Latest Anthem Breach Traced Back to Third-Party Vendor

New Anthem breach underscores the need to manage cyber risk throughout the enterprise ecosystem

Anthem – yes, that Anthem – has been hacked again. About a month after the beleaguered health insurer agreed to fork over a record-setting $115 million to settle a class action lawsuit related to its massive 2015 breach, it was breached again, or rather, one of its third-party vendors was. The 2017 Anthem breach involves approximately 18,000 Medicare members whose personal information was stolen by a malicious insider employed by LaunchPoint Ventures, a Medicare insurance coordination services firm. Healthcare IT News reports:

LaunchPoint discovered on April 12 that an employee was likely stealing and misusing Anthem and non-Anthem data. The employee emailed a file containing information about Anthem’s members to his personal address on July 8, 2016.

The file contained Medicare ID numbers, including Social Security numbers, Health Plan ID numbers, names and dates of enrollment. Officials said limited last names and dates of birth were included.

Takeaways from the Latest Anthem Breach

The Anthem breach is the latest to underscore the need for organizations to manage cyber risk throughout their entire enterprise ecosystem. Anthem's own systems weren't hacked; a third-party vendor's were. Other recent victims of third-party breaches include Netflix, the Republican National Committee, Trump Hotels, Verizon, and Google (which was affected by a breach at a subcontractor of one of its own third-party vendors).

As organizations outsource more and more IT services, from payroll to billing to web development, hackers are increasingly targeting these service providers. It is estimated that 63% of all enterprise breaches can be traced back to a third-party vendor. Hackers may choose to attack these service providers because many of them are smaller firms whose cyber security may not be as robust as that of the national or multinational corporation whose data they really want.

Know Your Vendors

The danger of third-party data breaches is one of the reasons why the U.S. Department of Defense is requiring not only its prime contractors, but any firm they subcontract DoD work to, to comply with the DFARS cybersecurity clause (DFARS 252.204-7012, which requires the security controls of NIST SP 800-171 for covered defense information) by December 31, 2017. The clause flows down: a prime contractor must pass the same requirement to every subcontractor that handles the data.

Private-sector organizations should take a cue from the DoD and only do business with IT service providers that can show independent evidence of their controls: an AICPA SOC 2 report (issued under SSAE 18, which replaced SSAE 16 in May 2017), ISO/IEC 27001 certification, or, for cloud services sold to federal agencies, a FedRAMP authorization. (NIST publishes the control catalogs such as SP 800-53 and SP 800-171 that these assessments draw on; it does not certify anyone.) Each of these requires a provider to document its procedures and controls and to have an auditor test them. Read the report rather than just asking for it: check that the systems in scope are the ones that will hold your data, look at the exceptions the auditor noted, and remember that a clean report says the controls existed at audit time, not that a malicious insider cannot walk data out, which is what happened here.

Likewise, IT service providers should obtain the appropriate data security certifications and demonstrate to their customers that they have strong security controls in place. Continuum GRC’s IT Audit Machine (ITAM) empowers organizations to get and maintain compliance the easy way, with self-help modules covering numerous compliance standards, including FedRAMP, SSAE 16, COBIT, ISO 27001, ISO 27002, ISO 27005, SOX, FFIEC, PCI, GLBA, HIPAA, CMS, NERC CIP, DFARS, and other federal and state mandates.

Don’t Expect to Pass the Buck

Just because a breach is your vendor's fault doesn't mean your organization will be shielded from liability. The Target breach, whose costs approached $300 million and which cost both the CEO and the CIO their jobs, began with network credentials stolen from a third-party HVAC contractor; the attackers used that foothold to plant malware on Target's point-of-sale systems.

The scope of potential liability has also broadened. Shortly after news of the Anthem breach broke, the U.S. Court of Appeals for the D.C. Circuit ruled against health insurer CareFirst, reviving a class action brought by customers affected by its 2014 breach. The lower court had dismissed the suit for lack of standing; the appeals court held that the plaintiffs had plausibly alleged a substantial risk of identity theft from the stolen data, and that this was injury enough to let the case proceed. The ruling is expected to have wide implications, making it easier for customers of any company, not just health insurers, to sue when their personal information is stolen.

Ensuring good governance, risk management, compliance, and cyber security throughout your enterprise ecosystem takes far less time and costs far less money than doing damage control after a breach happens.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Ethereum ICO Hacks Rattle Investors

Cryptocurrency Investors on Edge after Two Ethereum ICO Breaches in a Week

Initial Coin Offerings (ICOs) powered by the Ethereum blockchain platform are the hottest thing going right now, but are they secure? On July 24, 2017, the second Ethereum ICO hack in a week hit the news, as digital wallet firm Veritaseum disclosed to Bleeping Computer that a hacker stole approximately $8.4 million from its Ethereum ICO.

Ethereum has had a rough month. A week before the Veritaseum hack, cryptocurrency trading startup CoinDash had $7 million worth of Ether stolen from its ICO within minutes of launch, after an attacker altered the company's website so that contributors sent their Ether to the attacker's address instead of CoinDash's. A few days later, Parity Technologies, which develops an Ethereum client and a widely used multi-signature wallet contract, issued a security alert about a vulnerability in that wallet contract that had already been used to steal roughly $30 million worth of Ether. At the end of June, an unidentified attacker took control of the web domain of Classic Ether Wallet, pointed it at a server of their own, and redirected users' transactions to their own account.

What is an Ethereum ICO?

An ICO is loosely analogous to an IPO (Initial Public Offering). Investors send money to the issuer, but instead of receiving shares they receive units of a new cryptocurrency, called "tokens." Contributions are usually made in an existing cryptocurrency rather than in fiat currency; in ICOs run on the Ethereum platform that currency is Ether, and the tokens are typically issued by a smart contract that credits each contributing address. Investors can hold the tokens, spend them on whatever service the issuer has promised to build, or sell them to other users for cryptocurrency. If all goes well, the tokens increase in value and the investors profit.

Unlike IPOs, initial coin offerings are essentially unregulated. This has made them very attractive to tech startups that wish to bypass the regulated IPO process and the gatekeeping of banks and venture capitalists. Ethereum ICOs have become extremely popular because of what the Ethereum platform can do. Unlike Bitcoin, Ethereum is far more than a cryptocurrency: it was designed as a decentralized virtual machine that runs "smart contracts," programs deployed to the blockchain and executed identically by every node, so that an agreement's terms enforce themselves without a trusted intermediary. Smart contracts have enormous potential to replace all manner of traditional financial, social, and legal agreements, from options contracts to bonds, which is one reason why Ethereum is quickly becoming the ICO platform of choice. It is also why the code of the contract, and of the tools around it, matters so much: a flaw in a contract is a flaw in the agreement itself.

Are Ethereum and ICOs Safe?

Because they are unregulated, ICOs are risky. There is no requirement for companies to provide the voluminous investor disclosures that they would have to for an IPO. There are fears that ICOs could be used for money laundering or that issuers could "hack" their own ICOs and steal tokens. These problems have not escaped the attention of the SEC, which is reportedly eyeing the ICO market warily in preparation for future regulation. Update: After this article went to press, the SEC weighed in. Its July 25, 2017 investigative report on The DAO concluded that the tokens sold in that offering were securities under federal law and that whether any given ICO token is a security depends on the facts of the offering, paving the way for enforcement and regulation.

As to the inherent cybersecurity of Ethereum, Ether wallets, and ICOs launched on the Ethereum platform, it is important to note that, as in the SWIFT Network attacks that rocked the international banking world in 2016, the Ethereum blockchain itself was not breached in any of these attacks. In each case, attackers exploited website weaknesses or coding errors in third-party tools built on top of the blockchain, such as Ether wallets. The blockchain itself is very hard to attack; rewriting its history would take more computing power than any attacker is likely to muster. But the applications used to access it, including those used to buy, sell, and store tokens and cryptocurrency, may not be, and the blockchain will faithfully execute a transfer to a thief's address exactly as it would a legitimate one. The Parity breach was traced back to a single missing word in the wallet contract's code: the library function that sets a new wallet's owners could be called again on a wallet that was already live, because it lacked a modifier restricting it to uninitialised wallets, so an attacker could make themselves the sole owner and empty it. The CoinDash and Classic Ether Wallet breaches exploited security holes in the companies' own web presence: a swapped payment address on a website and a hijacked domain, respectively. For anyone sending funds, the practical check is to confirm a contribution address through a second channel and to verify that a wallet site's domain and TLS certificate are the expected ones before signing anything.
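The mechanism behind the Parity loss, as an added example written for this article and not Parity's own code: a thin wallet contract forwards unknown calls to a shared library, which then runs against the wallet's storage (Ethereum's delegatecall). The names initWallet and only_uninitialized are the ones from Parity's library and its fix; the Python classes, the account names, and the 153,000-unit balance are constructed for the model, and the real contract's multi-owner confirmation and daily limit are omitted because they do not help once the attacker is the only owner.

```python
"""Model of the July 2017 Parity multisig wallet flaw (added example, not Parity's code).

Parity's wallet contract kept almost no logic of its own: any call it did not
recognise was forwarded by delegatecall to a shared WalletLibrary, so the
library's code ran against the *calling wallet's* storage. The library's
initWallet(), meant to run once when a wallet is deployed, had no guard
against being called again, so anyone could invoke it on a live wallet through
the fallback, become its sole owner, and drain it. The fix added one modifier,
only_uninitialized. Those two names are Parity's; everything else is a model.
"""


class Revert(Exception):
    """Stands in for a failed EVM transaction (state changes discarded)."""


class WalletStorage:
    """Per-wallet state that delegatecall'd library code operates on."""

    def __init__(self, balance):
        self.owners = []
        self.required = 0
        self.balance = balance


class WalletLibrary:
    """Shared code. Every method receives the caller's storage, as delegatecall does."""

    def __init__(self, guarded):
        # guarded=True models the patched library with the only_uninitialized modifier.
        self.guarded = guarded

    def initWallet(self, store, sender, owners, required):
        if self.guarded and store.owners:  # modifier only_uninitialized
            raise Revert("wallet already initialised")
        store.owners = list(owners)
        store.required = required

    def execute(self, store, sender, to, value):
        """Send funds out of the wallet (confirmation logic and daily limit omitted)."""
        if sender not in store.owners:
            raise Revert("not an owner")
        if value > store.balance:
            raise Revert("insufficient funds")
        store.balance -= value
        return to, value


class Wallet:
    """Thin contract: owns storage and forwards unknown calls to the library."""

    def __init__(self, library, owners, required, balance):
        self.library = library
        self.store = WalletStorage(balance)
        # Legitimate one-time initialisation at deployment.
        self.library.initWallet(self.store, "deployer", owners, required)

    def fallback(self, sender, method, *args):
        """delegatecall: run library code with this wallet's storage."""
        return getattr(self.library, method)(self.store, sender, *args)


def drain(guarded):
    """Attack a 2-of-3 wallet; return (amount_taken_by_attacker, wallet_balance_after)."""
    wallet = Wallet(WalletLibrary(guarded), ["alice", "bob", "carol"], 2, 153_000)
    try:
        # Step 1: re-run the initialiser through the fallback, naming mallory sole owner.
        wallet.fallback("mallory", "initWallet", ["mallory"], 1)
        # Step 2: as the (new) owner, send everything to mallory.
        _, value = wallet.fallback("mallory", "execute", "mallory", wallet.store.balance)
        return value, wallet.store.balance
    except Revert:
        return 0, wallet.store.balance


if __name__ == "__main__":
    print("vulnerable library:", drain(guarded=False))  # (153000, 0)
    print("patched library:   ", drain(guarded=True))   # (0, 153000)
```

The point the model makes is that the attacker never touched the blockchain's consensus or cryptography; every step was a valid transaction that the contract's code allowed, and the one-line guard is the whole difference between a wallet that keeps its funds and one that does not.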

Although cryptocurrency investors are concerned about the recent spate of Ethereum ICO attacks, only time will tell whether they’re rattled enough for permanent damage to be done to the ICO craze. Certainly, anyone who is considering investing in an ICO, regardless of which platform it is being run on, should tread carefully. The lesson all enterprises can take from these hacks is the importance of website security, secure software development, and proactive cyber security and GRC practices in a digital world where most money, including fiat currency, is moved and stored electronically.

After all, just one missing word in a software program resulted in a $30 million loss.

Cyber Criminals Are Hijacking Computers for Cryptocurrency Mining

Cryptocurrency mining malware may end up being a bigger problem than WannaCry

Organizations that think they dodged a bullet when their older systems did not fall prey to the WannaCry ransomware may want to think again. Weeks before the WannaCry outbreak, another group of attackers was exploiting the same Windows SMBv1 vulnerability (patched in March 2017 in MS17-010, and attacked with the leaked EternalBlue exploit and DoublePulsar backdoor) that WannaCry would later use. Instead of locking systems with ransomware, these criminals put them to work, using a cryptocurrency mining malware called Adylkuzz.

Not only did users have no idea their machines had been turned into mining zombies, but Adylkuzz also acted as a sort of vaccine against WannaCry: once it infects a machine it shuts down SMB networking on that host to keep competing malware out, which incidentally closed the door WannaCry uses to spread. So, in a bizarre twist, had it not been for Adylkuzz, the WannaCry attacks may have been even larger and more destructive.

That’s not to say Adylkuzz is benign. Just as WannaCry was a warning shot for the destructive potential of ransomware, Adylkuzz sounded the alarm about the next threat on the horizon: cryptocurrency mining malware.

Cryptocurrency 101

Cryptocurrencies are digital currencies that use cryptography, rather than a trusted issuer, to prevent counterfeiting and double-spending. They differ from "fiat currency" (the dollars, euros, and other money issued by governments) in that they are not issued by a central authority and do not represent anyone's debt. Advocates sometimes call them "hard" or "sound" money and compare them to gold bars rather than dollar bills. The best-known and most widely used cryptocurrency is Bitcoin, launched in 2009; the blockchain, a shared append-only ledger of transactions, was devised to make Bitcoin work and only later became a technology in its own right.

Although there is nothing inherently nefarious about cryptocurrencies, they have come under fire for their popularity among cyber criminals. While many perfectly legitimate businesses accept payment in Bitcoin, it also is the de facto currency of the Dark Net, and most ransomware variants demand payments be rendered in it.

New units of a digital currency are created through cryptocurrency mining. "Miners" compete to solve a computational puzzle (for Bitcoin, finding a block header whose hash falls below a target) that entitles the winner to add the next block of transactions to the blockchain, and the reward is newly created coins plus the fees on the transactions in that block. Many currencies cap the total supply to prevent devaluation: Bitcoin's cap is 21 million units and, as of this writing, roughly 5 million remain to be mined. Not all do; Ethereum has no hard cap, and Monero keeps issuing a small "tail emission" indefinitely.

Mining also has a built-in brake: the network adjusts the puzzle's difficulty so that blocks arrive at a roughly fixed rate no matter how much hardware joins, which means the puzzles consume enormous amounts of processing power and, for Bitcoin, are only profitable on specialised mining hardware (ASICs). For those who would rather not buy that hardware, cryptocurrency mining malware such as Adylkuzz has emerged. Although Adylkuzz exploits the same Windows vulnerability as WannaCry, it behaves more like the Mirai botnet: it does not lock down systems or steal data; instead it seizes a machine's processing power and uses it to mine Monero, a Bitcoin competitor that is growing in popularity among cyber criminals for two reasons. Its transactions hide the sender, receiver, and amount, so it promises stronger anonymity than Bitcoin, and its hashing algorithm was designed to be mined efficiently on ordinary CPUs, which makes a botnet of stolen office PCs a viable mining rig in a way it is not for Bitcoin.
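What "solving the puzzle" means in practice, as an added example (not from the article): a brute-force search for a nonce whose block hash falls below a target, where each extra bit of difficulty doubles the expected work but verifying a found block still costs a single hash. Bitcoin's double SHA-256 is used here; Monero's CryptoNight is a different, memory-hard function, but the loop has the same shape. The header bytes and difficulty values are constructed for illustration.

```python
"""Proof-of-work mining, reduced to its loop (added example, not from the article).

Each extra bit of difficulty doubles the expected number of hashes, which is
why hijacked CPUs are worth stealing and why a block is cheap to verify but
expensive to produce. Header bytes and difficulties here are constructed.
"""
import hashlib
import time


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 over header || nonce (Bitcoin-style)."""
    data = header + nonce.to_bytes(4, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(difficulty_bits: int) -> int:
    """A valid hash must be below this value, i.e. start with difficulty_bits zero bits."""
    return 1 << (256 - difficulty_bits)


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a block costs one hash, however long the search took."""
    return int.from_bytes(block_hash(header, nonce), "big") < target_for(difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Search nonces from 0 upward; return (nonce, hashes_tried), or None if exhausted."""
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        if int.from_bytes(block_hash(header, nonce), "big") < target:
            return nonce, nonce + 1
    return None


def expected_hashes(difficulty_bits: int) -> int:
    """Mean hashes before a hit: each attempt succeeds with probability 2^-bits."""
    return 1 << difficulty_bits


if __name__ == "__main__":
    header = b"constructed block header: prev hash | merkle root | timestamp"
    for bits in (8, 12, 16, 20):
        t0 = time.perf_counter()
        nonce, tried = mine(header, bits)
        elapsed = time.perf_counter() - t0
        assert verify(header, nonce, bits)
        print(f"{bits:2d} bits: nonce={nonce:8d} tried={tried:8d} "
              f"expected~{expected_hashes(bits):8d} in {elapsed:.3f}s")
```

Running the script shows the work roughly doubling with every bit of difficulty while the check stays constant; a real network's difficulty is set so that all miners together need about ten minutes per Bitcoin block, which is the scale of computing power a botnet is trying to steal.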

Adylkuzz has proven to be far more lucrative than WannaCry; it's estimated that rogue Monero miners have raked in 10 times more money than the WannaCry hackers. It's also not the only cryptocurrency mining malware in town. A worm exploiting a Samba vulnerability (CVE-2017-7494, "SambaCry") has been installing a Monero miner on Linux machines, and, in a surprising twist, another piece of malware goes after Raspberry Pi devices, the tiny computers popular among tech enthusiasts, logging in over SSH wherever the default credentials were never changed. While it may seem counterintuitive to target such a small machine, the idea is not to hijack one device but tens of thousands, as the Mirai botnet did, and harness the combined power of a "zombie army."

Protecting Your Systems from Cryptocurrency Mining Malware

One of the reasons why Adylkuzz and similar malware are so successful is that many victims have no idea they've been hijacked. The symptoms of an infection are vague: general system sluggishness, because the miner is consuming the CPU, and a loss of access to shared network resources, because Adylkuzz shuts down SMB on the machines it infects to keep rival malware out. Neither symptom is the kind of thing users report to the security team, so detection has to come from telemetry: processes that stay CPU-bound for hours, and outbound connections to mining pools that no business application would make.

Critics of cryptocurrencies have long been calling for governments to regulate or even ban them, and WannaCry and Adylkuzz have added fuel to their arguments. However, because of the very nature of cryptocurrencies, any attempt to legislate them faces a protracted, uphill battle. The best defense against cryptocurrency mining malware is to employ the same proactive cyber security measures used to defend against ransomware, data breaches, and other cyber attacks: ensure that all systems and software are up to date; install new manufacturer patches as soon as possible; always change manufacturer default passwords; perform regular penetration testing; continuously monitor networks for anomalies; and address the human factor by training employees on cyber security best practices. For the SMB flaw that both Adylkuzz and WannaCry used, that means applying MS17-010 and disabling SMBv1 wherever it is not required.
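What "monitor networks for anomalies" looks like for a coin miner, as an added example (not from the article or any vendor's product): a triage pass over host and connection telemetry that scores three independent signals, sustained CPU use by a process that has no business being busy, outbound connections to ports commonly used by Stratum mining pools, and the Stratum JSON-RPC handshake itself. The log format, hostnames, process names, and addresses are constructed for the example; the port list and the CPU allowlist are assumptions to be tuned per environment.

```python
"""Triage of host telemetry for coin-mining malware (added example, not from the article).

Three signals are scored per (host, process): high sustained CPU from a process
outside an allowlist, outbound connections to typical Stratum pool ports, and
Stratum JSON-RPC messages in the payload. Any one alone is noisy; two or more
on the same process is worth an analyst's time. All sample data is constructed.
"""
import json
from dataclasses import dataclass, field

# Ports commonly used by Stratum pool servers (assumption; tune locally).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45560}
# "login"/"submit" belong to the CryptoNote (Monero) pool protocol;
# "mining.subscribe"/"mining.authorize" to the Bitcoin-style one.
STRATUM_METHODS = {"login", "submit", "mining.subscribe", "mining.authorize"}
CPU_THRESHOLD = 80.0
CPU_ALLOWLIST = {"backupagent.exe", "ffmpeg.exe"}  # assumption: site-specific


@dataclass
class Finding:
    host: str
    proc: str
    reasons: list = field(default_factory=list)  # (category, detail) pairs

    def categories(self):
        """Distinct independent signals seen for this process."""
        return {cat for cat, _ in self.reasons}


def parse_line(line):
    """Space-separated key=value fields; the free-text payload field must come last."""
    head, _, payload = line.partition(" payload=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["payload"] = payload
    return fields


def stratum_method(payload):
    """Return the Stratum method name if payload is a Stratum JSON-RPC message, else None."""
    if not payload.startswith("{"):
        return None
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    return method if method in STRATUM_METHODS else None


def triage(lines):
    """Aggregate signals per (host, process); strongest findings first."""
    findings = {}
    for line in lines:
        f = parse_line(line)
        key = (f["host"], f["proc"])
        reasons = []
        cpu = float(f.get("cpu", 0))
        if cpu >= CPU_THRESHOLD and f["proc"].lower() not in CPU_ALLOWLIST:
            reasons.append(("cpu", f"{cpu:.0f}% sustained"))
        dst = f.get("dst", "")
        if ":" in dst and int(dst.rsplit(":", 1)[1]) in STRATUM_PORTS:
            reasons.append(("port", f"outbound to {dst}"))
        method = stratum_method(f["payload"])
        if method:
            reasons.append(("stratum", f"method {method}"))
        if reasons:
            finding = findings.setdefault(key, Finding(*key))
            for r in reasons:
                if r not in finding.reasons:
                    finding.reasons.append(r)
    return sorted(findings.values(), key=lambda x: -len(x.categories()))


# Constructed telemetry: one process talking Stratum to a pool, one legitimate
# CPU-heavy backup agent, normal mail traffic, and one incidental pool-port hit.
SAMPLE_LOG = [
    'ts=2017-05-16T10:02:11Z host=ws17 proc=updater.exe pid=3128 cpu=97 dst=203.0.113.45:14444 '
    'payload={"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4AconstructedWallet","pass":"x","agent":"miner/1.0"}}',
    'ts=2017-05-16T10:02:12Z host=ws17 proc=updater.exe pid=3128 cpu=96 dst=203.0.113.45:14444 '
    'payload={"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"1","job_id":"7","nonce":"9a0b0c0d","result":"00000"}}',
    'ts=2017-05-16T10:02:13Z host=ws17 proc=backupagent.exe pid=880 cpu=91 dst=198.51.100.9:443 payload=',
    'ts=2017-05-16T10:02:14Z host=ws22 proc=outlook.exe pid=2210 cpu=4 dst=198.51.100.20:443 payload=',
    'ts=2017-05-16T10:02:15Z host=ws22 proc=svchost.exe pid=1104 cpu=2 dst=203.0.113.77:3333 payload=GET / HTTP/1.1',
]


if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"{fnd.host}/{fnd.proc}: signals={sorted(fnd.categories())} {fnd.reasons}")
```

On the sample, updater.exe on ws17 trips all three signals and goes to the top of the list, the backup agent is ignored despite its CPU use because it is allowlisted, and svchost.exe on ws22 shows up with a single weak signal (a port clash on 3333) that an analyst can dismiss quickly. Real deployments would feed this from EDR process data and firewall or proxy logs, and would add egress blocking of the pool ports once the miner is confirmed.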
