What the NSA Hack Says About Cyber Security in America

In a Mr. Robot episode come to life, an anonymous group of hackers calling themselves the Shadow Brokers has compromised the U.S. National Security Agency (NSA). The NSA hack involved the release of elite hacking tools used by the spy agency to conduct cyber espionage. The Washington Post reports:

A cache of hacking tools with code names such as Epicbanana, Buzzdirection and Egregiousblunder appeared mysteriously online over the weekend, setting the security world abuzz with speculation over whether the material was legitimate.

The file appeared to be real, according to former NSA personnel who worked in the agency’s hacking division, known as Tailored Access Operations (TAO).

“Without a doubt, they’re the keys to the kingdom,” said one former TAO employee, who spoke on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”

The NSA hack is sending shockwaves through the cyber security industry, not just because one of the most secure systems in the world just got hacked, but also because the hack didn’t just expose government secrets; it exposed significant zero-day vulnerabilities at major U.S. corporations, including companies that, ironically, sell enterprise cyber security services.

While there are rumors that the Shadow Brokers are Russian nation-state hackers, no one knows for certain. No one knows how the Shadow Brokers managed to access the NSA’s data, either. The NSA is refusing to comment on the leak. However, since nearly all data breaches are the result of hackers getting their hands on legitimate login credentials, either through carelessness or malicious intent on the part of an organizational insider, it’s reasonable to theorize that the leak originated within the NSA. It could have been as simple as an employee clicking on a phishing email or sticking an infected flash drive into a machine.

The NSA hack also begs the question, if a covert government spy agency’s data isn’t secure, what’s the state of everyone else’s information security? From a rash of ransomware attacks on the healthcare industry, to an epidemic of tax data spear phishing schemes, to the hijacking of the SWIFT Network bank messaging system, to the Wendy’s POS data breach, to an amateur managing to hack the Houston Astros database, to information security providers being caught with their pants down in the NSA breach, 2016 has been a banner year for cyber criminals – and we’ve got four more months to go.

Rather than panicking, now is the time to ask yourself, how secure are your organization’s systems? Are you approaching your cyber security proactively, or are you taking a reactive approach, scrambling to clean up the mess once a breach has occurred? Have you been trying to handle your cyber security in-house but are struggling to keep up with all of the new technological advances and cyber security threats? Do you suspect there are hackers in your system right now, either from the outside or within your organization, but you don’t know to find and deal with them, and then keep new ones from coming in?

You’re not alone. Today’s information systems are increasingly complex, and so are the attacks that hackers launch on them. Many organizations simply do not have the resources to handle all of their information security needs in-house, and they find that scrambling to do so leaves them with lax information security while taking away time and resources from their core competency.

The NSA hack should be a wakeup call to organizations in all industries and of all sizes to reevaluate their cyber security efforts and, if they have not already done so, enlist the services of a professional cyber security firm to ensure that they are fully protected.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help secure your organization’s data.

Healthcare is one of the most regulated industries in the U.S. HIPAA, or the Health Insurance Portability and Accountability Act of 1996, requires healthcare organizations and their third-party service providers, such as labs and billing companies, to have data security measures in place protect patients’ private health information (PHI). HIPAA compliance is complex, and the penalties for non-compliance are stiff; if a facility’s PHI is breached, and it is found they were not compliant with HIPAA, the facility could face millions of dollars worth of fines. In some cases, company executives can even be held criminally liable.

C-level executives in the healthcare industry may not understand the intricacies of ransomware attacks or phishing schemes, but they do understand the seriousness of HIPAA compliance. They also fall into the trap of thinking that if their organization is compliant with HIPAA, that means their systems are safe. As a result, they devote most or all of their cyber security resources to complying with HIPAA.

HIPAA compliance is crucial – but a cyber security plan cannot start and end with HIPAA compliance.

HIPAA Compliance Is Only a Starting Point to Protect Patient Data

Today’s healthcare IT environment is highly complex. In addition to electronic health records (EHRs), mobile technology, cloud applications, electronic health exchanges, and Internet of Things (IoT) devices are growing in popularity. These technologies are making it easier for healthcare providers to deliver quality care and are improving patients’ lives, but each new gadget and application means new vulnerabilities for hackers to exploit.

In a recent survey of information security experts conducted by the Brookings Institution, most respondents indicated that they felt HIPAA does not sufficiently address modern healthcare data security issues, mainly because the law is light on specifics. HIPAA compliance is primarily about demonstrating that an organization has met certain documentation and procedural requirements. It does not outline precise technical safeguards.

The proof that HIPAA compliance is insufficient to protect against ransomware and data breaches is in the statistics. Healthcare is the most likely industry to experience a data breach. Nearly 90% of healthcare organizations – and 60% of third-party healthcare vendors – have experienced at least one breach. Nearly 80% have had two or more, and nearly 50% have had three or more.

Why Isn’t HIPAA Compliance Enough?

There are several reasons why HIPAA compliance does not provide full data protection on its own. First, it isn’t meant to. Technology simply changes too quickly for any legislation to keep up. By the time a new set of rules were written, they’d already be out of date! This is why HIPAA focuses on what organizations need to achieve, not on precisely how they should go about achieving it. Second, every organization’s IT environment is different. A data security plan that works well at one facility may fall flat at another. Finally, compliance rules cannot adequately address the threats posed by mistakes, negligence, or malicious acts on the part of a facility’s employees, which cause nearly half of all data breaches.

HIPAA compliance should be the starting point – not the entirety – of a comprehensive, proactive healthcare data security plan.

Many healthcare organizations do not have the resources to handle all of their information security needs in-house; many others don’t know where to start. This is why they should partner with a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization.

Doping allegations, illegal gambling, and other attempts to game the system and give a player or a team an edge have long plagued the professional sports world. Now, the cheating has gone cyber. Chris Correa, a former executive with the Saint Louis Cardinals MLB team, has been sentenced to nearly four years in prison for hacking into the Houston Astros’ database and stealing confidential information that could have given the Cardinals an unfair advantage. It is unclear how many other Cardinals employees – if any – were aware of the Houston Astros hack, and the MLB is looking into taking action against the team as a whole.

However, whether or not the MLB decides to sanction the Cardinals, the Astros need to clean up their cyber security act, and other organizations should take heed of the mistakes the team made.

How Did the Houston Astros Hack Happen?

Although it involved the glamorous world of professional sports, the Houston Astros hack was just like most other data breaches. It happened not because a hacker found a “backdoor” into the system but through the use of stolen login credentials. Many times, these credentials are stolen via a phishing scheme, but Correa didn’t have to bother with putting one together; in fact, he may not have possessed the technical prowess to launch a phishing scheme.

According to court documents, a former Cardinals employee, identified only as “Victim A,” left the Cardinals to join the Astros organization in late 2011. Victim A was instructed to hand over his work laptop – and its password – to Correa. Correa, apparently figuring that the employee would use the same password or something very close to it in his new position, attempted to use the information to access the Astros’ database. He eventually figured it out and proceeded to steal confidential information regarding the player draft, trade negotiations, and other sensitive data. Even worse, after the Astros updated their database, Correa was able to obtain the new login information by accessing Victim A’s email account, where he found a message containing default login information to the new database system.

While Correa’s behavior was reprehensible, the Houston Astros hack didn’t have to happen. The organization could have prevented the breach by taking a few basic proactive security measures:

• Victim A’s practice of using a password that was very similar to the one he’d used at his previous job is a common error; despite security experts advising them otherwise, most people use the same password for multiple sites. Employees should not be allowed to choose their own passwords; instead, they should be assigned strong passwords and be required to change them on a regular basis.
• Systems that contain highly sensitive data should require multi-factor authentication upon login, not just a user name and password.
• Default login information should never be disseminated to employees through email. This information should be given to each employee in hard copy, and the system should automatically require the employee to change their default credentials the first time they log in.
• All systems should be continuously monitored for anomalous activity, such as an employee logging in from an unusual location or at odd hours.

The Houston Astros hack should be a wakeup call to organizations in all industries. It was not masterminded by a skilled hacker but a regular individual who took advantage of basic security flaws. Instead of being proactive, the Astros were reactive with their information security, and Correa’s plea deal estimates that their carelessness with employee passwords cost them $1.7 million.

Many organizations do not have the resources to handle all of their information security needs in-house; many others don’t know where to start. This is why they should partner with a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization.