Dark web, what dark web? Tips for beating back hackers and savvy cybercriminals

Dark web, what dark web? Tips for beating back hackers and savvy cybercriminals by Tom Sullivan.  Available from <http://www.healthcareitnews.com/news/dark-web-what-dark-web-tips-beating-back-hackers-and-savvy-cybercriminals>. [October 10, 2016; 07:15 AM] Photo Credit: By Andersson18824 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons

Don’t wait another day to create a cyberthreat intelligence sharing team. Delve into the web’s dangerous corners, exchange what you find, learn from banking and defense. Just don’t presume cyberthreats won’t happen to you.

Anytime a major security incident occurs, whether in healthcare or elsewhere, the cyberintelligence team at insurer Aetna springs into action.

“When a large batch of credentials is released to the public on the dark web or on a website like Pastebin, we apply analytics to identify credentials that may be the same as what members are currently using,” Aetna CISO Jim Routh said.

If Routh’s team spots a match, the odds that criminals will try to use those credentials for nefarious purposes are high enough that Routh has to act.

“Out of an abundance of caution, we will force a password reset to proactively protect those accounts,” Routh explained. “Then we look for similarities in user IDs that may apply to our top vendors and we alert any that are impacted.”

And that’s just to start.
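The workflow Routh describes can be reduced to a short program. The following is an added example, not Aetna’s tooling: it parses a constructed Pastebin-style combo list, checks each leaked pair against a hypothetical member directory that stores only salted PBKDF2 hashes (so a leaked password has to be verified against the stored hash rather than compared as text), flags verified matches for a forced reset, records identifier-only matches, and routes identifiers in a constructed partner-domain list to a separate vendor alert.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # slow hash; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a stand-in for bcrypt/scrypt/Argon2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_member(email: str, password: str) -> dict:
    """Store a member the way a directory should: salt + hash, never plaintext."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


# Constructed member directory and vendor list (hypothetical, not real accounts).
MEMBERS = {m["email"]: m for m in [
    make_member("alice@example.org", "Summer2016!"),
    make_member("bob@example.org", "correct-horse-battery"),
]}
VENDOR_DOMAINS = {"example-vendor.com"}

# Constructed combo-list excerpt in the usual "identifier:password" layout.
SAMPLE_DUMP = """\
alice@example.org:Summer2016!
BOB@Example.org:Summer2016!
carol@example-vendor.com:hunter2
this line has no separator
mallory@elsewhere.net:letmein
"""


def parse_dump(text: str):
    """Yield (email, password) pairs. Split on the first ':' only, so passwords
    that contain ':' survive, and skip lines that do not look like credentials."""
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        ident, _, password = line.partition(":")
        ident = ident.strip().lower()
        if "@" not in ident or not password:
            continue
        yield ident, password


def triage_dump(text: str, members: dict, vendor_domains: set) -> dict:
    """Classify every leaked pair:
    force_reset  - the leaked password verifies against the member's stored hash
    id_only      - the member exists but the password does not match (still worth
                   a warning, since people rotate passwords predictably)
    vendor_alert - the identifier belongs to a partner domain we should notify
    ignored      - everything else
    """
    report = {"force_reset": [], "id_only": [], "vendor_alert": [], "ignored": 0}
    for email, password in parse_dump(text):
        member = members.get(email)
        if member is not None:
            candidate = hash_password(password, member["salt"])
            # constant-time comparison: do not leak where the hashes diverge
            if hmac.compare_digest(candidate, member["hash"]):
                report["force_reset"].append(email)
            else:
                report["id_only"].append(email)
            continue
        domain = email.rsplit("@", 1)[1]
        if domain in vendor_domains:
            report["vendor_alert"].append(email)
        else:
            report["ignored"] += 1
    return report


if __name__ == "__main__":
    print(triage_dump(SAMPLE_DUMP, MEMBERS, VENDOR_DOMAINS))
```

Because the directory holds only hashes, the check costs one slow hash per leaked pair that names a known member; in practice you would batch this and prioritise identifiers that also appear in recent login telemetry.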

More sophisticated than traditional security
It’s worth noting that Denise Anderson, executive director of the National Health Information Sharing and Analysis Center, otherwise known as NH-ISAC, described Aetna’s team as particularly strong and savvy compared with the current state of healthcare organizations.

In other words: Many CIOs and chief information security officers could learn a lot from Routh and company.

Routh, in fact, was the global head of application and mobile security for JP Morgan Chase and worked for American Express before signing on with Aetna.

Indeed, Anderson explained that banking and defense sectors are ahead of healthcare in cyberthreat intelligence sharing—healthcare was hardly even talking about cyber as recently as five years ago.

“Threat intelligence is a relatively new concept and term,” Anderson said. “Intelligence should influence the more granular day-to-day work like looking at IP addresses and subject lines in emails.”

Sharing makes it better
Healthcare organizations that have not yet established a cyberthreat intelligence program should not rest on the presumption that they won’t have a security incident.

Many a CISO has said that there are two types of information security professionals in healthcare: Those who have been attacked or hacked and those who just don’t know they have.

Even though threat intelligence sharing is relatively new to healthcare there are a fistful of best practices that forward-thinking security professionals are employing already.

A first step is to participate in the intelligence sharing community that already exists: become a member of the NH-ISAC that Anderson runs, join InfraGard, the joint FBI-private sector partnership, and work with the U.S. Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security’s Cyber Information Sharing and Collaboration Program (DHS CISCP), among others.

Don’t settle on just one, either. Routh recommended cultivating multiple sources to achieve best results because each can uncover different information.

“Gather information and read, read and then read some more. Develop a way to consume the intelligence you receive and make it actionable,” said Dan Wiley, head of incident response and threat intelligence at Check Point. “Context is key to intelligence. The only way you can provide context to intelligence is to layer your knowledge about your environment with the intelligence you receive from others.”

Consider it a community. Give back. Share what you know about threats, solutions, what works and what doesn’t, and recognize that attackers — whether they’re acting alone, as part of a criminal syndicate, or even state-sponsored bad actors — are growing increasingly sophisticated.

Delve into the dark web
To truly grasp what CISOs and infosec professionals are up against, it’s necessary to understand the threat landscape and, to every extent possible, your enemies.

“Get your house in order before stepping out into the threat intelligence arena,” said Bob Chaput, CEO of Clearwater Compliance. “This team must have the ability to identify a cyber incident and shut it down before the entire IT infrastructure is compromised.”

That encompasses having an intelligence team, strategy, framework, plan and infrastructure in place to defend the fortress, and only then exploring the internet’s murkiest corners.

“Ensure that some of your sources are active in the dark web and apply economic analysis to behaviors of criminal syndicates that use the dark web,” Routh said.

These practices require more acuity than the daily grind of security and compliance.

NH-ISAC’s Anderson said that seasoned intelligence experts, many of whom come out of the military, have the expertise to gather information about Tactics, Techniques and Procedures (TTPs), track cybercriminals, follow campaigns and understand the motivations of bad actors.

Anderson noted that healthcare entities can either hire infosec professionals with that experience or outsource threat intelligence. Either way, she recommended looking to other industries to learn about their processes and procedures, glean insights from how they sold cyberthreat intelligence sharing programs and the money required to fund them to the C-suite, and what they have learned working with security vendors.

A powerful warrior: Patience
Threat intelligence is an evolving and ongoing process. Never ending, even.

Check Point’s Wiley went so far as to call it a life-long learning process, while Chaput rattled off regular testing, keeping current with application and operating system vulnerabilities, and continual awareness and training about imminent threats among the tasks to conduct on a regular basis.

Anderson, for her part, pointed out that the banking and defense industries started out slowly and healthcare is poised to follow suit.

“Intelligence activities take time,” Aetna’s Routh said. “So be patient and choose trends and topics for the long term.”

Here are some tips to improve your cybersecurity

Here are some tips to improve your cybersecurity Posted  by 

October is cybersecurity month.  As cyber hacks continue to increase, the landscape is changing in many ways.  Companies and business owners are taking on more responsibility to ensure their businesses are more protected or face legal and financial consequences.  We as individuals are required to be more conscientious when sharing our personal information. And, with the Internet of Things, our families, property and confidentiality are constantly being invaded.  So what can you do other than unplugging everything and crawling under a rock?  Below are a few simple tips for you, your business and your family to increase your protection.

Protect your business

If you’re a small to mid-sized business owner, you need to pay attention to your cybersecurity, particularly if you are a supplier to larger companies that hold sensitive information. More than 60 percent of data breaches occur at small- and medium-sized businesses. Remember that cyber hack some years ago at Target? The attackers got into Target’s network using credentials stolen from its HVAC vendor.  That hack changed everything.  Banks and customers sued, and the court let the banks’ negligence claims proceed on the basis that Target had a duty to protect its customers and banks from the criminal conduct of a third party.  This court case was followed by the Alpine Bank lawsuit, which established that small companies are not immune from liability for their role in data breaches.  Scared yet?  It gets worse, so read on.

So how can you limit your business liability? 

• Protect your data.   Here are a few tools to get you started. The Federal Communications Commission has a custom planning guide that you can create depending on your business needs.  The other is a 30-minute web-based class offered by the U.S. Small Business Administration (SBA).

• Ensure your suppliers are cyber savvy.  They should have at least the same level of security you have, and yes, this should be more than nothing.  Your contracts should require suppliers to adhere to customary practices designed to provide safeguards.  Confirm this at the beginning of your relationship, not after something occurs.

• Consider cyber insurance. The National Association of Insurance Commissioners and the Center for Insurance Policy and Research has a good overall article on cyber risk management.

Protect yourself

In 2014, CNN Money reported that 47 percent of U.S. adults had their personal information exposed by hackers; that number has likely increased during the past few years. The Identity Theft Resource Center reported more than 28 million records exposed between the beginning of the year and September 8, 2016.  The industry response to consumers seems to be a letter stating: sorry, your security has been breached, here is your free year of credit monitoring services.  While there isn’t a lot you can do to change their systems, you can change the way you do things.

• Use different, complex passwords.  This is like flossing your teeth: your dentist says do it every day, and we either ignore them or hate doing it, but it really helps.  The easiest way to select more secure passwords is to create phrases that you’ll remember and then insert numbers and symbols inside them.  For instance, if your phrase is “My cat ate my two fish” the password becomes Mycatatemy2fish.  You then create more complexity by changing some letters to symbols and numbers: “Myc^t^t3my2fish!”  Bear in mind that swapping letters for look-alike symbols is a pattern password-cracking tools try automatically, so the length of the phrase does more for you than the substitutions, and the same phrase should never be reused on a second site.

• Shred your information.  Place the shredder by your door and shred your unneeded mail before it gets into the house. The benefit is you’ll also reduce clutter in your own environment.

• Set your online social media privacy settings.  Social media sites like Facebook, Pinterest, Instagram and Snapchat all have privacy and security settings.  The University of Texas at Austin Center for Identity has information on all of these, the settings that are available, and what they mean.

Protect your family

What is this Internet of Things we all keep hearing about on the news and radio?  In a nutshell, the IoT is the network of products that connect to the Internet in some way: your printer, your car, possibly your television, refrigerator, security system and even your toaster.  All of these things are collecting data from you and your family.  That talking Barbie doll is also listening, along with other learning toys and gadgets like Amazon’s Alexa.  Now are you getting scared?  In reality, it comes down to the price to play: if you want the convenience of the product, you may have to give up some of your information.  These days, big data is also big business.  Here are a few tips:

• Keep your software updated.  Those pesky updates usually contain fixes for publicly known vulnerabilities that attackers are already exploiting, so an unpatched device stays exposed to them.

• Limit your apps on your phone to reputable companies. And read the reviews before downloading.

• When using social media, don’t take that quiz unless you’re really willing to give away your preferences and receive future spam.

• Really think about the privacy price you are paying, and whether it’s worth the value you personally receive, before you buy that newfangled device.

National Cyber Security Awareness Month: Why Your Online Security Matters

National Cyber Security Awareness Month: Why Your Online Security Matters by Julie Myhre-Nunes.  Available from <http://www.nextadvisor.com/blog/2016/10/05/national-cyber-security-awareness-month-why-your-online-security-matters/>. [

October is in full swing, which means Breast Cancer Awareness Month is upon us and Halloween is closing in. Something more frightful than the ghouls in the night is a cybersecurity threat. To shed some light on this pressing and timely topic, the U.S. Department of Homeland Security teamed up with public and private partners like the National Cyber Security Alliance to create National Cyber Security Awareness Month, which is now in its 13th year. Because cybersecurity is so important, throughout the month of October we’re dishing out ways you can keep your online identity safe. In this post we dig into why cybersecurity matters and detail some simple steps you can take to secure your online information.

Why does cybersecurity matter?

The Internet is a major part of our lives. From our smartphones and computers to our TVs, home appliances and cars, we are almost always connected. As such, it’s important for consumers to know how to stay safe online and on their devices. While it’s true your information can be revealed through a company’s data breach, a large part of cybersecurity is user habits, which is why it’s important to understand how you can protect yourself.

What can I do to protect myself online?

While there are a number of ways to protect your information online, these are some basic cybersecurity tips for all Internet users.

1. Create strong passwords and change them regularly. We’ve all heard it a million times — creating strong passwords is one of the best ways to protect your information online — but we often fail to remember that these passwords must be changed regularly (at least every six months) to remain secure. To help you remember when it’s time for a password change, mark your physical or digital calendar and set alerts. (Later guidance, such as NIST Special Publication 800-63B from 2017, drops fixed-schedule rotation in favor of changing a password immediately when there is any sign it was exposed; either way, a password that turns up in a breach has to go.) And remember that every password you create should be a unique one made up of at least eight characters (the longer, the better) and include a combination of letters, numbers and special characters. While you may be tempted to use personal information, like your child’s name, it’s best to steer clear of that because that information is relatively easy to find online, which can put your accounts at higher risk of being hacked. Cultural references are also not a good idea, as we learned from the list of 2015’s worst passwords. Having a hard time thinking of a new password? Try to connect two completely random words like foxtrotpizza, then change some letters to characters and add some extra characters to be safe. If you need some extra help remembering all of your unique passwords, you may want to consider a password manager, which can store all of your passwords in one secure, digital safe.

2. Use a trusted browser. An Internet browser is a user’s key to the web. As such, it’s especially important to make sure you’re choosing a trusted browser, such as Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge or Safari, when you connect to the Internet. Safe and trusted browsers allow you to access the web securely by warning you of potentially harmful websites before you enter them, as a number of browsers have built-in malware protection. Similarly, they clearly let you know if you’re visiting a secure site, meaning the URL starts with HTTPS, by displaying a lock or green color at the beginning of the URL, which is essential to know before you log into your account or enter any of your personal information. Keep in mind that the lock only means the connection is encrypted and the certificate matches the domain in the address bar; a phishing site can have one too, so check that the domain itself is the one you expect.

3. Don’t overshare. A large number of us live our lives on social media, sharing some of our special life moments with people we (hopefully) know in real life. Although sharing can be a fun activity, it can also be an exposing one. That’s why it’s important to know how to responsibly share online by setting strict privacy settings, turning off geolocation and knowing your social media friends in real life. After all, oversharing your information with a stranger can reveal not only information about your home or place of work, but also expose information about your personal life that can be used to unlock your security questions and even reveal your passwords if you opt to use something like your pet’s name, which we don’t recommend. When you’re deciding what to share online, ask yourself if this is information you’d share with someone you just met or someone you don’t know that well. If it’s not, you may want to consider texting or emailing the news to a couple of family members or friends instead of sharing with all of your online friends.

4. Know which sites have your information. It’s no secret that we’re accustomed to passing out our information online. From shopping and checking our credit card statements to posting photos and sending an email, most of us are fluent in how to do this online. And since so much of our lives is digital, we should be aware of who we give our personal information out to, especially since security breaches are more and more common these days. Tracking down all of the sites that have your information stored can be a challenge, so it’s best to start with the ones you know, then look into the ones that email you — if they have your email, you may have created an account with them in the past. If you haven’t used a service or website for over a year, you may want to disable or delete your account — if it’s not clear how you can do this, contact the site’s customer support team and they should be able to help you. Identity theft protection services may also help you keep tabs on where your information appears, as most of the top-rated services do regular scans of the Internet black market as well as monitor your information on public records and people search websites. As an added bonus, most of these services offer free trials that allow you to test out the service before you make a financial commitment, which can be a good way for you to locate where your information appears online, then cancel if you don’t see the value in the service.

5. Be skeptical of unfamiliar emails, texts and links. Scammers work year-round to try to steal the personal information or money of unsuspecting victims, which is why it’s important for you to always be on alert. Although scammers have used email-related methods in the past to spam consumers with scammy links designed to steal their identity, they have more recently been known to text their victims posing as a friend looking to share a funny video or news story, which is part of the reason why millennials are the most likely to fall for a scam. To prevent falling for a scam, you’ll want to be skeptical of any emails or texts you receive from unfamiliar senders. Never click on any links sent in these messages, and if you’re ever unsure of a link you receive from a number you do recognize, contact the person through email or call them to find out if they really sent you the link. If not, delete that text immediately and report it to the FTC. While there is usually some sort of ongoing email/text scam going on, consumers should also be aware of seasonal scams, like voting scams during the election and charity scams during the holidays. Follow our scams blog to learn more about the newest scams.

Safeguard Your “Digital Hygiene”

Safeguard Your “Digital Hygiene” by Rich Barlow.  Available from <https://www.bu.edu/today/2016/personal-information-security/>. [10.03.2016] Photo Courtesy of iStock

October is National Cyber Security Awareness Month, which the University is observing, appropriately enough, by increasing your security.

BU’s Information Services & Technology has put up a perimeter firewall, a device that inspects traffic entering the campus data network and blocks unauthorized access. Your devices and data fall under this cyber-shield whenever you connect to the network, although it can’t protect you if unauthorized parties obtain your password or access to your online accounts. That’s where personal “digital hygiene” comes in.

You—most of you, anyway—wouldn’t go through a day without showering, brushing your teeth, or washing your hands. Eric Jacobsen (CAS’93, MET’03), director of information security, predicts future generations will be as vigilant about digital hygiene, which he says is “understanding the things you need to make habits to take care of yourself and your identity. It includes protecting your online presence and your internet-connected devices through good security practices, and managing the information you share about yourself.”

BU can help, not just through technical measures like the firewall, but with low-tech strategies such as shredding paper records and physically destroying the hard drives from old computer equipment. This week, the University will run its sixth annual program of shredding personal documents and destroying unwanted hard drives. Students, faculty, and staff may bring their disposable documents and hard drives to three sessions: tomorrow, Tuesday, October 4, from 9 a.m. to noon, in the parking lot behind Agganis Arena; Wednesday, October 5, from 10 a.m. to 1 p.m., in front of the Talbot Building, 715 Albany St., on the Medical Campus; and Thursday, October 6, from 9 a.m. to noon, in the Granby Street parking lot on the Charles River Campus east.

Jacobsen offers these additional tips for keeping personal information safe:

  • Frequent updates of your system and applications are a good idea. Automatic updates on your devices can help with this. “Most security patches are released in response to publicly known vulnerabilities,” Jacobsen says, “and until you apply that patch, your devices are at risk.”
  • Never, never, never give out your password. “Passwords are the first and often the last line of defense for your personal information,” he says, and no one should be asking for them. If you get an email asking you to email back your password, think one thing: Scam.
  • Putting a PIN or password on mobile devices, like phones and tablets, ensures that their data will be protected if you lose them. “Even the federal government with all its resources has trouble accessing devices that are protected by a simple code,” Jacobsen says.
  • “Encrypt the data on your laptop,” he stresses. “Apple and Microsoft have provided ways to enable encryption from within the operating system. Make sure you follow their instructions on saving the configuration or key to a USB device and keep that somewhere safe, but separate from your laptop.”
  • Vary your passwords with different internet sites. Using the same password everywhere means that if it’s compromised on one site, all your sites and personal information are jeopardized. At the very least, Jacobsen says, “you should use a unique password for the University to protect your student data; a unique password for anything financial, like your bank; and a different password for your social media sites.”
  • “Remember that every piece of information you put in social media sites may be seen by anyone. Make sure the information you share in these forums is something you’re prepared to share with the world and for all time,” he says. People who have failed to heed this advice have, on occasion, lost their jobs.

Most of any individual’s information on the internet, whether it’s social media or banking, is protected by one thing: a password. People who would like access to your data are well aware of this and will attempt to trick you into giving them your password. The most common form of this attack is “phishing”: the person who wants your password will email you and ask you for it. This works a lot more often than most people realize, and some of the ways they ask for your password are clever. The easiest to spot is the email that simply asks you to email the password back. More creative attacks will try to convince you to go to a website and log in, except that site you are logging in to is not the one you are expecting. It’s advisable to be skeptical of links within email sent from sources you don’t know that take you to a page requiring you to log in.
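The “site you are logging in to is not the one you are expecting” trick described above, and the advice earlier on this page about not clicking unfamiliar links, both come down to inspecting where a link really goes. The following is an added example, not BU’s tooling: it pulls every link out of a constructed phishing-style HTML message and flags the classic tells, such as a trusted name buried in a longer hostname, a user-info part before the real host, a bare IP address, a punycode (IDN) label, plain HTTP, and visible text that names one site while the href points at another. The trusted-domain set and the two-label “registrable domain” shortcut are assumptions; a production check would consult the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message body in the style of a credential-phishing email.
# bu.edu stands in for "your institution"; the other hosts are made up.
SAMPLE_HTML = """
<p>Your password expires today.
   <a href="https://bu.edu.account-verify.example.net/login">Log in at https://www.bu.edu</a></p>
<p><a href="https://www.bu.edu@198.51.100.7/">www.bu.edu</a></p>
<p><a href="https://www.bu.edu/login">https://www.bu.edu/login</a></p>
<p><a href="http://xn--bu-example.edu/login">bu.edu</a></p>
"""
TRUSTED = {"bu.edu"}  # assumption: domains a login link may legitimately use


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Something that looks like a hostname inside the anchor text.
HOSTISH = re.compile(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")
IPV4ISH = re.compile(r"[\d.]+")


def registrable(host: str) -> str:
    """Registrable domain approximated as the last two labels (assumption)."""
    host = host.lower().rstrip(".")
    if IPV4ISH.fullmatch(host):
        return host  # bare IPv4 address, nothing to shorten
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_link(href: str, text: str, trusted: set) -> list:
    """Return the reasons a link deserves suspicion; an empty list means it looks fine."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reg = registrable(host)
    if parts.username is not None:
        findings.append("userinfo-before-host")   # https://www.bu.edu@attacker/
    if IPV4ISH.fullmatch(host):
        findings.append("raw-ip-host")
    if "xn--" in host:
        findings.append("punycode-host")          # IDN homograph candidate
    if parts.scheme != "https":
        findings.append("not-https")
    if reg not in trusted:
        findings.append("untrusted-domain")
        if any(t in host for t in trusted):
            findings.append("lookalike-host")     # bu.edu.attacker.example
    m = HOSTISH.search(text)
    if m and registrable(m.group(1)) != reg:
        findings.append("text-href-mismatch")     # shows one site, goes to another
    return findings


def scan_message(html: str, trusted: set = TRUSTED) -> list:
    """Return [(href, findings), ...] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, assess_link(href, text, trusted)) for href, text in parser.links]


if __name__ == "__main__":
    for href, findings in scan_message(SAMPLE_HTML):
        print(f"{href:55} {', '.join(findings) or 'ok'}")
```

Only the third link comes back clean; the others each trip at least two checks, which is the pattern a mail gateway or a browser extension can act on before a person ever sees the login form.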

How to Protect Yourself After the Yahoo Attack

How to Protect Yourself After the Yahoo Attack by The New York Times.  Available from <http://www.nytimes.com/interactive/2016/technology/personaltech/what-to-do-if-hacked.html?_r=1> [UPDATED September 23, 2016]

Yahoo said on Thursday that hackers in 2014 stole the account information of at least 500 million users, including names, email addresses, telephone numbers, birth dates, passwords and, in some cases, security questions.

Even if you might not have used a Yahoo account for years, security experts say the incident could have far-reaching consequences for users beyond Yahoo’s services.

Here are some answers to frequently asked questions about how you can protect yourself.

How do I know if my personal information was stolen?

Assume it was.

Yahoo said it had begun notifying potentially affected users, but its breach was huge, and similar attacks and smaller thefts happen all the time.

Should I change my password?

The first step, as always, is to change passwords for sites that contain sensitive information like financial, health or credit card data. Do not use the same password across multiple sites.

Changing Yahoo passwords will be just the start for many of you. Comb through other services — especially those for which you provided a Yahoo email address to create an account — to make sure passwords used on those sites aren’t too similar to what you were using on Yahoo.

And if you weren’t doing so already, you’ll have to treat everything you receive online with an abundance of suspicion, in case hackers are trying to trick you out of even more information.

How do I create stronger passwords?

Try a password manager like 1Password or LastPass. These tools generate a unique password for each website you visit and store them in an encrypted database protected by a master password that you create. Password managers reduce the risk of reused passwords or ones that are easy to guess.

If you must create your own passwords, try creating long, complex passwords consisting of nonsensical phrases or one-sentence summaries of strange life events and add numbers and special characters.

Examples:

  • My favorite number is Green4782#
  • The cat ate the CoTTon candy 224%
  • Or, if you’re extra paranoid, consider mimicking this setup:

Jeremiah Grossman, a web security expert, memorizes only a few passwords, including one to unlock his computer, and another to unlock an encrypted USB drive containing a file with a list of all his passwords for dozens of services. None of his passwords are memorable because they are random.

“I select them quite literally by banging on the keyboard a few times like a monkey,” Mr. Grossman said, adding that his setup is “a bit more paranoid” than that of the average person.

Create the strongest passwords for the sites that contain the most sensitive information and do not reuse them anywhere.

Are passwords enough?

Passwords are not enough. If a site offers additional security features, like secondary or two-factor authentication, enable them. Then, when you enter your password, you will receive a message (usually a text) with a one-time code that you must enter before you can log in. Codes sent by text message are the weakest option, since they can be intercepted through SIM-swap fraud, so prefer an authenticator app or a hardware security key where the site offers one.
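Two of the password recipes on this page (the “My cat ate my two fish” substitution trick earlier, and Grossman’s random keyboard-mashing here) differ in one important way: predictable substitutions can be undone, randomness cannot. The following is an added example, not code from any of the articles: it undoes the common letter-for-symbol swaps the way cracking rule sets do, showing that “Myc^t^t3my2fish!” collapses back to the phrase it was built from, and it generates random passwords and passphrases with Python’s `secrets` module while reporting the size of the guess space. The substitution table and the short word list are constructed for the example; a real word list such as the EFF long list has 7776 entries.

```python
import math
import secrets
import string

# Letter-for-symbol swaps that password crackers try automatically (constructed
# table; real rule sets are larger). The attacker never has to guess '^' means 'a'.
LEET = str.maketrans({"^": "a", "@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Strip hand-added decoration and return the base phrase a cracker would test."""
    return password.strip(string.punctuation).lower().translate(LEET)


def same_base(phrase: str, decorated: str) -> bool:
    """True when the 'complex' variant collapses to the plain phrase."""
    return normalize(phrase) == normalize(decorated)


def entropy_bits(choices: int, picks: int) -> float:
    """Guess-space size in bits for `picks` independent uniform picks from `choices`."""
    return picks * math.log2(choices)


# Constructed word list; the EFF long list used by real passphrase tools has 7776 words.
WORDS = ("anvil", "brook", "cobalt", "dune", "ember", "fjord", "glyph",
         "harbor", "inlet", "juniper", "kelp", "lantern", "marble", "nectar")

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Grossman-style random string, drawn from a CSPRNG instead of a keyboard."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Memorable alternative: random dictionary words joined with a separator."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(normalize("Myc^t^t3my2fish!"))                 # the original phrase again
    print(random_password(), entropy_bits(94, 16))         # 16 random printable chars
    print(random_passphrase(), entropy_bits(7776, 5))      # 5 words from a 7776 list
```

Sixteen random printable characters give roughly 105 bits; five words from a 7776-word list give about 64 bits, which is still far more than a dictionary phrase plus a handful of substitutions, since the substitutions only multiply the attacker’s work by the number of rule variants the tool tries.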

Many bank sites and major sites like Google and Apple offer two-factor authentication. In some cases, the second authentication is required only if you are logging in from a new computer.

How can I stop my information from being stolen in the first place?

Increasingly, you cannot. Regularly monitoring your financial records can help minimize the damage if someone gets your information. But only the companies storing your personal data are responsible for securing it. Consumers can slow down hackers and identity thieves, but corporate computer security and law enforcement are the biggest deterrents.

What if you have changed your password after the breach happened but before it was disclosed?

The Yahoo attack happened two years ago but was disclosed only this week. Even if you changed your passwords recently for other websites, chances are at least some of them are similar to the password linked to your Yahoo account two years ago.

To play it safe, you should change your passwords, starting with your most sensitive accounts, including your online banking account.

Forget about security questions

Sites will often use security questions like “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.

These questions are problematic because the internet has made public record searches a snap and the answers are usually easy to guess.

In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)

With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

Jonathan Zdziarski, a computer forensics expert, said he often answered these questions with an alternate password. If a site offers only multiple choice answers, or requires only short passwords, he will not use it.

“You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.

Photo:  By Yahoo! Inc. [Public domain], via Wikimedia Commons