Information is vital to any small or medium-sized business; without it the business cannot function. It is therefore necessary to protect and safeguard information, in particular confidential and sensitive information. The following are five questions every CEO and business unit should ask before implementing a cybersecurity framework.
1) What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
2) How is our leadership team informed about the current level and business impact of cyber risks to our company?
3) Does our business have a cybersecurity program? How does that program apply industry standards and best practices?
4) How many and what types of cyber incidents do we detect on a regular basis? What is the threshold for notifying our leadership team?
5) How comprehensive is our cyber incident response plan? How often is the plan
HHS will soon launch its own version of the National Cybersecurity and Communications Integration Center to improve healthcare cybersecurity measures.
May 10, 2017 - HHS plans to create its own version of the National Cybersecurity and Communications Integration Center (NCCIC) in an effort to create stronger healthcare cybersecurity, according to a Federal News Radio report.
HHS Chief Information Security Officer Christopher Wlaschin explained at the 2017 ACT-IAC Mobile Health Forum that the Health Cybersecurity and Communications Integration Center (HCCIC) should reach initial operating capability around the end of June.
There is lots of “noise” around healthcare cybersecurity, Wlaschin said. HHS will provide grants to the National Health Information Sharing and Analysis Center (NH-ISAC) to encourage a broad participation in an effort to reduce that noise.
Healthcare needs to analyze the privacy and security threats and then deliver best practices, including to smaller providers, he added. HCCIC will also be a collaborative partnership, and a good opportunity to work with mobile app developers to ensure that patient data remains secure on numerous platforms.
“A patient doesn’t want to sign … a long electronic consent form, especially when they’re in crisis,” Wlaschin said at the forum. “They want access to healthcare. The services, the apps, the systems we design and approve, should deliver that.”
The NCCIC is part of the Department of Homeland Security (DHS), and is described as “a 24x7 cyber situational awareness, incident response, and management center.”
“The NCCIC shares information among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations,” the DHS website reads. “Cyber and industrial control systems users can subscribe to information products, feeds, and services at no cost.”
While HCCIC could greatly benefit the healthcare industry, HHS should also take note of the areas in which the NCCIC was found to need improvement.
A February 2017 Government Accountability Office (GAO) report found that DHS took important steps to improve its cybersecurity but that there were still factors impeding its efficiency and effectiveness.
For example, the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015 require NCCIC to perform 11 cybersecurity-related functions. This includes sharing information and enabling real-time actions to address cybersecurity risks and incidents at federal and non-federal entities.
GAO explained that those functions must adhere to nine implementing principles but that NCCIC has not yet determined how those principles apply to all 11 functions. Several instances were also identified where cybersecurity functions were not performed in accordance with the principles.
“Until NCCIC takes steps to overcome these impediments, it may not be able to efficiently perform its cybersecurity functions and assist federal and nonfederal entities in identifying cyber-based threats, mitigating vulnerabilities, and managing cyber risks,” the report stated.
The United States Computer Emergency Readiness Team (US-CERT) is also one of the four branches under NCCIC. US-CERT has previously been hailed by OCR as a key way for healthcare to improve its cybersecurity measures. The government, private sector, and international network defense communities must have stronger collaboration and information sharing to fight against evolving threats, OCR said in its February 2017 cybersecurity newsletter.
“US-CERT is in a unique position to inform covered entities and business associates about their cybersecurity efforts as well as benefit from information sharing when a covered entity or business associate experiences a cybersecurity incident,” OCR stated. “Covered entities should report to US-CERT any suspicious activity, including cybersecurity incidents, cyber threat indicators and defensive measures, phishing incidents, malware, and software vulnerabilities.”
Furthermore, covered entities and business associates should monitor the US-CERT website for any cybersecurity reports or vulnerabilities. “Covered entities and business associates can leverage this information as part of their Security Management Process under HIPAA (see 45 CFR § 164.308(a)(1)) to help ensure the confidentiality, integrity and availability of electronic protected health information,” OCR noted.
As ransomware, DDoS attacks, and other threats against data security in healthcare increase, organizations need to take a comprehensive approach to keeping data protected.
There was a recent Forbes article that analyzed the findings from the Office for Civil Rights (OCR), which looked at the total number of breaches and impacted people in 2015. So, what did OCR find?
In 2015, there were 253 healthcare breaches each affecting 500 people or more, with a combined loss of 112 million records. To put that in perspective, the number of breached records potentially affected about 35 percent of the US population.
That said, it’s pretty clear that data security in the healthcare world continues to be a growing concern.
The digitization of the modern healthcare organization has given attackers more digital records to go after. As a result, breaches are increasing, the value of data continues to go up, and security professionals are constantly battling to secure their data centers.
However, data and healthcare security do not have to be an overwhelmingly challenging process. In fact, over-thinking and complicating security can actually lead to holes and issues.
Leading security experts look at security from a truly holistic, big picture perspective to create easier security models for their clients. This can include automation, better auditing/logging, and improved data security mechanisms.
So, in a world of ransomware, DDoS attacks, and lost physical devices, here are three key steps in enabling a better security strategy in today’s digital world.
CONNECT WITH YOUR USERS
This is such an important step and process. Leading healthcare security teams regularly meet and work with end-users from all departments within their organization. And, in working with these users, they learn quite a bit. They can see where processes lack efficiency, where there are random peripheral devices, how users are interacting with critical applications, where data is actually being stored, and what can be done to make the IT interaction process even better. Remember, users complain when there are issues. They don’t often let you know when things are working. It’s in those very situations that IT and security can become complacent, waiting for something to break. Connecting with your users prevents this from happening and allows security engineers to spot issues, even when things are “working.”
HAVE A COMPLETE BACKUP STRATEGY IN PLACE
I’ve seen some of the worst ransomware events turn into nothing because a healthcare organization had a fantastic backup strategy in place. There’s a very simple rule to follow when it comes to data security and backup: 3-2-1. That is, at least three copies of your data, stored on two different types of media, with at least one copy offsite. With that strategy in place, you must now test your backup. Make sure you can recover quickly. Just because your backup is working doesn’t mean you can restore efficiently. Legacy backup and tape systems can take a long time to recover. Some healthcare organizations are now leveraging encrypted all-flash arrays for super-fast backup and recovery. Furthermore, some are leveraging cloud services that are capable of housing PHI data. A good backup strategy can get you out of a lot of really bad situations. Again, just make sure it all works well.
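The 3-2-1 rule and the restore-testing point above can be turned into a repeatable check. The script below is an added example, not code from the original article; the inventory format, the `BackupCopy` fields and the 90-day restore-test limit are assumptions made for the illustration.

```python
"""Check a backup inventory against the 3-2-1 rule plus restore-test freshness.

Added example, not from the original article. The inventory format, the
BackupCopy fields and the default restore-test age limit are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str                         # label for this copy
    media: str                        # e.g. "disk", "tape", "cloud-object"
    offsite: bool                     # stored outside the primary facility?
    encrypted: bool                   # PHI should never sit on media in the clear
    last_restore_test: Optional[date]  # most recent successful test restore


def check_3_2_1(copies: List[BackupCopy], today: date, max_test_age_days: int = 90):
    """Return a list of findings; an empty list means the strategy passes.

    Findings are plain strings so they can be pasted into a risk register.
    """
    findings = []

    # "3": at least three copies of the data
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need at least 3)")

    # "2": at least two distinct media types
    media = sorted({c.media for c in copies})
    if len(media) < 2:
        findings.append(f"all copies on one media type ({', '.join(media) or 'none'})")

    # "1": at least one copy offsite
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")

    # The article's second point: a working backup is not a proven restore.
    cutoff = today - timedelta(days=max_test_age_days)
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: restore never tested")
        elif c.last_restore_test < cutoff:
            findings.append(
                f"{c.name}: last restore test {c.last_restore_test} "
                f"is older than {max_test_age_days} days"
            )
        if not c.encrypted:
            findings.append(f"{c.name}: unencrypted copy")
    return findings


# Constructed sample inventories (not real systems) used by the demo below.
TODAY = date(2017, 6, 1)
SAMPLE_GOOD = [
    BackupCopy("nightly-disk", "disk", False, True, date(2017, 5, 20)),
    BackupCopy("weekly-tape", "tape", False, True, date(2017, 5, 1)),
    BackupCopy("cloud-replica", "cloud-object", True, True, date(2017, 5, 28)),
]
SAMPLE_BAD = [
    BackupCopy("primary-disk", "disk", False, True, None),
    BackupCopy("secondary-disk", "disk", False, False, date(2017, 1, 1)),
]

if __name__ == "__main__":
    for label, inv in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_3_2_1(inv, TODAY) or ["OK"])
```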
USE ADAPTIVE, CONTEXTUAL SECURITY TECHNOLOGIES
There are so many powerful tools that can help automate IT, enable better security practices, and lock down critical data and apps. Remember, there’s no silver bullet when it comes to security. This means that you need to look at supportive security systems to build out your overall security strategies. Contextual security helps you question and interrogate users, devices, services, and more that are coming into your environment. For example, many healthcare organizations already leverage Citrix. Do you have a NetScaler? Are you leveraging its contextual interrogation capabilities around remote users coming in? You can specify granular parameters like who the user is, what device they are coming in from, whether it is jailbroken, whether the connection is secure, whether it is on public WiFi, and much more. Or, if you already have Cisco, are you using the Identity Services Engine? Did you know that you can integrate these platforms together with systems like the NetScaler?
Now, imagine an automated ecosystem that allows users to pass securely between the outside and the inside of the network. And, throughout the entire process you have visibility into user interaction, what they’re accessing, and how data is flowing. Furthermore, new types of endpoint detection and response (EDR) systems are adding a direct complement to end-user security. This means incorporating things like machine learning and even security AI. Get creative with the technologies you leverage and know that there are systems designed to make security more intelligent, automated, and easier to integrate.
Again, healthcare data security doesn’t have to be a complicated process. Too often we over-engineer security solutions only to lose track of configurations and create issues around agility. Healthcare organizations must follow best practices when storing and distributing PHI or sensitive pieces of information.
The digitization of the healthcare world is inevitable; it’ll be up to security teams to ensure all of this digital content stays safe and resilient. Most of all, don’t take the digital security journey on your own. It’s not just about securing a network or a server any longer.
We now have to understand cloud delivery models, how users interact with data, and how to optimize the delivery of critical resources. Leverage key partners to help you create your own digital security strategy that takes users, their data, and your entire strategy into consideration.
The second annual HIMSS and Symantec risk management study shows that healthcare cybersecurity continues to be a priority, but more change is necessary.
February 22, 2017 - Healthcare organizations are slowly working to increase their healthcare cybersecurity governance, staffing, and budgetary resources, but there is still room for improvement, according to a recent study.
The second annual HIMSS Analytics HIT Security and Risk Management Study found that the percentage of respondents who spend 7 percent to 10 percent of their IT budget on cybersecurity increased from 10 percent to 24 percent from 2015 to 2016.
The survey targeted healthcare executives, the C-Suite, business and IT leaders, and clinical leadership.
Furthermore, the distribution of employees allocated to IT security increased in 2016. In 2015, eight percent of organizations had 11 to 20 employees dedicated to IT security, while 11 percent of companies had that many IT security employees in 2016.
However, IT budgets and staffing issues are still seen as the biggest barriers to having stronger healthcare cybersecurity programs, noted Symantec Health IT Officer David Finn, CISA, CISM, CRISC.
“The good news is we’ve seen more adoption of cybersecurity frameworks,” Finn told HealthITSecurity.com. “There’s an uptick in NIST and HITRUST as well as [Information Technology Infrastructure Library], which took a little bigger jump.”
Specifically, 61 percent of respondents said they are using the NIST Cybersecurity Framework, while 36 percent said they utilize HITRUST. Approximately one-third – 36 percent – also reported that they use ITIL.
“The importance of a cybersecurity framework, particularly if it’s a risk-based framework, is you begin to measure your progress in terms of risk to the organization,” Finn explained. “Whether it’s going up, or whether it’s going down, you have a metric for looking at it.”
Finn added that there is still a disconnect between the “business” and IT sides of healthcare. On average, clinical and business respondents report much higher confidence in their organization's cyber attack preparedness than their IT and security counterparts.
Additionally, business leaders more commonly view cybersecurity as a business risk issue, whereas clinical and IT leaders view it as a HIPAA compliance issue.
“Historically in healthcare, security has been viewed as a HIPAA compliance issue,” he said. “The intent was really to check the boxes around the Security Rule and around the Privacy Rule. This year when we asked people what the drivers were around IT security, for the business users, risk assessment became the number one driver for doing security.”
Not only was that a significant change, but it shows the gap between the clinical workers and the IT/security workers, Finn stated.
“It means that the ransomware attacks we had last year, the shut down and slow down of clinical operations, and the impacts to patient care, people are now starting to wake up to the fact that security is really a business risk and not just an IT risk and responsibility,” he stressed.
The survey found that 91.7 percent of business respondents said that risk assessments were the key driver of decisions on where to invest in IT security. Approximately 71 percent of clinical respondents cited risk assessments as the main driver, while 66 percent of IT respondents said the same.
The majority of clinical respondents – 81 percent – reported that HIPAA compliance was the main driver for deciding where to invest in IT security. By comparison, three-quarters of business respondents cited HIPAA compliance, while 76 percent of IT respondents did so.
THE NEXT EVOLUTION OF THE HEALTHCARE CISO
Finn noted that another key takeaway from the survey was that two-thirds of participating organizations have CISO roles, which most often report to the CIO.
“We’ve started to staff up security, but the problem is we still tend to think of security as a technical/IT issue,” he pointed out. “A lot of security people today, they may be great with firewalls, they understand antivirus, but this is a bigger issue.”
For example, more business leaders are realizing that cybersecurity can be a business risk. If an organization is hit with ransomware, and an EMR is affected, that entity may not be able to operate as a healthcare provider, Finn explained.
“My concern here is that our tech people still don’t talk healthcare,” he said. “They may be great at technology, but we’re going to see another evolution in the CISO role from someone who’s focused on security, to someone who’s really more focused on the business risk.”
That way, the CISO can go talk about business risk with a CFO who is going to understand the financial impact if an organization can’t see patients for half a day because of an outage from ransomware.
“The next evolution will be adopting this as a business risk model and getting security people who understand not only the technical security but the business needs and requirements.”
Additionally, the old approach in security where there were separate tools will no longer be good enough to keep information secure, Finn maintained.
“What we need to do as an industry is start connecting all these dots,” he said. “Anti-virus needs to talk with your authentication systems, and your identification systems need to talk with your encryption systems. All of your computers need to recognize bad files, not just ones that are on the network, but something connected to the internet.”
Finn called it “population health for data,” and explained that the more healthcare organizations know about their data, the better care they can provide for that data.
“We need a comprehensive view of our risk and our security posture.”
Access information about how to comply with HIPAA to ensure the privacy of each patient’s medical information.
HIPAA Privacy & Security Resources
Manage your compliance with required HIPAA privacy and security rules and learn how to participate in a formal HIPAA compliance plan.
HIPAA Administrative Simplification
Understand the HIPAA provisions that ensure safe, efficient and consistent electronic communication across the U.S. health care system.
Read about the Department of Health and Human Services periodic audits to ensure that covered entities comply with HIPAA regulations.
HIPAA Privacy Rule
Read about how HIPAA safeguards personal health information and allows patients to examine and correct their health records.
HIPAA Security Rule & Risk Analysis
Understand the HIPAA rule requiring physicians to protect patients' electronic health information, ensuring its confidentiality and security.
HIPAA Violations & Enforcement
Be advised how the Department of Health and Human Services enforces HIPAA's privacy and security rules and how it handles violations.
HIPAA Breach Notification Rule
Learn the specifics of how HIPAA requires entities to notify patients when the privacy of their health information has been compromised.
Copyright 1995 - 2016 American Medical Association. All rights reserved.
Since cybercrime laws lag behind technology, lawyers are constantly seeking creative ways to stretch old laws to fit new crimes, such as the latest - comparing the movie-sharing app Popcorn Time to a burglar’s tool in order to press criminal charges.
Lawyers for an Adam Sandler movie are arguing that Popcorn Time performs the same function as burglars’ tools in order “to commit or facilitate … a theft by physical taking,” language used in an old Oregon law about traditional burglary.
The lawyers say Popcorn Time lets users violate the movie’s copyrights by enabling downloads of pirated copies, and so they are suing for the civil crime of copyright infringement.
But they are also suggesting that by merely having copies of Popcorn Time on their computers, users are violating an Oregon criminal law that makes it illegal to possess burglar tools. Popcorn Time is similar to burglary tools, they say, because its only purpose is to commit thefts, and that the app itself fits the legal definition of burglary tool: “For purposes of this section, “burglary tool or theft device” means ... [any] instrument or other article adapted or designed for committing or facilitating a ... theft by a physical taking,” the law reads.
The suit is being brought by Cobbler Nevada LLC, which owns rights to the movie “The Cobbler”. It wants to sue 11 Oregon residents, identified only as John Does, who it says have violated the copyright, and that includes bringing the misdemeanor charge of possessing burglary tools.
The lawyers themselves admit this might be a stretch. “It is acknowledged that the transfer of data, storing of the physical data locally on a hard drive and facilitation and redistribution of the stolen data to others may or may not be a 'physical taking' under Oregon law”, the suit says. But they are still willing to give it a try.
Their task is complicated by the fact that they don’t know the real names of the 11 John Does, although part of the lawsuit seeks them from their ISP, Comcast. Cobbler Nevada LLC says it has traced use of copies of “The Cobbler” to IP addresses controlled by Comcast, and it wants the company to provide the names of the customers associated with those addresses.
Popcorn Time’s Web site describes the app as a “smart movies and TV Shows player. We are not holding any illegal materials with copyrighting.” Its FAQ says, in part, “Is this legal? Depends on where you're from, really. Once again: we're using torrents, so if you really care, you'd better google what the legal situation around these protocols where you live.”
It’s not the first time lawyers filing court action in cyber cases have stretched pre-Internet laws so they could apply them to cybercrime cases. For example, Microsoft pioneered several legal innovations to shut down botnets over the past five years, including a claim that a law allowing seizure of knockoff handbags from their manufacturers could be applied to take over command-and-control servers.
Its claim was that, under an old law called the Lanham Act, the use of Microsoft software, and hence of its copyright, meant that Microsoft could seize the offending servers. A court agreed, and Microsoft used that authority to shut down servers used to support the Rustock botnet.
In a different case, Microsoft asserted that it had standing to ask permission to shut down an entire domain in order to get at the Kelihos botnet. The argument was that use of the domain violated the registrant’s agreement not to carry on criminal activity. Since the registrant was performing criminal acts and it was harming Microsoft, then Microsoft could take back the domain.
This story, "Legal teams keep bending old laws to fit cybercrimes" was originally published by Network World.
Tim Greene covers security and keeps an eye on Microsoft for Network World.
Malware masquerading as advertising is a growing problem, and the ad industry must figure out how to weed out scammers from legitimate companies.
As the practice of delivering malware through online ads becomes increasingly popular among cyber criminals, the advertising industry has to rethink how it handles online advertisements.
In the month of August alone, researchers at the antivirus firm Malwarebytes have found and reported several so-called malvertising campaigns, including the big campaign that inserted malicious ads into the ad network used by Yahoo and its subsites, such as News, Finance, and Games. The same bad actor also tricked the ad network used by eBay. Similar campaigns impacted visitors to dating site PlentyOfFish and the media content site for Australian telecommunications provider Telstra this week, and the same ad network displayed malicious ads on MSN, Malwarebytes said.
The malvertising campaign that tripped up Yahoo.com visitors was the work of a Russian threat actor called Fessleak, said Patrick Belcher, director of security analytics at Invincea. Fessleak purchased video display advertisements via a real-time ad bidding network to target Yahoo visitors and infect them with click-fraud bots and deliver ransomware. It turns out Fessleak always includes Flash zero days in his campaigns, making it easier to target a large number of victims who would have no chance to patch those flaws.
The zero-day exploits from the Hacking Team, the maker of government surveillance software, breach becoming public last month "was a bonanza" for Fessleak, Belcher said. While Adobe has patched the vulnerabilities, users who have not yet applied the updates are susceptible to the attack.
The mechanics of malvertising
A malvertising campaign is essentially two parts: the advertisement itself, which typically redirects victims to a different website, and the attack website, which typically hosts an exploit kit, such as Angler or Nuclear.
The exploit kit is packed with several different attack methods and looks for unpatched software or other vulnerabilities to push the payload -- malware for click fraud and botnets, ransomware, and banking Trojans, to name a few types -- onto user machines. Exploit kits including Flash zero days are popular at the moment, Belcher said.
In the case of Telstra, visitors saw a malicious ad purporting to be a Lamborghini Gallardo for sale, but the shortened URL (via Google's link shortener) sent users to a separate website with a Nuclear exploit kit pushing a banking Trojan, according to Jerome Segura, a researcher with Malwarebytes.
The criminal doesn't really have a specific site or user group in mind when introducing malicious ads into the ad network, but rather a category of sites or a profile of a typical victim. The network decides when and on which site to display the ad, depending on the categories specified by the advertiser. Fessleak targets commerce sites, for example, but another popular target is the broadband category, which include sites owned by ISPs and telcos, such as Telstra, Belcher said.
Malvertising campaigns increased 325 percent in the past year, according to a report from Cyphort Labs this week. A similar report from Risk IQ found malvertising grew 260 percent in the first half of 2015 compared to the same period in 2014. And earlier this month, Invincea found malvertising as one of the biggest threats to endpoint security, causing an estimated $525 million in damages in the first six months of 2015. The findings prompted Belcher to dub June "the worst month of malvertising basically ever."
Tricking the ad network
To start a campaign, the criminal first has to trick the ad network into accepting its advertisements. Many ad networks make it easy to get started as an advertiser, with an open enrollment form and a fairly low fee. If the attacker is using a compromised credit card or money earned from other online scams, $400 or so is not a serious barrier to entry, Belcher said.
This easy access is why some of the smaller ad networks recently have banded together to establish best practices, such as banning open enrollment and imposing higher entry fees, he said. Requiring in-depth background checks and spending commitments of as much as $5,000 a month generally stops the scammers.
"Malvertisers are notoriously cheap," Belcher said. They are trying to maximize their profits and don't want to pay higher fees monthly.
Another way malvertisers trick ad networks into treating them as legitimate advertisers is by initially showing clean, innocuous collateral. Once the ad network has approved the ads, the advertiser can swap in malicious ads pointing to an attack website without the network noticing. This is even easier if the advertiser is allowed to host ads on its own servers instead of on the ad networks' servers.
This lets malvertisers look at incoming IP addresses so that they know to show the clean collateral to the ad network's scanners and the malicious one to everyone else.
While some of the larger ad networks require all the ads to be hosted on their servers, that isn't always the case. The ad networks may not want to pay for the cost of serving up all the ads, or advertisers may want to keep the ads in order to collect better metrics. If the ads are all hosted by the network, it would be harder for the ads to be swapped, but the advertising industry as a whole hasn't moved toward that practice yet.
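One network-side countermeasure to the IP-based cloaking and the redirect-to-exploit-kit pattern described above is to fetch each approved creative from several vantage points (the network's own scanner range and visitor-like addresses) and compare where the redirect chains end up. The review logic below is an added example, not the article's or any vendor's code; the observation format, the sample chains and the shortener list are constructed assumptions.

```python
"""Cross-vantage consistency review of an ad creative's redirect chains.

Added example, not from the original article. The observation format,
the sample data and the shortener list are constructed for illustration;
the hosts in the sample use reserved .test names.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Public URL shorteners; goo.gl is the Google shortener the article mentions
# in the Telstra case. Constructed, non-exhaustive list for the example.
KNOWN_SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}

Observation = Tuple[str, List[str]]  # (vantage label, redirect chain of URLs)


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def within_declared_domain(host: str, declared: str) -> bool:
    """Loose check: the host is the declared domain or one of its subdomains."""
    return host == declared or host.endswith("." + declared)


def review_creative(declared_domain: str, observations: List[Observation]) -> List[str]:
    """Return sorted findings for one creative; an empty list means nothing odd.

    The vantage labelled "scanner" is the network's own review crawler; any
    other label is a visitor-like vantage point (e.g. a residential egress).
    """
    findings: Set[str] = set()
    final_hosts: Dict[str, Set[str]] = defaultdict(set)

    for vantage, chain in observations:
        if not chain:
            findings.add(f"{vantage}: empty redirect chain")
            continue
        hosts = [host_of(u) for u in chain]
        final_hosts[vantage].add(hosts[-1])
        # A shortener in the middle of the chain hides the real destination
        # from whoever approved the ad.
        if any(h in KNOWN_SHORTENERS for h in hosts[:-1]):
            findings.add(f"{vantage}: chain passes through a URL shortener")
        # The landing page should belong to the advertiser who enrolled.
        if not within_declared_domain(hosts[-1], declared_domain):
            findings.add(f"{vantage}: lands on {hosts[-1]}, not {declared_domain}")

    # Cloaking signal: visitors reach a landing host the scanner never saw.
    scanner_seen = final_hosts.get("scanner", set())
    visitor_seen: Set[str] = set()
    for vantage, hosts in final_hosts.items():
        if vantage != "scanner":
            visitor_seen |= hosts
    hidden = visitor_seen - scanner_seen
    if scanner_seen and hidden:
        findings.add(
            "cloaking: visitors reach hosts the scanner never saw: "
            + ", ".join(sorted(hidden))
        )
    return sorted(findings)


# Constructed sample: the advertiser enrolled as example-cars.test; the
# scanner sees a clean listing page, a visitor vantage is bounced through a
# shortener onto an unrelated host (the pattern the article describes).
SAMPLE_DECLARED = "example-cars.test"
SAMPLE_OBSERVATIONS: List[Observation] = [
    ("scanner", ["https://ads.example-cars.test/gallardo",
                 "https://www.example-cars.test/listing/42"]),
    ("residential-au", ["https://ads.example-cars.test/gallardo",
                        "https://goo.gl/constructed",
                        "http://landing.unrelated.test/kit"]),
    ("residential-us", ["https://ads.example-cars.test/gallardo",
                        "https://www.example-cars.test/listing/42"]),
]

if __name__ == "__main__":
    for line in review_creative(SAMPLE_DECLARED, SAMPLE_OBSERVATIONS) or ["clean"]:
        print(line)
```

Running only the scanner's observation through `review_creative` yields no findings, which is exactly why a single-vantage check is not enough.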
The industry recognizes the malvertising problem and is working to establish best practices, Belcher said. It's not necessarily a technology problem, since the criminals are able to defeat the scanners and other mechanisms in place. This is where best practices and new processes have to be in place to ensure only legitimate advertisers can get into the networks, he said.
The fact that Hacking Team's exploits were included in the kits used in the recent spree of malvertising attacks didn't surprise researchers, since kit maintainers regularly update their tools to include Flash zero days. Angler and Nuclear, both named in recent malvertising campaigns, are among the handful of exploit kits popular among cyber criminals today. In fact, Angler is one of the quickest to adopt newly revealed zero days into its list of attacks and was the first to weaponize zero days from Hacking Team.
Thanks to exploit kits, criminals no longer need to have a high level of skill to launch a campaign with sophisticated tools, said George Kurtz of Crowdstrike. "The marketplace lets you buy what you need," Kurtz said.
Forming a defense
Malvertising exploits normal Web behavior, where users go to websites and see advertisements alongside whatever content they are interested in, and as a result, it's a difficult attack vector to block. Enterprises and users should keep the operating system and installed software up to date with the latest patches so that exploit kits don't have easy flaws to target. Antimalware and other security software can check and block actual payloads as they are downloaded, so it's essential they are always up to date. Enterprises can adopt other tactics, such as whitelisting URLs, filtering URLs based on Web reputation, or using technologies like secure Web gateways to analyze links in real time.
Turning off Flash in browsers and making all third-party plug-ins click-to-play stop some bad ads, but it's important to keep in mind that not all malvertising relies on Flash vulnerabilities. However, if the attack vector is relying on advertisements on the Web page, then it seems rational that the best way to protect against malvertisements is to use ad blockers so that none of the ads get delivered to the Web browser in the first place.
Advertisers don't like ad blockers, but they may need to reconsider their stance. Adobe and PageFair estimated loss of global revenue due to blocked advertisements in 2015 at more than $21.8 billion, and while their numbers may be biased, the fact remains that ad-blockers threaten the industry's bottom line.
But ad-blockers are increasingly popular. Adblock Plus, one of the better-known ad blockers, has seen download numbers between 2.5 million and 3 million per week, said Ben Williams, a spokesperson for Adblock Plus. The numbers went up in 2014 after a series of malvertising attacks against well-known brands and have been constant since then. "Just goes to show you that more and more people are aware of the dangers posed by renegade ads and know how to protect themselves against them," Williams said.
Ad-blockers ensure no ads -- good or bad -- reach the users. The advertising industry needs to figure out how to protect users from malicious ads proliferating and infecting millions of Internet users with malware. The industry doesn't need more reasons for people to dislike ads.
This story, "Who can stop malware? It starts with advertisers" was originally published by InfoWorld.
Fahmida Y. Rashid — Senior Writer
Fahmida Y. Rashid is a senior writer at InfoWorld, whose coverage focuses on information security.
Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, vulnerable to hackers.
The team of German researchers found 56 million items of unprotected data in the applications it studied in detail, which included games, social networks, messaging, medical and bank transfer apps.
“In almost every category we found an app which has this vulnerability in it,” said Siegfried Rasthofer, part of the team from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology.
Team leader Eric Bodden said the number of records affected “will likely be in the billions.”
Another security researcher working separately, Colombian Jheto Xekri, said he had also found the same flaw.
The problem, Bodden said, is in the way developers – those who write and sell the applications – authenticate users when storing their data in online databases.
Most such apps use services like Amazon Web Services (AWS) or Facebook's Parse to store, share or back up users' data.
While such services offer ways for developers to restrict access to the data, most developers keep the default option, in which access is controlled by a string of letters and numbers embedded in the app's code, called a token.
Because the same token ships in every copy of the app, attackers, Bodden says, can easily extract and tweak it, which then gives them access to the private data of all users of that app stored on the server.
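The mechanism the researchers describe, as an added example that is not from the researchers, Parse, AWS or this article: a toy backend-as-a-service in Python in which one app key is shared by every install. An attacker pulls the key out of the shipped app bundle and queries the backend with it, anonymously. With the weak default (records readable by any holder of the app key) that dumps every user's data; with a per-user session and a per-record ACL the same key yields nothing, while the legitimate owner still reads her own record. Backend, Record, APP_BINARY, the appkey_ string format and the example-baas.invalid host are invented for this illustration and do not represent any provider's real API or key format.

```python
"""Added example: why a shared, embedded app token leaks every user's data.

Toy model written for this article, not Parse's or AWS's real API.  Backend,
Record, APP_BINARY and the "appkey_" format are invented stand-ins.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    owner: str
    data: dict
    # Per-record ACL: user ids allowed to read.  None means "anyone holding the
    # app key may read", standing in for the weak default the story describes.
    readers: Optional[set] = None


class Backend:
    """Hypothetical backend-as-a-service: one app key for all installs."""

    def __init__(self, app_key):
        self.app_key = app_key   # embedded in every copy of the app
        self.users = {}          # user -> password (toy only; never store plaintext)
        self.sessions = {}       # session token -> user
        self.records = []

    def register(self, user, password):
        self.users[user] = password

    def login(self, app_key, user, password):
        if app_key != self.app_key or self.users.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)   # per-user, per-session secret
        self.sessions[token] = user
        return token

    def save(self, session, data, private):
        user = self.sessions[session]
        self.records.append(Record(user, data, {user} if private else None))

    def query(self, app_key, session=None):
        """Return every record the caller is allowed to read."""
        if app_key != self.app_key:
            raise PermissionError("bad app key")
        caller = self.sessions.get(session)   # None for an anonymous request
        return [r.data for r in self.records
                if r.readers is None or caller in r.readers]


# Constructed stand-in for an app binary: strings the build embedded.
APP_BINARY = (b"\x7fELF\x00...\x00https://api.example-baas.invalid/1/classes/Note\x00"
              b"X-App-Key: appkey_3f9c2d7e8a1b4c5d\x00AppVersion 2.1\x00")


def extract_app_keys(blob):
    """What an attacker does first: pull the embedded key out of the shipped app."""
    return [m.decode() for m in re.findall(rb"appkey_[0-9a-f]{16}", blob)]


def populate(backend, private):
    """Two users each store a secret through the legitimate app."""
    for user, pw, secret in (("alice", "pw-a", "door 4711"),
                             ("bob", "pw-b", "door 2203")):
        backend.register(user, pw)
        session = backend.login(backend.app_key, user, pw)
        backend.save(session, {"owner": user, "secret": secret}, private)


def dump_as_attacker(private):
    """Attacker holds only the app bundle: no account, no session token."""
    backend = Backend("appkey_3f9c2d7e8a1b4c5d")
    populate(backend, private)
    key = extract_app_keys(APP_BINARY)[0]   # the same key every install carries
    return backend.query(key)               # anonymous query with the shared key


def dump_as_alice(private):
    """The legitimate owner, logged in, still sees her own record."""
    backend = Backend("appkey_3f9c2d7e8a1b4c5d")
    populate(backend, private)
    session = backend.login(backend.app_key, "alice", "pw-a")
    return backend.query(backend.app_key, session)


if __name__ == "__main__":
    print("weak default, attacker sees:", dump_as_attacker(private=False))
    print("per-user ACL, attacker sees:", dump_as_attacker(private=True))
    print("per-user ACL, alice sees:   ", dump_as_alice(private=True))
```

The point of the model is that the app key is not a secret at all: it identifies the app, not the user, and anything derivable from the shipped binary is in the attacker's hands. Authorization therefore has to hang on a credential the server hands to an authenticated user (the session token here) and on an ACL attached to each record, which is the kind of control the article says these services already offer and developers leave unused.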
The researchers said they had no documented evidence that the vulnerability had been exploited.
The vulnerable applications, which they declined to name, number in the tens of thousands, and include some of the most popular on the Apple and Google app stores.
Rasthofer said all four companies (Amazon, Facebook, Apple and Google) had responded to their findings; he said Apple staff had told him on Monday that they would soon incorporate warnings to developers to double check their security settings before uploading apps to its App Store.
Google declined to comment, while Apple and Amazon did not respond to queries.
A Facebook spokesperson said that after researchers notified it of the vulnerability the company had been working with affected developers. She declined to provide details.
APP DEVELOPERS RESPONSIBLE
Facebook’s Parse lists among its customers some of the world’s biggest companies – all of which, Rasthofer said, were potentially affected.
Security researchers say mobile applications are more at risk of failing to secure users’ data than those running on desktop or laptop computers. This is partly because implementing stronger security is harder, and partly because developers are in a rush to release their apps, said Ibrahim Baggili, who runs a cybersecurity lab at the University of New Haven.
Others pointed to weaknesses in the ways apps transmit data. Bryce Boland, Asia Pacific chief technology officer at internet security company FireEye, said the report reflected deeper problems.
He said FireEye regularly found developers send users’ names and passwords unencrypted, “so it’s not surprising to find them storing them insecurely as well.”
Bodden likened his team's discovery to the Heartbleed bug, a flaw in the OpenSSL library reported last year that left half a million web servers susceptible to data theft. Security researchers said this might be worse, since there was little users could do, and exploiting the vulnerability was easy.
“The amount of effort to compromise data by exploiting app vulnerabilities is far less than the effort to exploit Heartbleed,” said Toshendra Sharma, founder of Bombay-based mobile security company Wegilant.
Other security researchers say that while responsibility for weak authentication lies with those developing the apps, others in the chain should shoulder some of the blame.
“The truth is that there is plenty of fault to go around,” said Domingo Guerra, co-founder of mobile security company Appthority. Cloud providers and app stores, he said, should ensure best practices are implemented correctly and test apps for such holes.
SINGAPORE — Reuters
After three decades where managing endpoints was synonymous with imposing strict security on laptops, enterprises are about to face a much greater security challenge. IT leaders are asked to protect their enterprise data not just on smartphones and tablets, but while it travels through the Internet of Things (IoT), on connected cars, on smart TVs, and on smart watches and other wearable devices.
The advent of the digital workplace is increasing the speed at which enterprise mobility and security are moving away from each other. Employees have become accustomed to working across multiple devices, to transferring files between devices, and to fast and fluid switching between their personal and professional worlds. In reality, protecting data with traditional endpoint management models is incompatible with mobile operating systems and their application-centric economies.
Three factors need to be addressed to bridge the gap between enterprise mobility and effective security for business information: people, process and technology.
People: Freedom plus accountability
Users bypass the legacy endpoint security models imposed on their mobile devices because those models are incompatible with their need to mix business and personal life. Those who do comply feel disarmed and frustrated, and simply miss out on the opportunities that the digital workplace can offer.
Security teams beware: If your potential solution results in a suboptimal user experience, your employees will turn toward privately owned devices and privately managed applications. The latter often leads to silent enterprise leaks: incidents that go unobserved when employees upload enterprise data to third-party clouds. Once leaked, the enterprise can neither track nor retrieve that data.
The way to make enterprise data more secure is to increase the level of user freedom, and at the same time, to hold users accountable and responsible for their actions. To increase accountability, organizations need to make what occurs on mobile devices part of the enterprise conversation, and to set clear security expectations.
Process: Organizational and cultural changes
Be careful not to misjudge the risk, and not to keep organizational structures that were never designed for enterprise mobility.
Typically, the team managing mobility is decoupled from the team that manages the legacy endpoints. Bridging that split requires organizational and cultural change.
Technology: Prevent shadow IT
It is difficult for businesses to impose management and security policies because the endpoint platforms are administered by the employees and are centered on applications, not networks.
Organizations should move away from device lockdown as much as possible, but still treat all endpoints as untrusted ones. To prevent shadow IT by employees, focus on offering the same quality of experience through mobile-based solutions.
By focusing your efforts on providing solutions that are tailored for mobile use, looking at security from a tactical standpoint and favoring app-centric models, you can offer your workforce a system that will enable it to take its digital workplace with it, along with enterprise mobile security.
Dionisio Zumerle is a research director with Gartner, and he is speaking this week on mobile security threats at the Gartner Security and Risk Management Summit.