

4. Engage Board of Directors Early

  • Start a dialogue with your board of directors about the new disclosure requirements.
  • Collaborate to identify any changes in governance that may be necessary.

5. Leverage Technology

  • Invest in the right technology tools that can help streamline your disclosure processes and communication.
  • This could be a single, all-in-one solution or a combination of individual tools that work together effectively.

Companies must take cybersecurity more seriously than ever before after a new rule passed by the SEC.

Have questions? Reach out today!

Filed Under: Cybersecurity, Services, Technology Tagged With: Cybersecurity, Tech

Article 08.22.2023 Dean Dorton

Public companies must prepare to meet higher standards for cybersecurity.

The SEC recently issued a rule requiring public companies to disclose when they fall victim to a material cyber attack. Companies will also have to file annual disclosures about their cybersecurity risk profile.

As cyber attacks become more common and costly, it’s important for businesses to be forthcoming about their cyber risk. This, along with inconsistent reporting of cyber events by public companies, compelled the SEC to require public companies to disclose material attacks in Form 8-K filings within 4 days of the incident being discovered, and to give investors a better appreciation of each company’s cyber risk environment.

What Requirements are in the New Rule?

The requirements fall into two categories:

  • Incident Disclosure – Within 4 days of discovering a cybersecurity incident that has a “material” impact, companies must report what happened, when and how it was discovered, who was affected and how, and what remediation is underway, among other details. All of this information enters the public record.
  • Yearly Reporting – Once a year, companies must file a Form 10-K report outlining their cybersecurity risk assessment program, highlighting how it aligns with strategy and planning, and which third-party experts it includes.

What Does This Mean for Public Companies?

Many companies already disclose breaches and report on their security environment but not to the level the SEC expects for proper investor evaluation.

The new SEC rule will require all companies to act quickly in the wake of a cyber incident. Gathering the required information within a four-day window means starting immediately after discovery and working methodically from there. Companies will need to assess whether they have the staff and tools to understand incidents in a matter of days. Investing the time now in developing a cyber incident policy is paramount.

Closely related, companies will need to review their entire approach to cyber risk before, during, and after an attack. Reporting on cybersecurity activities will be the easy part. Much harder will be managing cyber risk effectively, month after month, even as new threats and vulnerabilities emerge.

The new SEC rule means new compliance and reporting requirements that require immediate attention.

How Do You Become Compliant?

The first step will be to perform a gap analysis between current practices and those required by the SEC. That will, in most cases, be followed by a systematic effort to close gaps. Otherwise, companies expose themselves to compliance penalties, legal action, and reputational damage—not to mention increased exposure to cyber attacks.

Public registrants will need to comply with the new annual disclosures for fiscal years ending after December 15, 2023, except small reporting companies, which have until fiscal years ending after December 15, 2024. Incident reporting will be effective 90 days after the date of publication in the Federal Register or December 18, 2023, whichever is later. For small reporting companies, it will be effective 270 days after publication in the Federal Register or June 15, 2024, whichever is later.

Beyond just boosting cybersecurity, companies will need to rethink how cyber risk affects every facet of the organization. The team at Dean Dorton, with expertise spanning from cybersecurity to board oversight, is your resource for getting the new SEC rule right.

The deadline for compliance is fast approaching. Contact Dean Dorton to put a plan in place.

Filed Under: Cybersecurity, Services, Technology Tagged With: Cybersecurity, Tech

Article 08.9.2023 Dean Dorton

What is Juice Jacking?

Juice jacking is when bad actors place a corrupted USB port in a public location, such as an airport or coffee shop, with the goal of an unknowing person plugging their cable into it to charge their phone. The port is then used to install malware on the device and steal personal information. In terms of implementation, this type of attack is fairly easy to execute.

Charging kiosks have become commonplace in public locations in the era of smartphones. This is another prime example of hackers using legitimate, everyday technology for nefarious intent. While the attacks thus far have not been common, it is anticipated that these sorts of attacks will increase over the next few years.

How to Protect Yourself

Situational awareness is imperative in cases such as this.

If public USB ports are your only option, be sure to inspect the port prior to plugging in a cable. If it appears off, do not use it. The Federal Communications Commission also said, “If you plug your device into a USB port and a prompt appears asking you to select ‘share data’ or ‘trust this computer’ or ‘charge only,’ [you should] always select ‘charge only.’” Experts also recommend using a USB write blocker. This prevents threat actors from passing any data over USB.

However, the safest option is to avoid public USB ports altogether. If you are anticipating that your device will need to be charged, bring your own charger and plug it in directly to a power outlet or portable charger.

Further Steps

To learn more about cyber threats facing your organization, contact Dean Dorton today.

And for more information on juice jacking, here are some helpful articles:

Traveling? This $7 gadget protects your phone from treacherous USB charging ports

FBI office warns against using public phone charging stations at airports or malls citing malware risk

Filed Under: Cybersecurity, Services, Technology Tagged With: Cybersecurity, Tech

Article 08.9.2023 Dean Dorton

A federal class-action lawsuit was filed in the U.S. District Court for the Western District of Kentucky, Louisville Division, against Norton Healthcare on behalf of employees and patients whose personal information was stolen from Norton’s servers in a cyber attack earlier this year.

Cyber attacks on healthcare systems and providers of all sizes have seen a sharp uptick since the beginning of the COVID-19 pandemic. Threats continue to grow as the number of connected devices across more networks increases. Combined with cloud services gaining in popularity, this creates a larger attack surface for bad actors constantly evolving the sophistication of their efforts. Everything from patient admissions information and payment records to private electronic health records (EHRs), e-doctor visits, medical device wearables, and portable medical technologies can all be susceptible to compromise.

But a healthy cyber security posture can help defend against more than just an attack on a network, devices, or even an organization’s reputation: It can aid in protecting the most vulnerable among us.

By understanding the challenges at hand and putting mitigation efforts in place, healthcare providers can work toward the all-important triad of confidentiality, integrity, and availability of information. Meanwhile, they ensure access to vital patient data at the most crucial moments in the continuum of care.

The Most Common Healthcare Cyber Threats

As the technology we rely on to deliver cutting-edge care continues to advance, so too do the complexities and stealth of cyber attacks.

The most common purpose of an attack, as we’ve noted, is accessing sensitive information either to sell or for personal use. The methods of these attacks, however, can be as varied as the attackers, and include destruction of data and industrial espionage.

In the context of healthcare cyber security, here are a few threats causing the greatest damage to bottom lines — and reputations.

Ransomware

When a machine or a device is infected by ransomware, the files and other data are typically encrypted, access is denied, and ransom is demanded. Patient care services are particularly vulnerable to this type of attack due to their high dependence on technology combined with the critical nature of their daily operations. In fact, ransomware attacks on the sector occurred at a rate of four incidents per week in the first half of 2021.

Health records are a low-risk, high-reward target for cybercriminals because each record can fetch a high value on the underground market. Unfortunately, ransom payment doesn’t always result in the return of the stolen information.

Phishing

Many significant security incidents are caused by a variety of phishing attacks. The effectiveness can be attributed to criminals targeting the weakest link in the cyber security chain: people. Unwitting users may click on a malicious link or open a malicious attachment and infect their computer systems with malware that ultimately divulges information or enables access to it.

Cloud Storage Threats

Many healthcare providers have been switching to cloud-based storage solutions for greater convenience and “always on” connectivity. Unfortunately, not all cloud-based solutions are HIPAA compliant, making them easy targets for intruders. Threats include improper access management, data breach, data leak, loss of sensitive data, and misconfiguration of cloud storage. What’s more, some organizations don’t properly encrypt the data — or implement restrictions — before transmitting.

Be sure to utilize a private cloud or an on-premises data center to regularly secure and encrypt data.

Internal Threats

In our high-level primer on cyber security, we share research indicating that 90% of cyber claims stem from some type of human error or behavior. As more healthcare professionals access sensitive patient information on more devices — some of which are still unsecured — the likelihood of an attack increases. While some internal threats can be malicious, most are the result of negligence or unwitting compromise.

Give your healthcare organization a first step in the right direction to mitigating risks, safeguarding your valuable data, and protecting your reputation. Connect with Dean Dorton for a cyber security risk assessment today.

Filed Under: Cybersecurity, Healthcare Tagged With: Cybersecurity, Healthcare

Article 07.17.2023 Dean Dorton

According to the Verizon 2022 Data Breach Investigations Report, 84% of data breaches entail payment account data, while 93% are driven by financial motives.

Credit card data is highly valuable and sought after by malicious actors, leading to the need for strong security measures. In response to evolving tactics, the Payment Card Industry Data Security Standard (PCI DSS) has introduced version 4.0 to enhance the protection of credit card data.

This guide provides an overview of the major changes introduced in PCI DSS 4.0, categorized as operational requirements (for sales and customer relations) and technical requirements (for the information technology group). It aims to help organizations understand and implement these updates to safeguard cardholder data effectively.

Getting Started with PCI DSS 4.0

  • Document, assign, and ensure understanding of roles and responsibilities associated with each of these requirements.
  • Perform and document risk analysis/assessment for new requirements.
  • Broaden the concept of “network segmentation” to include a wider range of segmentation controls.

1. Install and Maintain Network Security Controls

Technical responsibilities for this step include the following:

  • Replace “firewalls” and “routers” with “network security controls” to accommodate various technologies.
  • Review configurations of network security controls at least once every six months.
  • Secure configuration files to maintain the integrity of security controls.
  • Implement security controls on any computing device connecting to untrusted networks and the cardholder data environment (CDE).

2. Protect Stored Account Data

Technical responsibilities for this step include the following:

  • Minimize data storage through data retention and disposal policies, verified at least every three months.
  • Encrypt electronically stored sensitive authentication data (SAD) before authorization.
  • Prevent copying or relocation of primary account numbers (PAN) during remote access.
  • Use cryptographic hashes or disk/partition-level encryption to render PAN unreadable on removable electronic media.

Operational responsibilities for this step include the following:

  • Ensure third parties storing data on behalf of the organization comply with data retention and disposal policies.
  • Maintain an inventory of trusted keys and certificates used for PAN transmission over open, public networks.

3. Protect Cardholder Data During Transmission Over Open Networks

Technical responsibilities for this step include the following:

  • Confirm the validity and non-revocation of certificates used to safeguard PAN during transmission.
  • Maintain an inventory of trusted keys and certificates used for PAN transmission.

4. Protect Systems and Networks from Malicious Software

Technical responsibilities for this step include the following:

  • Define the frequency of periodic evaluations for system components not at risk for malware based on targeted risk analysis.
  • Implement processes and mechanisms to detect and protect against phishing attacks.

Operational responsibilities for this step include the following:

  • Define the frequency of periodic evaluations for system components not at risk for malware based on targeted risk analysis.
  • Implement processes and mechanisms to detect and protect against phishing attacks.

5. Develop and Maintain Secure Systems and Software

Technical responsibilities for this step include the following:

  • Maintain an inventory of internal, external, and third-party software components for vulnerability and patch management.
  • Deploy an automated solution for detecting and preventing web-based attacks on public-facing web applications.
  • Manage all loaded payment page scripts by authorizing and assuring their integrity through written justifications.

6. Restrict Access to System Components and Cardholder Data

Technical responsibilities for this step include the following:

  • Assign application and system accounts and related access privileges based on the least privilege necessary.
  • Review access by application and system accounts on a frequency defined in the risk analysis.
  • Increase password length to a minimum of 12 characters (or 8 if the system doesn’t support 12 characters).
  • Implement Multi-Factor Authentication (MFA) for all access into the CDE.
  • Ensure MFA systems are resistant to replay attacks, cannot be bypassed, and use at least two different authentication factors.

Operational responsibilities for this step include the following:

  • Review all user accounts and access privileges, including third-party/vendor accounts, at least every six months.

7. Restrict Physical Access to Cardholder Data

Technical responsibilities for this step include the following:

  • Define the frequency and types of inspections for point of interaction (POI) devices in the targeted risk analysis.

8. Log and Monitor All Access to System Components and Cardholder Data

Technical responsibilities for this step include the following:

  • Use automated mechanisms for performing audit log reviews.
  • Define periodic log reviews for system components not covered by automated mechanisms.
  • Detect, alert, and address failures of critical security control systems promptly.

Operational responsibilities for this step include the following:

  • Define periodic log reviews for system components not covered by automated mechanisms.

9. Test Security of Systems and Networks Regularly

Technical responsibilities for this step include the following:

  • Manage all applicable vulnerabilities not ranked as high-risk or critical.
  • Perform authenticated scanning for internal vulnerability assessments.
  • Deploy change- and tamper-detection mechanisms for HTTP headers and payment pages received by consumer browsers.
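The script-authorization items under step 5 and the change/tamper-detection item under step 9 describe one control from two sides: an inventory of every script a payment page may load, with a written justification and an integrity value for each, plus a baseline of the page and its security headers so that any change is noticed. The following is an added example written for this page; it is not Dean Dorton’s code or a PCI SSC tool. It uses the browser’s Subresource Integrity (SRI) hash format for the integrity values; every URL, script body, header and sample page in it is constructed.

```python
"""Payment-page script inventory and tamper-detection check.

Added example, not Dean Dorton's code nor a PCI SSC tool. It illustrates the
controls listed under steps 5 and 9 above: every script on a payment page is
authorized with a written justification and an integrity value, and the page
plus its security headers are compared against a baseline so changes are
detected. All URLs, script bodies, headers and the sample pages are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ('<algo>-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class _ScriptCollector(HTMLParser):
    """Collects the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def audit_payment_page(html: str, inventory: dict) -> list:
    """Return findings for scripts that are unauthorized, unjustified, or lack a
    matching integrity value. An empty list means the page passes."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        src = script["src"]
        if src is None:
            findings.append("inline script present but not in inventory")
            continue
        entry = inventory.get(src)
        if entry is None:
            findings.append(f"unauthorized script: {src}")
            continue
        if not entry.get("justification"):
            findings.append(f"no written justification for: {src}")
        if script["integrity"] != entry["sri"]:
            findings.append(f"integrity missing or mismatched for: {src}")
    return findings


def page_fingerprint(headers: dict, body: str) -> str:
    """Hash of the security-relevant response headers plus the page body; store
    this as the baseline and compare it on every fetch of the payment page."""
    watched = ("content-security-policy", "strict-transport-security", "x-frame-options")
    lowered = {k.lower(): v for k, v in headers.items()}
    h = hashlib.sha256()
    for name in watched:
        h.update(f"{name}:{lowered.get(name, '')}\n".encode())
    h.update(body.encode())
    return h.hexdigest()


def changed_since_baseline(baseline: str, headers: dict, body: str) -> bool:
    """True when the headers or body differ from the recorded baseline."""
    return page_fingerprint(headers, body) != baseline


# Constructed sample data (hypothetical hosts and script content).
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('click', submitCard);"
INVENTORY = {
    "https://checkout.example/static/checkout.js": {
        "sri": sri_hash(CHECKOUT_JS),
        "justification": "Submits the card form; owned by the payments team.",
    },
}
BASE_HEADERS = {
    "Content-Security-Policy": "script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000",
}
GOOD_PAGE = (
    '<html><head><script src="https://checkout.example/static/checkout.js" '
    f'integrity="{sri_hash(CHECKOUT_JS)}"></script></head><body>pay</body></html>'
)
# The same page with an extra script tag that is not in the inventory.
INJECTED_PAGE = GOOD_PAGE.replace(
    "</head>", '<script src="https://unknown.example/injected.js"></script></head>'
)

if __name__ == "__main__":
    baseline = page_fingerprint(BASE_HEADERS, GOOD_PAGE)
    print("good page findings:", audit_payment_page(GOOD_PAGE, INVENTORY))
    print("injected page findings:", audit_payment_page(INJECTED_PAGE, INVENTORY))
    print("page changed:", changed_since_baseline(baseline, BASE_HEADERS, INJECTED_PAGE))
```

In practice the inventory is the document the assessor asks for (script, owner, justification, expected hash), the audit runs against the page as a consumer browser receives it, and the fingerprint comparison runs on a schedule so that a changed header or an added script raises an alert rather than waiting for the next review.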

10. Support Information Security with Organizational Policies and Programs

Technical responsibilities for this step include the following:

  • Document and review cryptographic cipher suites, protocols, hardware, and software technologies annually.
  • Document and confirm PCI DSS scope and conduct reviews upon significant changes.
  • Review and update the security awareness program annually to address new threats.
  • Include threats and vulnerabilities in security awareness training that could impact CDE security.
  • Define the frequency of training for incident response personnel based on targeted risk analysis.
  • Implement incident response procedures for the detection of unexpected storage of PAN.

Operational responsibilities for this step include the following:

  • Support flexible PCI DSS requirements with targeted risk analysis.
  • Document and confirm PCI DSS scope annually and upon significant changes.
  • Include threats and vulnerabilities in security awareness training, including the acceptable use of end-user technologies.
  • Define the frequency of training for incident response personnel based on targeted risk analysis.
  • Implement incident response procedures for the detection of unexpected storage of PAN.

Implementing the updated PCI DSS 4.0 requirements is crucial for organizations to protect credit card data from unauthorized access. By following the guidelines outlined in this guide, organizations can enhance their network security, minimize data storage, encrypt sensitive information, restrict access, monitor systems, and support information security with effective policies and programs. Adhering to these measures will help mitigate the risk of credit card data falling into the wrong hands and ensure compliance with the latest PCI DSS standards.

Filed Under: Cybersecurity, Industries, Professional Services, Services, Technology Tagged With: Cybersecurity

Article 04.13.2023 Dean Dorton

For a long time, multi-factor authentication (MFA) has been considered one of the best ways to protect an organization’s assets. So much so that in 2019, Microsoft released an article stating that MFA would prevent 99.9% of attacks on accounts.

Nowadays, while MFA is still a key aspect of cybersecurity for business as well as personal use, it is not the cure-all that it once was. Bad actors have adapted their tactics and found ways to work around MFA security measures.

Why is MFA not Enough Anymore?

Multi-factor authentication uses a combination of multiple factors to assist with proving you are who you say you are. These factors include:

  1. Something you know – This is usually a password.
  2. Something you have – This can be using your phone to receive an SMS text, an authenticator app, etc.
  3. Something you are – This is usually a physical characteristic like a palm scan or a retina scan.

To have true multi-factor authentication, there must be at least two separate factors used in conjunction. For example, this might look like using a password alongside an authenticator app. In this scenario, a user would sign into their account with their username and password and then receive a prompt to either accept a push notification or enter a code to access the desired resources.

Recently, however, threat actors have adapted their tactics to work around the MFA workflow, meaning these standard MFA practices are no longer enough to protect users and their data.

What are Threat Actors Doing?

One of the tactics threat actors have been using is an AiTM framework, or an attacker-in-the-middle framework. Under this approach, the attacker inserts a fake landing page between the user and the legitimate application. For example, they will deliver a fake Office 365 landing page to the end user via a phishing email. When the user enters their credentials and accepts the push or enters the MFA code, the attacker obtains both pieces of key information and can hijack the session.

Another tactic threat actors utilize is stealing session cookies from your browser. If you are authenticated to your email or other sensitive sites, the threat actor can use malware to steal your sessions and gain access to your personal data. SIM-swapping attacks are also common; they take place when a threat actor social-engineers your mobile carrier into transferring your number to a SIM card the attacker controls. From there, they can intercept any MFA codes that may be sent via text message.

One of the more frequent attacks that Dean Dorton’s Cybersecurity team has observed among major corporations is “MFA fatigue”. This is when a threat actor gains access to your credentials either through phishing or other means (data breaches, password guessing, etc.) and then sends MFA pushes to your device until you are bothered enough that you accept it.

What Can We Do?

There are a few approaches you can take to further secure your MFA.

  1. Utilize more phish-resistant MFA methods. This could be by utilizing a hardware token, such as a YubiKey, or using additional challenges along with the push notification based on risk. An example of this would be Microsoft’s Number Challenges for high-risk sign-ins, in which, before authentication is established, the user must enter a number shown on their sign-in screen into their device.
  2. Avoid using text messages as an additional factor if possible. SIM swapping attacks can occur rather easily and text messages are not an ideal and secure method for MFA codes.
  3. Ensure all devices are protected with endpoint security software to avoid malware-based attacks.
  4. If experiencing excessive MFA requests that you did not initiate, continue to deny them, change your password immediately and if there is an option in your authenticator software, report the attempts as fraudulent.
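The “MFA fatigue” pattern described above leaves a recognizable trace in sign-in logs: a burst of pushes that the user denies or lets time out, sometimes followed by a single approval. The following is an added example written for this page, not Dean Dorton’s code or any vendor’s detection rule; it runs that detection over a handful of constructed log lines. The log format, event names, user names, IP addresses and thresholds are all assumptions.

```python
"""MFA-fatigue detection over sign-in logs.

Added example, not Dean Dorton's code. It flags the pattern described above:
a burst of MFA pushes that a user denies or ignores, followed by an approval.
The log format, event names, user names, IPs and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Fields: ISO timestamp, user, MFA event, source IP.
SAMPLE_LOG = """\
2023-04-13T08:00:10 user=bob event=mfa_push_sent ip=203.0.113.5
2023-04-13T08:00:25 user=bob event=mfa_approved ip=203.0.113.5
2023-04-13T08:02:30 user=alice event=mfa_denied ip=198.51.100.7
2023-04-13T08:03:30 user=alice event=mfa_timeout ip=198.51.100.7
2023-04-13T08:04:30 user=alice event=mfa_denied ip=198.51.100.7
2023-04-13T08:05:30 user=alice event=mfa_denied ip=198.51.100.7
2023-04-13T08:06:30 user=alice event=mfa_denied ip=198.51.100.7
2023-04-13T08:07:30 user=alice event=mfa_timeout ip=198.51.100.7
2023-04-13T08:08:00 user=alice event=mfa_approved ip=198.51.100.7
2023-04-13T08:20:00 user=carol event=mfa_denied ip=192.0.2.44
2023-04-13T08:21:00 user=carol event=mfa_approved ip=192.0.2.44
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def detect_mfa_fatigue(lines, window=timedelta(minutes=10), threshold=5):
    """Return (user, alert_kind, timestamp) tuples.

    'mfa_fatigue_burst' fires once when a user has `threshold` denied or
    timed-out pushes inside `window`; 'approval_after_burst' fires if the user
    then approves a push while that burst is still inside the window, which is
    the outcome the attack aims for and the one to treat as a likely compromise.
    """
    unanswered = defaultdict(deque)  # user -> timestamps of denied/timed-out pushes
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        recent = unanswered[user]
        # Drop pushes that fell out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event in ("mfa_denied", "mfa_timeout"):
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append((user, "mfa_fatigue_burst", ts))
        elif event == "mfa_approved" and len(recent) >= threshold:
            alerts.append((user, "approval_after_burst", ts))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {user}: {kind}")
```

The signal is the count of denied or unanswered pushes per user, not the count of pushes sent, so a user who legitimately retries a slow prompt does not trip the rule; an approval that follows such a burst is the event worth escalating, since it is exactly what the guidance above tells users not to do. Number matching, mentioned in point 1, closes the same gap from the other side by making an accidental approval impossible.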

If you have further questions and need assistance with evaluating your current MFA solution, please reach out to Dean Dorton’s Cybersecurity Experts today.

Filed Under: Cybersecurity, Services, Technology Tagged With: Cybersecurity, Tech

© 2026 Dean Dorton Allen Ford, PLLC. All Rights Reserved