Op-Ed: The Orangeworm Attacks — Why You Should be Worried

In yet another cyberattack aimed at the healthcare industry, a hacker group named Orangeworm recently targeted healthcare orgs in the U.S., Asia, and Europe. The attacks were aimed at computers that control X-rays and MRI machines, in addition to other medical devices. Yikes.

The Orangeworm attacks not only highlight vulnerabilities specific to the healthcare industry, but also shed light on overarching cybersecurity deficiencies that can affect other industries. After seeing increasing numbers of these kinds of attacks, it’s apparent how many businesses aren’t prepared for a major cyberattack. There are several key points that businesses need to immediately improve upon to prevent similar cyber breaches from happening.

What Are the Orangeworm Attacks?

The attacks utilize Trojan malware to install custom backend software called “Kwampirs,” which gives the hackers the ability to execute various commands and access additional modules. Once activated, the malware can add a randomly generated string to its payload in order to avoid hash-based detection.

Kwampirs then copies itself across networks with the goal of infecting other medical machines and devices. According to Symantec, which released a report on the attacks, the incidents are likely motivated by corporate espionage.
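Why a hash blocklist misses copies that differ only by a randomly generated string, and a content-similarity check that still flags them: this is an added example, not code from the original article or from Symantec's report. The sample bytes, the 8-byte window and the 0.90 threshold are constructed assumptions.

```python
import hashlib
import random

SHINGLE = 8        # sliding-window width in bytes (assumed value)
THRESHOLD = 0.90   # assumed cut-off; tune against known-good files


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shingles(data: bytes, size: int = SHINGLE) -> set:
    """Every overlapping `size`-byte window of the data."""
    return {data[i:i + size] for i in range(len(data) - size + 1)}


def containment(reference: bytes, candidate: bytes) -> float:
    """Share of the reference's windows that also appear in the candidate."""
    ref = shingles(reference)
    if not ref:
        return 0.0
    return len(ref & shingles(candidate)) / len(ref)


def classify(candidate: bytes, known_hashes: set, references: list,
             threshold: float = THRESHOLD) -> tuple:
    """Return (verdict, score): exact hash first, content similarity second."""
    if sha256_hex(candidate) in known_hashes:
        return ("exact-hash", 1.0)
    score = max((containment(r, candidate) for r in references), default=0.0)
    return ("similar-content" if score >= threshold else "no-match", score)


# --- Constructed test data: random bytes standing in for files, no real sample ---
_rng = random.Random(2018)


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


KNOWN_SAMPLE = _random_bytes(4096)          # the copy an analyst already holds
KNOWN_HASHES = {sha256_hex(KNOWN_SAMPLE)}   # what a hash blocklist would contain

# Two further copies of the same content, each carrying a different random
# string: one at the end of the file, one in the middle.
COPY_APPENDED = KNOWN_SAMPLE + _random_bytes(24)
COPY_INSERTED = KNOWN_SAMPLE[:2000] + _random_bytes(24) + KNOWN_SAMPLE[2000:]
UNRELATED_FILE = _random_bytes(4096)


def scan_all() -> dict:
    """Classify every constructed file against the single known sample."""
    files = {
        "known_sample": KNOWN_SAMPLE,
        "copy_appended": COPY_APPENDED,
        "copy_inserted": COPY_INSERTED,
        "unrelated_file": UNRELATED_FILE,
    }
    return {name: classify(data, KNOWN_HASHES, [KNOWN_SAMPLE])
            for name, data in files.items()}


if __name__ == "__main__":
    for name, (verdict, score) in scan_all().items():
        print(f"{name:15s} {verdict:16s} {score:.3f}")
```

On real files, shared headers and padding inflate the score, so production tooling typically relies on fuzzy hashes such as ssdeep or TLSH, or on YARA rules over stable byte sequences.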

Main industries affected by the attacks include:

  • healthcare (39% of known targets)

  • drugmakers

  • IT solution providers for healthcare companies

  • equipment manufacturers servicing the healthcare industry

Secondary targets included:

  • manufacturing

  • logistics

  • agriculture

Orangeworm may also have had an interest in machines used to help patients complete consent forms. This means patient privacy and confidentiality may also be an issue.

The Orangeworm cyberattacks are likely not state-sponsored, but rather the work of an individual or group of individuals. We don’t see indicators at the moment regarding the group’s origin.

What Types of Cybersecurity Risks Do the Orangeworm Attacks Reveal?

The recent Orangeworm attacks speak volumes about the lack of cybersecurity preparedness exhibited by companies in the healthcare industry and other sectors. In short, we feel many companies are not prepared for a cyberattack for the following reasons:

Companies Lack Cybersecurity Guidance

Word started getting out regarding Orangeworm threats as early as 2015. That’s 3 years, which, in the cyber realm, represents ages in terms of new technologies and hacking techniques. Three years later, many healthcare organizations are still not prepared to defend against threats such as Kwampirs.

Part of the problem lies in a lack of education and leadership. There is an overall shortage of qualified cybersecurity experts and leaders who can train employees and IT teams on how to keep systems secure and updated. Without proper cybersecurity guidance, healthcare organizations often don’t know what risks they’re facing.

We’re excited to learn about new educational programs and curriculums that encourage students to pursue careers in cybersecurity and other related fields. In fact, one program in New York is making cybersecurity master’s degrees more affordable for the public. 

On the other hand, until the next strong generation of cybersecurity experts emerges, cybersecurity remains a global responsibility that businesses must keep top of mind in order to protect their assets. In the meantime, businesses need to take proactive steps now to ensure cybersecurity is a top priority.

We also feel there needs to be greater coordination between boards, executives and directors, and cybersecurity leaders. They should be mindful of previous incidents in related industries and understand that some threats may disappear only to later re-emerge in a more advanced form, as was the case with the Orangeworm hacks.

Cyberattacks Are Not Random

At first blush, cyberattacks may seem like they happen randomly. But according to reports, Orangeworm chose its targets very deliberately and conducted an impressive amount of planning before launching attacks. Specifically, Orangeworm’s list of secondary targets is of particular interest. These are industries which, upon closer inspection, support the healthcare industry in direct ways.

For instance, manufacturing targets made up 15% of Orangeworm’s victims. This includes large manufacturers that directly support the healthcare industry through the production and sale of equipment, including the medical imaging devices targeted by the malware.

This supports the notion that industry suppliers can be a major weak link in the cybersecurity chain. Thus, when assessing cyber risks and threats, companies should take a good look at:

  • how the supply chain is arranged for a particular business

  • which ancillary industries might affect the company

  • which supporting businesses might create additional cyber risks

While these questions might appear basic, they can shed light on the vulnerabilities that exist in a specific industry. The more you understand your place in the supply chain, the better protected you can be. Self-knowledge informs what type of target you are, why hackers might be interested in you as a target, and what types of targets your partners and suppliers might be.

Cyberattacks Exploit Gaps and Outdated Platforms

The Kwampirs malware exploited outdated platforms that many organizations in the healthcare industry still use. Older systems, such as Windows XP, created gaps in the overall security measures for healthcare organizations, thus increasing the risk of a data breach or cyberattack.

Generally speaking, cybersecurity tools may still be fragmented, and often don’t cover threats that can enter through vulnerabilities in antiquated operating systems. Complete, updated coverage is necessary, especially in the healthcare, legal, and financial sectors, which often use outdated software platforms.

The Future Depends on Strong Cybersecurity

Cyberattacks in the healthcare industry are particularly disconcerting not only because of the potential lost revenue, but also because people’s health and lives are at stake. It’s one of the reasons we’re so passionate about keeping industries safe and sharing knowledge transparently. The Orangeworm attacks should serve as a stark reminder for businesses and companies to make cybersecurity a priority, not an afterthought.

Attacks will continue to spread across supply chains and may affect various other critical infrastructure industries. Now is the time to bolster security efforts and devote the time and resources necessary for cyber preparedness.

Aeonian Endpoint Is A Comprehensive SaaS Security Tool For Your Business

Introducing a Simple, Integrated, SaaS Security Tool Focused on the Social Good

At a time when ransomware attacks occur every 40 seconds, and annual damages are forecasted to hit $11.5 billion, cybercrime poses a greater threat to businesses than ever before. Addressing this issue, San Diego-based ICE Cybersecurity developed Aeonian — a new type of endpoint security protecting people and devices all on one platform.

“We built the tool we all wanted, but didn’t have,” says Ford Winslow, co-founder and CEO of ICE Cybersecurity. “This is what we wish was installed when our response team arrives at a business that’s having a bad day. Aeonian gives us a fighting chance.”

Officially unveiled at 2-1-1’s Community Information Exchange Summit on April 17th, Aeonian offers an innovative, risk-based approach to endpoint monitoring and reporting that gives users a centralized dashboard comprising all security efforts. Aeonian is designed to be useful and contribute to the larger solution. 

“Aeonian isn’t about selling endpoints,” says Winslow. “It’s about helping people. We know better than anyone that cyber attacks can be painful and expensive. Aeonian makes it less painful and less expensive for everyone involved.” 

Aeonian software was developed with outcome in mind — a distinguishing feature from other security offerings, allowing ICE to provide your business protection and continuity.

“In most businesses, security tools are fragmented and don’t cover everything completely,” says Winslow. “Attacks come in through the gaps, but not with Aeonian as the center of your system. It encompasses everything, so you get complete coverage.”

“Everybody is scared of cyber right now,” says Winslow. “What we’re doing is building that platform of hope so we can make a difference by offering protection from the bad guys attacking you, your family, and your company.”

A complex and perilous cybersecurity landscape calls for comprehensive cybersecurity that manages loss and prepares for data recovery. Start protecting your people, your devices, and your data all in one platform. Aeonian can transform your fragmented landscape of tools into a single cybersecurity strategy that’s aligned, practical, and effective.

 

About ICE Cybersecurity

ICE Cybersecurity is changing the face of technology by bringing safety and risk reduction to the business as a whole. We believe that businesses are better when cybersecurity measures are aligned, practical and effective. Our unique platform and approach yield spectacular results for companies of all sizes.

 

###

2018 Winter Olympic Games Cyber Attack is No Laughing Matter

It didn’t take long for the 2018 Winter Olympics to be hacked.

News of the first hack broke shortly after the Opening Ceremonies were majestically unveiled for U.S. viewers the evening of Feb. 9.

What’s worth contemplating for cyber experts who track such threats was that the Winter Olympic Games cyber attack had its origins well before the Pyeongchang Games began.

Even with the Games’ $20 million cybersecurity apparatus — based on its gargantuan $13 billion total operating budget — seeds of the planned attack went undetected for at least several months — as far back as December 2017 and likely before.

The situation is similar to the Equifax cybersecurity meltdown, which also involved months of preparation prior to the actual cyber attack against a seemingly well-prepared and funded company.

The suspected culprit, in this case, a destructive wiper malware dubbed “Olympic Destroyer,” wreaked havoc in a number of ways, led by the crash of the Winter Olympics website, slowing ticket sales as the Games got underway.

The crisis was averted and went largely unnoticed.

Potential to Destroy Data

Luckily, the impact was relatively minor. Left uncontained, the Olympic Games cyber attack reportedly had the potential to destroy mass quantities of data and cause massive computer failures that conceivably could’ve brought the Games to a halt.

Following the opening ceremonies, Atos, the Paris-based IT provider hosting the Olympics’ cloud infrastructure, announced that the hack had been minimal and sufficiently contained.

But according to Cyberscoop, samples of the “Olympic Destroyer” malware indicated the hackers also gained access to large swaths of personal information for Atos’ thousands of on-site employees.

How could that happen?

Common Tactic Used by Criminal Hackers

Most likely the cyberthieves targeted one of Atos’ supply-chain vendors and penetrated systems, a common tactic used by both nation-state and criminal hackers.

As for the hack’s geographic origins, early indications pointed to France (home of Atos) and Romania, where many of Atos’ security team are headquartered. The usual culprits — Russia, China, and North Korea — are also suspected, though, as with virtually all cyber attacks, pinning down such sites is often impossible.

For its part, the Russian foreign ministry issued a statement that denied any involvement, claiming in part:

“We know that Western media are planning pseudo-investigations on the theme of 'Russian fingerprints' in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea. Of course, no evidence will be reported to the world.”

Meanwhile, cyber-researchers are keeping in mind that:

  • The 2018 Winter Games are being staged only 50 miles from the border with North Korea, one of the world’s most belligerent nation-states.

  • Technically, North Korea remains at war with South Korea since their 1950-1953 war ended in a truce rather than a peace treaty.

  • In the Opening Ceremonies, the teams marched together at an Olympics opening ceremony for the first time since 2006.

Which is among the many reasons the International Olympic Committee (IOC) took out insurance protection estimated at around $800 million to cover a range of calamitous events – ranging from cyber attacks to declaration of war, actual war or acts of war.

Is hacking the next Olympic sport?

 


How Bad was the Equifax Data Breach?

New Information Shows the Breach Worse than First Reported

How worried should you be about last year’s Equifax data breach?

Very.

That’s the warning for the more than 145 million Americans — nearly half the nation’s total consumers — whose personal data was compromised in what ranks among the largest and most significant cyber scourges in history.

In first responding to the highly publicized September 2017 breach, Equifax reported that the hacked information included (only) the following:

  • Names

  • Social Security numbers

  • Dates of birth

  • Addresses

  • Driver’s license numbers

Now, according to The Wall Street Journal and other outlets, Equifax disclosed in a sealed document submitted to the Senate Banking Committee that the following data also was accessed:

  • Credit card numbers

  • Tax ID numbers

  • Email addresses

  • Driver’s license issue dates

  • Driver’s license states

 

A Series of Investigations by Federal and State Officials

What’s extremely disturbing about the latest revelations is this: It took a series of investigations by federal and state officials – led by Congress – to bring the hack’s full impact to the light of day.

Three things to consider:

  • The Equifax hack was far more invasive than previously reported

  • Companies like Equifax keep records of far more personal information than most consumers realize

  • If you’re among Equifax’s 145.5 million scammed consumers, cyber criminals now have far more access to your finances

A nearly $900 million company based in Atlanta and one of the national credit bureaus, Equifax is now scrambling on several fronts. Not only because its initial report glossed over the full extent of those adversely affected, but because of its slow response to users and lawmakers.

First, the company failed to adequately inform its users -- many of whom had no idea the company was keeping such personalized data on them in the first place -- that they were, indeed, very vulnerable.

Then, in the hack’s immediate aftermath, the company’s CEO, Richard Smith, resigned under pressure. A few months later, he was rebuked by Senate committee members for evasive non-responses to their questions.

Plus, in a side development fraught with political intrigue, the Consumer Financial Protection Bureau (CFPB), the federal agency created by the Dodd-Frank Act as a banking and credit watchdog, immediately halted its inquiry into the Equifax data breach following the change in leadership.

Maybe they hoped it would go away.

Heading the Office of Management and Budget

Equifax now offers its clients free credit “freezes” through June 30. Freezing your credit helps prevent new accounts from being opened in “your” name. But remember, if you actually do need a home loan, new credit card, or want to open a bank account, that temporary freeze will need to be lifted.

Not quite enough to erase the psychic and fiscal pain of millions of consumers like you and probably everybody you know.

Negligence by Equifax? Certainly.

Negligence on the part of the federal agency that’s supposed to protect millions of U.S. consumers from the dizzyingly inadequate cyber security of companies like Equifax?

Most definitely.


If you would like to get started on a comprehensive cybersecurity plan to protect against hacks like the Equifax breach, ICE can be of value to your organization.

Contact us today and let our cybersecurity experts elevate your company’s security measures and put your risk on ICE.

 


Chinese Tech Companies Were the First to Know About the Intel Chip Flaw

A member of Google’s Project Zero Security Team discovered a flaw that affects computer processors built by Intel and other chipmakers. The initial discovery came a week before Intel planned to release information about the flaw, but not before Intel informed Chinese tech companies like Lenovo and Alibaba.

Google’s Project Zero team has concerns about the flaw allowing passwords and other sensitive data to be gathered from system memory. Both Intel and Google were planning on releasing information about the flaw after fixes were made available. Intel was forced to disclose early when British technology site ‘The Register’ reported it.

Intel’s decision to disclose to Chinese tech companies before the U.S. Government raises concerns from cybersecurity experts. It could have allowed information about the chip flaws, dubbed Spectre and Meltdown, to be obtained by the Chinese government before public release.

Spectre and Meltdown Affect Billions of Devices

These bugs potentially subject individuals and businesses to hackers. There’s been no report yet of the bugs causing a breach, but hackers are scrambling to create and release exploits while companies are in a mad dash to update their software and devices.

Fixing the problems will slow computer performance, especially on devices older than five years. So this problem could be a potentially massive undertaking for companies without the budget for new hardware. These bugs also affect companies that deal with more network traffic and processing power, like cloud providers, retailers and healthcare systems.

Big players (Microsoft, Amazon, Apple and Google) are rolling out fixes quickly, but there have already been snags. Some Microsoft Azure customers reported their machines failed to come back online after installing updates.

Some patches aren’t automatic because they can cause programs to crash, so businesses will be on the hook to make sure anti-virus and other security tools are compatible with the update, said Dmitri Alperovitch, co-founder and CTO of Crowdstrike.

How Should Companies Protect Themselves?

The biggest concern with Spectre and Meltdown is that breaches will happen quietly. Problems may not be immediately apparent the way they are with ransomware. If systems are performing, companies might not bother updating their hardware and software.

Updating computer systems is already time-consuming and expensive for businesses, but it is essential. It’s only a matter of time before hackers start exploiting these bugs on vulnerable systems.

If you find the concern is overwhelming your business, consult an expert.

Cybersecurity Landscape for 2018

NotPetya. WannaCry. Spora. Sound all too familiar?

This year’s onslaught of global cybercrimes rightly struck fear into anyone who uses a laptop, a hand-held device or owns a business. With each attack, the anxiety factor grows into a sense of vulnerability, dread, even helplessness.

Looking ahead to 2018, what’s your best defense? How can you protect your family, your company, your employees and business reputation from the potentially dire effects of identity theft and the scourge of ransomware?

Meet industry experts to hear their 2018 cyber forecast at our “Cybersecurity Landscape for 2018,” a 45-minute thought leadership panel discussion set for Thursday, November 16. The event will run from 6:00 pm to 8 pm, at ICE Cybersecurity, located in the NEST building in Bankers Hill.

 Moderated by ICE Founder/CEO Ford Winslow, the event will introduce you to key industry players who will share their assessment of the next level of cybersecurity threat.

Scheduled panelists include:

  • Ted Harrington, Independent Security Evaluators

  • Paul Groom, National Strategic Account Manager, SonicWALL, Inc.

  • Paul Leet, Solutions Architect, SonicWALL, Inc.

  • Roy Bettle, Vice President, Sales & Strategy, ICE Cybersecurity

Light food and drinks will be available at the complimentary event, sponsored by Seceon and SonicWALL.

Who Should Attend: C-level officers interested in assessing cyber threats for 2018.

Can't make it? Contact Roy Bettle, VP Client Solutions at 442-273-0910 to share our post-event write-up.

3 Ways Ransomware Affects Healthcare Cybersecurity

Ransomware encrypts files and effectively locks users out of their computers and data. Those behind this type of cybersecurity attack then ask for money - ransom - in exchange for your data. It is estimated that 7.4 million new malware programs will be released in 2017. That’s about 850 per hour.

Most ransomware is delivered in an email. In healthcare systems, ransomware can make its way in through common programs like electronic health record and billing systems. Most ransom is paid in bitcoin, making it difficult to track criminals once the ransom has been paid.

 

1. Ransomware Halts Patient Care

 

Hospitals across England and Scotland were forced to cancel routine procedures and divert emergency cases after a May 12, 2017 ransomware attack that affected 99 countries. X-rays were halted. Chemotherapy treatments were put on pause. Records necessary to perform surgery were inaccessible. Critical test results were inaccessible. Affected healthcare workers stated that they were not aware of the issues with dated hardware, software and cybersecurity measures until the attack had already compromised patient care.

 

2. Ransomware Compromises Patient Records

Records for over 200,000 patients were leaked in a ransomware attack on Atlanta-based Emory Healthcare on Jan. 3, 2017. Files included names, addresses, emails, birth dates, medical record numbers and cellphone numbers. Medical record breaches have also leaked mental health and medical diagnoses, HIV statuses and sexual assault and domestic violence reports. Whether or not the records were used by criminals, Emory Healthcare’s patients suffered breach notifications, loss of trust and ultimately more barriers to healthcare.

3. Cybersecurity Attacks Cause Financial Loss

Remember those leaked patient records? A recent study conducted by the Ponemon Institute for IBM estimated that breaches cost U.S. companies on average over $7 million per breach. That’s an average of $215 per breached record. Additionally, companies like Merck had their supply chains for distribution of medical products disrupted by ransomware in June 2017.

Prevent Ransomware Attacks with Cybersecurity Assessments

It is the current recommendation of the FBI that public and private health entities have their networks checked for vulnerabilities by a professional and then work with internal or 3rd party teams to resolve issues and maintain a secure posture.

6 Cybersecurity Action Steps for Corporate Directors

Equifax Cybersecurity Incident Response Under Investigation

Equifax, one of the major credit reporting agencies in the U.S., reported a data breach Sept. 7 that affected 143 million consumers. The hack is one of the largest ever recorded and may have released personal details of an estimated 44% of the U.S. population.

According to The Apache Foundation, makers of an open-source software used by Equifax to create Java web applications, cybersecurity professionals offered Equifax security updates that would have resolved the vulnerability two months prior to the hack.

The U.S. Federal Trade Commission, the congressional House Oversight Committee, the Consumer Financial Protection Bureau, multiple state-level attorneys general and departments of financial services have all begun investigations of the breach and Equifax’s cybersecurity incident response.

Board of Directors at Risk Over Cybersecurity

This week Equifax announced that their Chairman, Richard Smith, has stepped down as CEO following the cybersecurity breach. The week before, Equifax’s chief security officer and chief information officer stepped down as well. Despite the distance that exists between the senior executives of large organizations and their IT professionals, executives are largely held accountable for oversights, especially when they have a negative impact on consumers.

Corporate directors need to pay attention to the wide range of cybersecurity risks uncovered by this attack, and should implement measures to address any vulnerabilities their companies face. In times like this, any board will come under extreme scrutiny. They will be asked how they handled several executive issues, including board management, data privacy oversight, and executive compensation policies.

In particular, all boards should be concerned about cybersecurity policies and examine their capacity to defend against today’s rapidly expanding data theft. Henry Stoever, Chief Marketing Officer at National Association of Corporate Directors (NACD), says, “There are two kinds of companies: those that know they’ve been hacked, and those that don’t know they’ve been hacked.” Accordingly, Stoever states that there are six action steps for corporate directors to take to improve cyber security measures:


Six Cybersecurity Action Steps for Boards

  1. Approach cyber security as an enterprise-wide risk management issue, not an IT issue

  2. Understand the legal implications of cyber risk as they relate to their company’s specific circumstances

  3. Ensure boards have adequate access to cybersecurity expertise

  4. Facilitate discussions about cyber risk management on a regular basis and allow adequate time on board meeting agendas for robust discussions with the management team and external cyber experts

  5. Require the management team to establish an enterprise-wide cyber risk management framework with adequate staffing and budget

  6. Strategize discussions with management to include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance — as well as specific plans associated with each approach

Cybersecurity Incident Response and Accountability

In a statement released to the public, Equifax CEO Richard F. Smith stated, “This is the most humbling moment in our 118-year history.”

Equifax has the opportunity now to refine their accountability practices. Public opinion and stock value for Equifax have suffered as a result of the incident, the late release of information to the public and the subsequent discovery of issues with the company’s phone system and website. Taking steps to ensure regular assessment of their compliance and performance would go a long way in earning back the public’s trust.

The lesson here for every board member is that cybersecurity is an increasingly important enterprise issue that affects all levels of an organization’s operation. It requires comprehensive strategy and risk assessment. Cybersecurity is complex and must evolve quickly to combat cyber threats of increasing severity. These threats can cause significant financial, competitive and reputational damage.

If you’re not sure how to get started with a robust cybersecurity plan, ICE can help. For many companies, our Managed Security Services can cost-effectively solve these issues quickly and completely. Contact us today and let our experts help you improve your company's security and put your risk on ICE.

How to Avoid Your Own Equifax Cybersecurity Meltdown in 7 Steps

Equifax reported on September 7, 2017 that there is "No evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases". This is a very important statement because the data in those core databases support every personal or commercial loan in the United States. Business in the U.S. grinds to a halt if credit data can't be trusted.

The Equifax hack is a “near-miss by cyber-weapon targeted at our financial system,” according to Ford Winslow, business, cybersecurity and IT expert, of ICE Cybersecurity.

Every interest rate on every personal or corporate loan could be called into question if the data used to underwrite the loan were to be compromised, according to Winslow. The securities market could turn upside-down immediately. Currently the Federal Reserve issues over $200 Billion in overnight loans every day. Over the period of the breach, that’s about $15 Trillion in loans that could be impacted: $150 Billion in interest payments were paid based on credit ratings.

What Happened

On September 9th, 2017, Equifax, one of the major credit reporting agencies in the U.S., reported a data breach affecting 143 million consumers. The company stated that criminals exploited a web app vulnerability to gain access to confidential files. The hack may have released the personal details of 44% of the U.S. population, and is one of the largest breaches ever recorded. These personal details include names, social security numbers, birthdays, addresses and driver’s license numbers. The hackers obtained 209,000 credit card numbers, and 182,000 documents with personal identifying information on them.

This breach has massive implications. Not only are the consumers in question at an increased risk of identity theft, but the security of countless other websites and organizations could be at risk. The information asked during routine identity verification checks is roughly the same information that was compromised in the hack. Equifax created a website after the breach to help consumers find out if their data has been compromised: www.equifaxsecurity2017.com. The website asks for your information and lets consumers know whether or not their data was affected. It also prompts affected consumers to enroll in Equifax’s data protection service. At present, using the site might also prevent consumers from participating in any class action lawsuits against Equifax.

Cybersecurity is Mandated by GLBA

Two class-action lawsuits have already been filed against Equifax. The Financial Services Modernization Act of 1999, or Gramm-Leach-Bliley Act (GLBA), regulates how financial service institutions use and safeguard user information. While it is unclear whether or not Equifax violated the core tenets of GLBA provisions, some individual states have added provisions to the Act themselves. Oregon legislation requires that institutions notify the consumer “in the most expeditious way possible.” Since the breach was discovered on July 29, and Equifax didn’t notify investors of the breach until September 7, after selling a great deal of their own stock, things are not looking good for Equifax.

This is not the first time that Equifax has been compromised. Earlier this year, W-2 tax data was stolen from TALX, an Equifax subsidiary that provides online payroll and tax services to large U.S. corporations. In 2016, criminals stole W-2 tax and salary data from a different Equifax website. Since the sensitivity of the data compromised has become progressively more severe, and the number of consumers affected has progressively increased, Equifax is now under a great deal of scrutiny for potentially negligent cybersecurity controls.

Cybersecurity Begins at the Top: Boards of Directors Should Be Worried

“Organizations need to understand the legal implications of cyber risk as they relate to their company’s specific circumstances,” said Henry Stoever, Chief Marketing Officer of the National Association of Corporate Directors (NACD). Companies need to ensure their boards have adequate access to cybersecurity expertise and regular discussions about risk-management are occurring with the frequency NACD recommends.

It is particularly important for companies to have multiple layers of cybersecurity controls. Many companies today house a significant amount of personal and financial data, all of which may be at significant risk.

What can companies do to prevent cyber security data breaches?

Security breaches are inevitable. However, there’s prevention, detection and response. Ransomware alone is a $75 billion industry, so having prevention measures as standard operating procedures is a critical first step. 60% of all attacks are carried out by insiders, and 25% of those involve inadvertent incidents.

The latest M-Trends report finds that the average incursion lasts 205 days before detection. So basic cybersecurity practices such as continuous monitoring could have detected the data breach in hours rather than months.

7-Point Cybersecurity Checklist For Any Organization

1) Integrate cybersecurity into web app development:

In almost every organization, security is not part of application development. Integrating security team members into application development has traditionally been seen as slow, expensive and ineffective. How much is too much to spend on securing data?

2) Continuous cybersecurity scanning for vulnerabilities:

We don't know if this vulnerability was something known that could have been patched or a "Zero-Day" vulnerability. If it turns out that the vulnerability was already known, continuous vulnerability scanning would have discovered the gap and allowed for detection, response and repair.

3) Full-Restore Data Backups: 

Backup all critical information, then make sure it can be restored upon demand. Backups should be stored offsite and offline. Backups should be tested for full restoration of data.

4) Staff Training:

According to Harvard Business Review, 60% of all attacks are carried out by insiders. 75% of those are malicious and 25% are inadvertent, such as clicking on a phishing email. Staff must be trained on best cybersecurity practices continually and during the onboarding of new hires.

5) Incident Response:

Ensure a company-wide, top-down-bottom-up incident response plan and handbook for staff is in place, up to date and tested regularly.

6) Continuous penetration testing:

Penetration tests (Pen tests) mock up attacks and discover where systems can be breached. Most financial organizations do penetration testing annually, or more. With modern tools and automation, penetration testing can, and should, be done continuously and randomly.

7) Data mapping and security architecture:

Many organizations don't have a good grasp on where and how sensitive data can be accessed. In this case, attackers were clearly able to exploit a user account that had significant privileges to view data. A good security architecture plan may have helped Equifax limit the damage by restricting how many records were breached.

If you’re not sure how to get started with a robust cybersecurity plan, ICE can help. For many companies, our Managed Security Services can cost-effectively solve these issues quickly and completely. Contact us today and let our experts help you improve your company's security and put your risk on ICE.

ChefConf 2017: Technical Artists at Work

In May, we spent three days in Austin, Texas, at ChefConf 2017 learning about DevOps culture, workflow, infrastructure automation, and continuous application delivery.  The event, hosted by Chef, was the best technology conference we’ve attended this year (for reasons both technological and not – see below! ;).

Keynote speakers included executives from Chef, Microsoft, Google, Verisk Analytics, and more. Workshops touched on managing DevOps teams, along with ways numerous Chef tools can help your organization remain compliant, secure your infrastructure, and take advantage of new automation features.

Here are three key things we learned from this year’s event.

Continuous Integration Solutions

We left feeling that Chef's offerings have matured to the point where a full CD pipeline approach is very viable. The latest updates to Chef Automate & Habitat have sharpened them significantly into an end-to-end Continuous Development/Continuous Automation solution. Case studies from companies that implemented Chef, an exploration of new toolsets and features, and a look at their roadmap for the future provided a lot of insight into the latest DevOps trends.

A few key things we noticed in the breakout sessions:

  • Comprehensive dashboard views inside Chef tools
  • Compliance dashboard for a thorough overview of risks and compliance issues
  • Heavy focus on power and clarity in solutions
  • Habitat now includes a builder service, adding yet another capability for managing the CD pipeline with Chef tools
  • Habitat automatically incorporates all dependencies
  • Updates and point-in-time backups are applied automatically in AWS OpsWorks, a fully managed Chef Automate service.

Sessions were also awesomely heavy on live demos, providing a richer learning experience than slides alone could offer. For instance, a demo of adding a compliance check for a new vulnerability took less than one minute to add a new test and re-test the infrastructure environment.  

In a session focused on Habitat, speakers stressed the key difference between a “choreography” and an “orchestration” in a tool. While the two terms share similar meanings, the differences in approach create different results upon execution.

Orchestration involves a top-down approach where a person issues a command and awaits a response. This approach is an older development model. Choreography, on the other hand, is a more collaborative process. Think of it as asking a band to play a song. You don't ask each band member what to play. Instead, you ask the musicians and let them self-organize to create beautiful music. This is Habitat!

DevSecOps Trends

We especially liked the focus on security and DevSecOps. A few highlights:

  • InSpec can be run on a schedule, which means continuous compliance
  • InSpec's declarative language is human readable and auditor compliant
  • Chef is now an official contributor to the “DevSec Project” (http://dev-sec.io) to provide template cookbooks for hardening and compliance

Culture And Camaraderie

A final key takeaway from ChefConf is the ability to look inside company culture to reveal how it impacts employees. Chef takes cues from Google, both in being a hip company and treating employees like royalty.

To me, Chef’s team is a collective of technical artists. They’re among the best of the best in the ways they plug into the open source community. By engaging with the greater community, the team is able to foster an environment of innovation and collaboration. Just as collaboration makes for a better experience with Chef’s tools, the company also creates an environment to foster innovation among the greater DevOps community. Chef’s roadmap, current project status board, and Dev team Slack channel are all public. Anyone is welcome to create recommendations and interact with the team to request the features and knowledge you want to have.

The company is totally transparent to the community and works with the community as peers. If we had to guess, we’d say Chef CTO/Co-Founder Adam Jacob had much to do with this community-first methodology.

This culture was reflected in the conference itself. Just like other leading-edge tech companies, there was no shortage of ping-pong tables, skee ball, giant Jenga, and bean bag chairs. In the Habitat lounge, you could enjoy a cold brew while checking out a demo.

Making each and every person at the conference feel welcome and valued was intertwined in the very fabric of ChefConf. The event’s code of conduct expressed diversity and inclusiveness among its core values, in addition to ensuring that no attendees felt discriminated against or harassed.

Commitment to creating a welcoming environment for all didn’t stop with the code of conduct. Dedication to inclusiveness was reflected everywhere from the specially made “inclusive bathrooms” signs to actions in each session.

Before a session began, everyone in the audience was asked to stand and clap to welcome the speaker to the stage. It may have been a small show of goodwill, but this simple action made a huge difference for everyone in the room. Every speaker mentioned how a warm welcome set the stage for a more engaging talk. And it showed. The speaker’s comfort was clearly reflected in the quality of the session.

Warm and friendly vibes carried through to the very end of the conference. Once the final keynote wrapped up, the more than 1,500 audience members stood up to partake in a giant group hug.  

Organizers also spared no expense for the Chef Community Party. They reserved the entire Stubbs venue. For those of you familiar with Austin, you know this was no small feat or budget. Bands and DJs performed on outdoor and indoor stages, and there was plenty of food and drink for all.

The result of the focus on culture? Chef attracts the best talent and encourages unique people, which leads to true innovation. After spending time with the Chef team, we couldn’t help but think, "Ok, THESE are our people." After this year’s informative, inclusive, and downright fun event, we’re counting down the days to next year’s conference.