WASHINGTON - The U.S. Supreme Court on Wednesday put in jeopardy an $8.5 million settlement Google made with users to resolve a class action lawsuit accusing it of violating their privacy by sharing users’ search queries with other websites.
FILE PHOTO: The Google logo is pictured at the entrance to the Google offices in London, Britain January 18, 2019. REUTERS/Hannah McKay
The justices, in an unsigned opinion, threw out a ruling by the San Francisco-based 9th U.S. Circuit Court of Appeals that had upheld the settlement, directing it to take a fresh look at whether the plaintiffs had the legal standing necessary to sue and whether they were even harmed by the search engine operator.
Google, part of Alphabet Inc., was accused in the lawsuit of violating a 1986 law governing the privacy of stored electronic communications.
Justice Clarence Thomas dissented, saying the increasingly common type of settlement at the heart of the case was “unfair and unreasonable” and should not have been approved by the 9th Circuit.
These so-called “cy pres” (pronounced “see pray”) settlements are used in class action cases when it might be impractical to carve up low-value individual damages among a large number of plaintiffs. In endorsing the Google settlement in 2017, the 9th Circuit said each of the 129 million U.S. Google users who theoretically could have claimed part of it would have received “a paltry 4 cents in recovery.”
Proponents have said these settlements can put otherwise negligible awards per person to good use by benefiting groups that work for the public good or support underfunded entities. Critics have said they encourage frivolous lawsuits and excessive fees going to plaintiffs’ lawyers.
Google agreed in the settlement to disclose on its website how users’ search terms are shared but was not required to change its behavior. The three main plaintiffs received $5,000 each for representing the class. Their attorneys received about $2.1 million.
Under the settlement, much of the rest of the money would go to organizations or projects that promote internet privacy, including at Stanford University and AARP, a lobbying group for older Americans, but nothing to the millions of Google users who the plaintiffs were to have represented in the class action.
A Google representative did not immediately respond to a request for comment on Wednesday.
The settlement was challenged by attorneys including Ted Frank of the Hamilton Lincoln Law Institute, which advocates against what it considers abusive class action procedures.
Following the ruling, Frank said he expects the lower courts to again find that the plaintiffs may sue and that the issue will soon be back before the high court. “The decision simply delays the day of reckoning for this unfair practice,” Frank said.
The case began when a California resident named Paloma Gaos filed a proposed class action lawsuit in 2010 in San Jose federal court.
The plaintiffs said that their privacy was violated when their search terms were disseminated by Google to other sites. One searched for her own name, another for financial and health data, and a third for information related to his divorce proceedings.
The Supreme Court may soon get another opportunity to clarify what is needed for plaintiffs to achieve the legal standing necessary to sue. The justices are considering whether to hear a pending appeal by online shoe retailer Zappos, a subsidiary of Amazon.com Inc, over whether customers are entitled to sue over a 2012 data breach.
Reporting by Andrew Chung; Editing by Will Dunham
In today's hyper-connected enterprise, organizations are at risk of two different types of attack. Larry Link, CEO of Cequence Security, explains how to defend at a platform level - without adding friction.
In a video interview with Information Security Media Group at RSA Conference 2019 in San Francisco, Link discusses:
The risks of the hyper-connected enterprise;
Characteristics of the two types of attacks;
The fundamental shift necessary to defend.
Link is president and CEO of Cequence Security.
Hector Monsegur Seeks Redemption by Offering Advice to Security Executives • March 20, 2019
Hector Monsegur keynotes ISMG's Fraud Summit
For as long as Hector Monsegur has been online, he's broken the rules.
There's the teenage curiosity that got him interested in computers, progressing from Windows 95 and AOL dial-up to Unix systems and learning Perl, which eventually led to his first hacks. There's his ability to become a highly-paid system admin without a college degree or a certification.
Then there's the hacktivism and association with the Anonymous collective and LulzSec, which trained their sights on governments and corporations around the world, including distributed denial-of-service attacks that targeted PBS, Sony Pictures, Fox, Visa, MasterCard, PayPal and numerous others. In that role, Monsegur served as one of the lead hackers who stole and publicized confidential information, defaced websites and helped shut down the internet in Tunisia during the Arab Spring.
Monsegur also broke the rules hackers had created for themselves, including avoiding publicity. Eventually, he broke the ultimate rule: He cooperated with the FBI and turned on Anonymous and others.
"It was kind of against the ideas of the hackers and e-zines and the literature that was passed down from the 1980s to the 1990s, when I first got online. One of the first things I would read was that you should never attack the U.S. government - that's one. The second was never let anyone know what you are doing. And I kind of violated both of those," Monsegur told Information Security Media Group's New York City Fraud Summit on March 19, as the event's keynote speaker.
Following his arrest and incarceration in federal prison several years ago, Monsegur has been on a redemption tour. He's spoken about his past experiences and how he has lived with the consequences of his decisions. As the chief researcher at Rhino Security Labs, the hacker once known as "Sabu" is now offering better security for corporate clients.
"But I do want to put out a disclaimer. I'm not here to glorify the past. I'm not proud of it and I'm actually very glad that I have made it this far and I have been able to get back to the industry and get working for my family," Monsegur said.
During his talk on Tuesday, Monsegur used examples from his past hacking activities to illustrate a point: Attackers don't give up once a target is picked. It's a rule that Monsegur followed, and it shows why persistence is key to understanding better cybersecurity practices.
"Attackers will get you regardless. You can have all the vendors and software you need ... The attacker is not going away, especially if they are focused on you. It's good to have insight and a perspective on this to move forward," Monsegur said.
In an interview with ISMG, Monsegur explained that many of the problems he now sees with clients center on asset management and not knowing what's on the network. As a hacker, Monsegur would spend weeks gathering intelligence about targets, noting what assets were sitting on their networks and what misconfigurations could be exploited.
"Not only do companies have problems with the external side of their security posture but also the internal side of their security posture," Monsegur said. "In many cases, they don't really know what they are running online. We're not even talking about shadow IT or something similar where you have employees coming in with different devices and are running devices that are not vetted or authenticated or given permission to access the network."
Another developing issue he sees: Insider threats.
"You also have things like insider threats, which is going to be a bigger problem going forward because there's no way to really stop that. Even if you were able to implement a DLP or data loss prevention software, there are still ways to circumvent those technologies," Monsegur said.
More recently, Monsegur and his colleagues have started to see the effects that new issues, such as DevOps, can have on enterprise security.
"What we do, when we start auditing a network for asset management, we are falling right into the whole DevOps slash security problem," Monsegur told ISMG. "It's a whole different beast. A lot of organizations that are bringing in-house developers, they are really opening the doors without really putting emphasis on security policies. Believe it or not, you can have a really secure infrastructure elsewhere, but then the DevOps team or the developers department starts bashing holes with ... weak passwords, public GitHub repositories, access to S3 buckets everywhere and permissions are a problem."
The one question that follows Monsegur around is one of trust.
In conversation with ISMG's Senior Vice President for Editorial Tom Field, Monsegur was asked if he could be trusted. He did serve almost a year in federal prison and could have faced a maximum sentence of 124 years under sentencing guidelines if found guilty on all counts, although, in reality, he faced between five and 10 years.
His cooperation helped, but that meant turning on his former Anonymous collaborators, a decision that continues to affect him, as hackers occasionally disrupt his public appearances. However, reflecting on the possible loss of his family and a desire for redemption shows that anyone can change.
"It's all about the person's merit ... not everyone is a lifelong career criminal. Sometimes people make mistakes and they deviate and they make decisions without thinking about consequences and I was one of those individuals. Once I was in prison and I lost my family temporarily, I had made the revelation at the end of the day that this is not worth it and there's more to life," Monsegur said.
At the same time, his story holds lessons for CISOs and other security executives looking to protect against cyberattacks now.
"We do have a skill and a talent shortage. Former hackers have the skills and a talent. I'm not saying you have to hire them, but I am saying you should entertain the interview," Monsegur said. "At the end of the day, it's becoming harder to find workers who can follow your policy, enforce your policy and even understand your policies, including implementation and asset management, and developing documentation for your employees and educating employees that are not that technically savvy. It's a broad industry that is still in its infancy and we don't have enough workers."
Craig Goodwin of CDK Global on Adding Security to Development (SecurityEditor) • March 20, 2019
Craig Goodwin, CSO, CDK Global LLC
As chief security officer of CDK Global LLC, Craig Goodwin has been part of the rollout of a new API platform that he believes will revolutionize automotive purchasing. So, what's his perspective on security's role in application DevOps?
In a video interview with Information Security Media Group at RSA Conference 2019 in San Francisco, Goodwin discusses:
Security's role in development;
How the CISO can impact product security;
How a CISO can build or repair a security function.
Goodwin is vice president and CSO of CDK Global LLC, an automotive technology company.
Agency Receives Critique on Draft of Premarket Medical Device Cyber Guidance Update (HealthInfoSec) • March 20, 2019
The Food and Drug Administration is generally on the right track in updating guidance for the cybersecurity of premarket medical devices. But various changes are needed, according to some of the three dozen-plus healthcare sector companies and groups recently submitting feedback to the agency.
Some of the associations submitting comments on FDA's draft guidance suggested modifications to the agency's call for a "cybersecurity bill of materials," or CBOM, that medical device makers would need to submit to the FDA for premarket review. Some also critiqued FDA's proposal to define two tiers of medical devices based on their cybersecurity risk (see FDA Calls for Cybersecurity Bill of Materials).
The FDA had requested comment by March 18 on its "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," which was issued last October. That draft premarket guidance is a significant refresh of FDA's 2014 guidance, the agency noted last fall.
Nearly 40 groups and companies submitted comments on the draft guidance by the FDA's March 18 deadline, according to the Regulations.gov website. FDA will review the comments before issuing a final version of the guidance.
Under the FDA's proposals, before devices are marketed, medical device makers would submit to the agency a CBOM that would include a list of commercial, open source and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities, the draft guidance says.
Many of the associations representing healthcare provider organizations were generally supportive of the CBOM proposal. "Our members have a significant need for this information, which is crucial to evaluating threats and risks, as well as undertaking mitigation," wrote the Greater New York Hospital Association in its comments.
Kaiser Permanente, the largest private integrated healthcare delivery system in the U.S., with 12.2 million members in eight states and the District of Columbia, noted that "the introduction of a Cybersecurity Bill of Materials as part of the risk management methodology will significantly improve medical device purchasing and maintenance decisions."
However, some commenters - including some associations representing medical device makers - suggested that the FDA's definition of a CBOM that includes hardware components would be too challenging to implement.
"FDA should reference a 'software bill of materials,' instead of a CBOM, and define SBOM as 'a list of commercial off-the-shelf software or open source software components that are included in the medical device software, limited to version and build'," wrote the Advanced Medical Technology Association, or AdvaMed, which represents medical technology companies.
"Providing and maintaining a bill of materials that includes hardware presents unique challenges compared to software-only bill of materials, some of which are outside the immediate control of the manufacturer," AdvaMed wrote.
For example, if components are sourced from a supplier, it may not be possible to obtain a list of all hardware subcomponents, as suppliers may be unwilling or unable to provide such information, AdvaMed contends. "If the BOM were to include all software and all hardware down to the lowest component level, the sheer amount of data provided will very likely work against the shared goal to prioritize, prevent and react to cybersecurity risks to protect patient health."
Medical device maker GE Healthcare offered a similar assessment, and also suggested that FDA focus its bill of materials proposal on software, not hardware components.
"We note that vulnerabilities such as Spectre and Meltdown occurred at the level of CPU," GE Healthcare wrote.
"At this level the bill of materials would include hundreds of programmable chipsets embedded in motherboards, peripherals, and power distribution units within a single general-purpose workstation-class computer. We do not see value for healthcare delivery organizations in proactive customer disclosure and purchasing control at this level, even in the event of another vulnerability such as Spectre."
In the draft guidance, the FDA proposes defining two tiers of devices based on their cybersecurity risk.
Tier 1, or "higher cybersecurity risk" products include devices capable of connecting - wired or wirelessly - to another medical or non-medical product, or to a network or the Internet. In addition, a cybersecurity incident affecting these devices could directly result in patient harm to multiple patients, FDA writes in the draft guidance.
Some examples of Tier 1 devices are implantable cardiac devices, such as defibrillators and pacemakers; infusion and insulin pumps; and the supporting connected systems that interact with these devices, such as home monitors and those with command and control functionality such as programmers, the FDA proposes.
Tier 2, or "standard cybersecurity risk" medical devices, are those that don't meet the criteria for Tier 1.
Some of the commenters were critical of FDA's cyber risk tier proposals.
"We find this proposed two-tier framework confusing and unnecessary given its superficial similarity to FDA's risk classification scheme for medical devices," AdvaMed wrote.
"There are significant differences between device types that could fit within the proposed tiers. For example, small implanted medical devices, such as ICDs and pacemakers, have significantly more engineering constraints limiting their hardware and software capabilities when compared to larger medical devices used, for example, in a hospital setting," the group wrote.
"We believe FDA should remove the two-tiered approach in favor of a single risk-based approach that addresses the agency's cybersecurity expectations based on the exploitability of a device vulnerability and the severity of patient harm - if exploited."
While AdvaMed argued against FDA's draft two-tier risk approach, GE Healthcare proposed FDA add a third tier.
"We suggest that the addition of an explicit criteria for an additional Tier 3 for 'low cybersecurity risk' [that] may make the entire tiering system more usable," GE Healthcare wrote.
"For example, a device whose security threats are limited to impact only one device at a time by requiring physical access to exploit could be an example of a Tier 3 low cybersecurity risk."
But it wasn't only medical device makers that found the FDA's draft cybersecurity risk tier proposals lacking.
"We recommend FDA expand the discussion of device tiers to address the responsibility of all stakeholders to ensure security of and risk mitigation of medical devices exploiting network vulnerabilities," Kaiser Permanente wrote.
"Devices can be risk vectors for the enterprise and patients without causing direct harm. For example, a network security vulnerability in a device could allow exposure and/or modification of patient data in the electronic medical record resulting in patient harm indirectly," the organization wrote.
Some groups submitting comments also offered up other suggestions about actions FDA should consider taking for improving medical device cybersecurity.
The College of Healthcare Information Management Executives suggests FDA rethink its definition of medical device in the context of cybersecurity. "The definition should recognize that medical devices are part of an overall ecosystem which includes but is not limited to networks, switches, firewalls, applications and other components that come with 'medical devices'," CHIME - an association of healthcare CIOs and CISOs - wrote.
"Many of our members continue to be confronted with some manufacturers who refuse to take action on known vulnerabilities choosing either to categorize them as 'controlled risks' or saying they will wait until the FDA recalls a device," CHIME complained.
"For example, many of our members still report that patch MS17-010 - the patch that protects against WannaCry - has still not been deployed to certain medical devices due to the manufacturers classifying that vulnerability as a controlled risk," CHIME wrote.
This situation continues two years after the global ransomware attacks involving WannaCry and NotPetya, CHIME adds.
"From our perspective both of these scenarios are unacceptable. Importantly, we believe that the FDA must be as explicit as possible with manufacturers around their expectations. Without clear direction to the manufacturers about what is required, the burden of proof for demonstrating a standard has been met and devices are secure will be shouldered by providers."
JERUSALEM (Reuters) - Israeli Prime Minister Benjamin Netanyahu alleged on Wednesday that Iran could blackmail his main election rival, Benny Gantz, after hacking the former armed forces chief’s phone, even as Tehran denied doing so.
FILE PHOTO: Benny Gantz, head of Blue and White party speaks to the media in Kibbutz Nir-Am, Israel March 15, 2019 REUTERS/Amir Cohen/File Photo
Without providing any evidence or details, Netanyahu said Iran had gleaned “sensitive information”. His comments, in a brief speech broadcast online from his official residence, brought a new level of vitriol to the election race.
Polls put Netanyahu’s right-wing Likud and Gantz’s centrist Blue and White party neck-and-neck, with election day three weeks away.
Gantz has confirmed an Israeli TV report last week that the Shin Bet domestic intelligence service had detected that his cellphone had been hacked, though the agency itself has not commented.
But he has not confirmed that the hackers are believed to be Iranian, as reported, and has said the phone contained no data that might compromise national security or his ability to carry out his duties if he were elected prime minister.
Iran denied that its intelligence services had hacked Gantz’s phone.
“The (Israeli) regime’s officials are long used to spreading lies,” Foreign Ministry spokesman Bahram Qasemi said, according to the state news agency IRNA.
Gantz, for his part, has sought to focus public attention on the state’s decision not to deem Netanyahu a suspect in a graft scandal over a German submarine deal. Netanyahu, who denies wrongdoing, faces possible indictment in three other corruption cases.
Netanyahu said there was more to be revealed about the contents of the ex-general’s mobile phone.
“What do the Iranians know about you that you are hiding from us?” Netanyahu said. “And above all else, how would you, as prime minister, face up to Iran, our number one enemy, when Iran has sensitive information about you? This is not a matter of gossip. This is a matter of national security.”
Netanyahu called on Gantz to come clean as “the only way not to be vulnerable to blackmail”.
Speaking to the Israeli News Company TV station on Tuesday, Gantz said the Shin Bet had informed him six months ago that “there was a small problem - and I am taking care of it”.
“I have a wonderful family. I have wonderful children. My wife supports me from here until further notice,” he said.
Asked if there was anything on the phone that could be used for blackmail, Gantz said: “Nothing can have an influence over my performance.”
Additional reporting by Bozorgmehr Sharafedin in London; Editing by Jeffrey Heller and Kevin Liffey