by Felicien | Sep 7, 2018 | Education
An Office of Inspector General (OIG) report from the Federal Department of Health and Human Services (HHS) finds that Maryland failed to secure its Medicaid Management Information System (MMIS) against several avenues of attack.
What Security Violations Did Maryland Commit?
The report, available in summary form at OIG Report on Maryland MMIS Security, does not go into detail for fear of revealing the nature of the vulnerabilities and possibly exposing the MMIS to penetration. It does note that, in addition to other techniques, automated penetration testing tools were used in an attempt to break into the system. The report indicates that these tools succeeded.
How Attacks Are Evolving
Other reports have noted that automated penetration tools are getting more sophisticated over time, and now far exceed the sort of attacks that were driven by “script kiddies” in the last decade. On top of that, despite increased efforts at email security and training workers in cybersecurity hygiene, phishing attacks, in which a phony email is used to get a user to perform an action that leads to system penetration, are all too common.
Because of the lack of detail in the OIG report, we can only speculate about what was attacked and what methods of penetration were used. Consider this, though. The typical MMIS is a mainframe-based system that is accessed from terminals. It usually runs some version of Windows over networks that often must, of necessity, be routed partially over the public internet. Even if a virtual private network (VPN) is used for the connection, the “attack surface” – the set of points and vulnerabilities through which a bad actor could attack a system – is expansive.
All the attacker has to do is gain access to an unencrypted portion of the traffic. Inserting malware, such as ransomware or keyloggers, is simple from that point on. The lesson is that one must avoid penetration at all costs.
Was There A Cyber Security Attack on the Maryland MMIS?
The OIG report specifically notes that there is no evidence that the Maryland system had, in fact, been penetrated. But consider what might have happened if it had. The MMIS is used to pay Medicaid providers. While providers often complain that Medicaid payments are less than their cost of service, the aggregate amount of money involved is huge. Nationally, Medicaid spent almost 596 billion dollars in 2017. The expense is very roughly split 50/50 between the states and the Federal government for the traditional Medicaid population. For the people that were brought in under the Affordable Care Act (ACA) Medicaid expansion, the Federal government pays 90%.
A Huge Payday for Hackers
So, there is a pool of more than half a trillion dollars, potentially payable to providers, for hackers to attack. The MMIS in most states has modules for beneficiary enrollment, provider enrollment, recording of services rendered, and provider payments. A hacker who had control of the system could create phantom beneficiaries, phantom providers, bill for nonexistent services, and generate checks to pay the nonexistent providers for not providing them. Once the hacker is in the system, a potentially huge piggy bank is opened. The OIG’s principal worry in its report was the possible exposure of Medicaid data to the public, but the possibilities for fraud are equally worrying.
Why Does It Take So Long For Hacking To Be Discovered?
How quickly such a penetration would be detected is a function of the security measures the state has in place. The mere fact of finding a penetration does not, in and of itself, reveal where the miscreant was or what the hacker did. That requires checking of audit logs and development of a trail. Depending on what events are logged, even that might not be enough. In a worst-case scenario, not until some other event – a beneficiary notice returned as undeliverable, a bank questioning an electronic deposit, and so on – would sufficient suspicion be generated to lead to the discovery of phony providers and phony beneficiaries.
Holes In The Medicaid System
The MMIS includes tools for surveillance and utilization review, but their basic functions are still fairly unsophisticated, relying on detection of statistical outliers. Depending on where the limits are set, cases that are truly concerning may be missed. We can draw some instructive lessons from looking at what has been found out about HIV drug prescriptions under Medicare. In one case, a 48-year-old in Miami went to 28 different pharmacies to pick up HIV drugs worth over $200,000, in doses that were more than ten times what the typical HIV patient gets in a year (see Suspicious Prescriptions for HIV Drugs in Medicare).
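As an added illustration, not from the OIG report or this post, of how the limit chosen for an outlier rule decides what a utilization review catches, the following Python runs three rules over constructed pharmacy claims: a plain z-score on annual dose, a robust median/MAD version, and a distinct-pharmacy count in the spirit of the 28-pharmacy case cited above. All beneficiary ids, pharmacy ids and unit counts are constructed sample data.

```python
"""Constructed utilization review: how the outlier rule and its limit decide
which beneficiaries get flagged. Sample data is invented, not Medicaid data."""
from collections import defaultdict
from statistics import mean, median, pstdev
from typing import Dict, List, Set, Tuple


def build_sample_claims() -> List[str]:
    """Constructed claim lines: beneficiary,pharmacy,units per fill."""
    lines: List[str] = []
    for i in range(18):  # 18 typical patients: 12 fills at 1 or 2 pharmacies
        for month in range(12):
            pharmacy = f"PH-{(i + month) % (1 + i % 2)}"
            lines.append(f"B-{i:02d},{pharmacy},{28 + i % 5}")
    for month in range(12):  # about double the typical annual dose, 3 pharmacies
        lines.append(f"B-DOUBLE,PH-{month % 3},60")
    for k in range(28):  # 28 pharmacies, more than ten times the typical dose
        lines.append(f"B-MIAMI,PH-M{k},136")
    return lines


def aggregate(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """Per beneficiary: (total units for the year, number of distinct pharmacies)."""
    units: Dict[str, int] = defaultdict(int)
    pharmacies: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        bid, pharmacy, n = line.strip().split(",")
        units[bid] += int(n)
        pharmacies[bid].add(pharmacy)
    return {bid: (units[bid], len(pharmacies[bid])) for bid in units}


def zscore_flags(agg: Dict[str, Tuple[int, int]], limit: float = 3.0) -> Set[str]:
    """Classic rule: flag totals more than `limit` standard deviations above the mean.
    One extreme case inflates the standard deviation and masks moderate abuse."""
    totals = [u for u, _ in agg.values()]
    mu, sd = mean(totals), pstdev(totals)
    if sd == 0:
        return set()
    return {b for b, (u, _) in agg.items() if (u - mu) / sd > limit}


def robust_flags(agg: Dict[str, Tuple[int, int]], limit: float = 3.0) -> Set[str]:
    """Robust rule: median and scaled median absolute deviation resist masking."""
    totals = [u for u, _ in agg.values()]
    med = median(totals)
    scale = 1.4826 * median(abs(u - med) for u in totals)  # MAD scaled to a sigma
    if scale == 0:
        return set()
    return {b for b, (u, _) in agg.items() if (u - med) / scale > limit}


def pharmacy_flags(agg: Dict[str, Tuple[int, int]], max_pharmacies: int = 5) -> Set[str]:
    """Second feature: a patient filling at many different pharmacies."""
    return {b for b, (_, n) in agg.items() if n > max_pharmacies}


def review(lines: List[str], z_limit: float = 3.0, max_pharmacies: int = 5) -> Dict[str, List[str]]:
    """Run all three rules and report why each beneficiary was flagged."""
    agg = aggregate(lines)
    reasons: Dict[str, List[str]] = defaultdict(list)
    for b in zscore_flags(agg, z_limit):
        reasons[b].append("dose z-score")
    for b in robust_flags(agg, z_limit):
        reasons[b].append("dose robust z-score")
    for b in pharmacy_flags(agg, max_pharmacies):
        reasons[b].append("pharmacy count")
    return dict(reasons)


if __name__ == "__main__":
    claims = build_sample_claims()
    for limit in (3.0, 4.5):  # same data, two limits, different catches
        print(f"z-limit {limit}: {sorted(zscore_flags(aggregate(claims), limit))}")
    print(review(claims))
```

With the plain z-score, the extreme case is caught at a limit of 3 but not at 4.5, and the doubled-dose patient is never caught because the extreme case stretches the standard deviation; the robust rule catches both.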
Wrap Up
Maryland’s MMIS has parts that first came online in 1996. A contract to replace the system was terminated in 2015 and the case between the state and the prime contractor is now in the courts. Maryland’s experience in attempting to replace its MMIS is not unique. Despite their surface simplicity, MMIS systems can involve hundreds of modules providing thousands of different functions that often have to interface with other state systems such as finance, enrollment and eligibility, public health, social services, and the state’s education system.
Designing and programming one is not easy. When it has to interface with multiple legacy systems of differing ages that the MMIS contractor has no control over, the job is even harder.
by Felicien | Sep 7, 2018 | Education
This month’s training on demand focuses on helping you find the most accurate information you need on Google.
We’ll leave no stone unturned in this 28-minute online training session. Learn how to find answers to your queries and questions right through to advanced techniques using Google.
by Felicien | Sep 7, 2018 | Education
What’s WPA3?
WPA3 is an improvement on WPA2 security, which is still commonly used after having made substantial improvements over WPA. It is expected to better protect users from software hacking. In partial development for approximately 10 years, this improved form of security gives users the benefit of additional features. These features include a wider range of settings, a more complex authentication system, and improved encryption.
The recent security upgrade comes in two versions, WPA3-Personal and WPA3-Enterprise. Both have been updated with ongoing security improvements, including the removal of legacy protocols and the mandatory use of Protected Management Frames (PMFs), which protect the management traffic of operational networks. The personal version uses a new authentication method referred to as Simultaneous Authentication of Equals (SAE), which secures connections between two devices while frustrating external efforts to discover passwords.
The enterprise version provides 192-bit encryption, stronger than the personal version, and applies more cryptographic tools than previous versions. As the software has only recently been developed, it has been integrated to some extent, but ongoing integration is expected to parallel increasing requirements for its use. This will challenge the current efforts of hackers. According to the Wi-Fi Alliance, the security improvement will be the standard for devices labeled as Wi-Fi Certified.
How Can It Better Protect Me From Hacking?
As an improvement over WPA2 with stronger encryption and tooling, WPA3 is expected to again stunt many of the current efforts of hackers unless they make serious adaptations and improvements on their end. According to the New York Post, recent improvements in the way hackers operate have allowed them to attack users without waiting for a network connection. This improves their capacity to breach additional security and access information. However, WPA3 is expected to better protect users from both external and internal attacks.
Wired reports 9 billion Wi-Fi devices in use worldwide, creating one of the greatest security demands in computer software. This created the need to improve WPA2 in terms of both connection security and the security challenges in user functions.
WPA3 development has been supervised by the Wi-Fi Alliance, and the organization does not expect WPA3 to be commonly used until the end of next year. WPA3 is also expected to lead to an increase in free connection use, improving the safety of organizations willing to extend access without any charge or membership subscription. The upgrade will provide substantially improved security, specifically against dictionary attacks, by using improved protocols for key exchange. While WPA2 uses a four-way handshake between access points and clients, WPA3 will use SAE to avoid WPA2’s vulnerability to key reinstallation attacks (also referred to as KRACKs). This reduction in dictionary attacks is further supported by a mechanism that safeguards traffic captured before a breach, restricting the attacker’s access to that information after an account has been breached.
Additional Benefits of WPA3 Technology
Other benefits of WPA3 can improve some areas of network and business security. WPA2 currently allows people on a public network to observe user traffic, leaving users vulnerable to man-in-the-middle attacks and data tracking. WPA3 uses encrypted connections without demanding additional credentials, and its encryption (referred to as Opportunistic Wireless Encryption) can protect users and organizations. Nonetheless, it is considered an investment with significant cost to organizational operations. Business managers may not be inclined to spend more for better technology.
The timeline for mainstream integration is expected to span the next several years. The first release was only in June of this year, and it follows the 2006 release of WPA2, whose rollout also continued over several years.
According to SecurityIntelligence, organizations should expect approximately 18 months before devices begin to be commonly certified, followed by additional time as organizations invest in the technology. Beyond certified devices being the foundation of use, people with mismatched hardware may find that their routers are not compatible with WPA3 Wi-Fi connections. Some existing routers are expected to remain usable alongside these improved security devices and connections; some will not be usable with the upgrades.
WPA3 is not expected to address all security demands in the current Internet of Things (IoT) landscape. Threats that have their roots in compromised devices will not be prevented by the protected connections users make. This remaining vulnerability, alongside WPA2’s generally safe nature, has made many consumers hesitant to invest in the upgrade immediately now that it is available.
What Should I Know?
WPA3 provides improved authentication processes.
WPA3 provides increased encryption.
WPA3 does not protect all users connected in the IoT.
The upgrade will cost more but should be worth it in the long run.
by Felicien | Sep 7, 2018 | Education
Hand-in-hand with an increased reliance on the internet and networked systems comes an increased risk of cyber-attacks. Whether conducted unintentionally or deliberately, cybersecurity incidents can wreak havoc on a company’s bottom line, bringing a wide range of consequences with the capability to do long-term harm to companies big and small.
For this reason, the U.S. Securities & Exchange Commission has required public companies to follow a particular set of guidelines and procedures to combat the countless number of cybercriminals scouring the internet in search of opportunities.
Cybersecurity threats and risks are ever changing, and according to the SEC, public companies need to do all they can to prevent attacks. While there exists a world of difference between public and private companies in regard to rules and regulations and how they operate, the two may often encounter the same challenges in regard to cybersecurity. This is why, while unregulated by the SEC, private companies can’t afford to ignore what’s recommended to prevent and combat cyber incidents.
In order to educate and provide support to public companies about the risks associated with cyber attacks, the SEC has introduced a cybersecurity information website containing a variety of tools to be used by companies large and small. These include alerts, compliance toolkits, educational resources and other information pertinent to cyber security and its potential effects on today’s businesses.
What Can Companies Do To Address Cyber Risks?
The SEC has some important tips for businesses to follow if they’re hoping to steer clear of cyber attacks. And in the cases where it’s too late, there is a set of procedures businesses should implement to help minimize damage once an attack hits.
The website covers a wide variety of cyber-related misconduct, including market manipulation through false information, intrusions, hacking and attacks on market infrastructure and trading platforms. According to the SEC, here are a few things private companies must do in order to effectively manage their cybersecurity risk.
Prioritize Policies
An effective set of policies and procedures for dealing with cybersecurity is vital in today’s business world, especially during a time where cybercriminals are acquiring new skills and targets by the day. Companies must be able to identify cybersecurity risks, analyze their impact, and offer open communications with tech experts who can help implement preventative measures and damage control.
There should also be a protocol to help determine the potential risks and materiality of cybersecurity incidents. It’s important for companies to assess compliance with these policies on a regular basis, as well as ensure a proper set of procedures that conveys important information to the necessary personnel.
Necessary Disclosure
Conveying cybersecurity risks and breaches to the appropriate parties is of the utmost importance for public companies, though private companies would do well to follow a similar structure of command. A company’s top directors, officers and other parties responsible for implementing these cyber controls and procedures should be informed of the potential risks in order to develop an effective plan for prevention. And while management’s role in overseeing cybersecurity is indisputable, there are other parties that must be involved.
Combatting Insider Trading
Once a system has been infiltrated by a cyber attack, timing is crucial. The SEC states that companies must have a set of procedures in place to prevent insiders, such as company directors and officers, from taking advantage of the sensitive time between discovery of an attack or cybersecurity incident and the time it is disclosed to investors. It may even be appropriate to halt transfers in the event of an ongoing investigation of a particular cybersecurity incident.
What Are The Risks?
The risks of a cyber attack are varied and depend largely upon an individual company’s IT structure. When evaluating cybersecurity risk factors, there are a number of things companies both public and private must consider. For instance, the occurrence of previous cybersecurity events in the past is helpful in determining risk, as is the probability of the occurrence and its potential magnitude.
It is also helpful to analyze the adequacy of a company’s preventative measures to reduce the risk of cyber attacks, as well as discuss the associated costs and limits of a company’s ability to mitigate these types of risks. Other risk factors include the potential for reputational harm and additional costs incurred from litigation and remediation in the event of a breach.
Conclusion
Private companies are in a unique position to learn from public companies as they navigate an ever-changing digital landscape. The SEC’s guidelines serve as a valuable point of reference to kick-start an effective game plan for cybersecurity. Although it can be difficult to determine when or where the next cyber attack will occur, familiarizing yourself with the risk factors and potential damage can prove a solid line of defense against a major cyber incident in the future.
by Felicien | Sep 6, 2018 | Education
IDC Report Focuses on How Real the Threat Actually is for Canadian Businesses
How much is your company spending on IT security? According to most analyst numbers, an average of 14% of the IT budget should be shelled out each year to safeguard a business. The reality is that less than a quarter of companies are spending even near that much.
What Was Revealed in the Report?
In a report by the International Data Corporation (IDC) that focused on Canadian companies’ security budgets, some startling statistics were revealed. The IDC, which is a global provider of market intelligence in information technology, surveyed over 200 Canadian companies. In the survey, they calculated that while the average company spent a little under 10% on IT security, the budget was mixed and varied depending on the company. The report states that the majority of businesses’ data security budget was subject to how smart that company’s methodology was at combating hacking.
IDC broke down the Canadian firms they surveyed into four main groups:
Egotists
17% of the businesses surveyed are what the IDC labeled as Egotists. This group has a grasp on security, spending about 12% of its IT budget on security. However, the IDC points out that even though these Canadian companies are doing some things right, their overconfidence could easily be their downfall.
Realists
Nearly a quarter of the companies fell into what the IDC labeled as the Realist category. Realists’ cybersecurity budgets are the highest, spending around 14% of their money on IT solutions. These organizations understand that a constant battle must be waged against hackers, and they can never let their guard down. They devote a lot of energy to analyzing and comparing their performance to that of their industry peers.
Denialists
The highest percentage, 37% of companies surveyed, tend to bury their heads in the sand when it comes to cyber security. Their goal is to focus on installing new technologies in an attempt to solve the security problem instead of investing in processes that are secure. They also fail to train their staff about cyber security, which leads to more employee-caused hacks.
Defeatists
About 25% of the firms examined fell into what the IDC says is the worst of all the categories—the Defeatists. They’re terrible at security, and they fully admit to their failures. Their strategy leans mostly on throwing a small budget at the wall and seeing what sticks. They tend to spend an average of only 6% of their IT budget on security, since they don’t think anything is really going to work anyway.
Which Type of Companies Spend the Most on Cyber Security?
The IDC reports that the three industries who will spend the most on security solutions in 2018 are banking, discrete manufacturing, and the federal government. These three groups will spend more than $27 billion combined.
The four industries that will see spending greater than $5.0 billion this year are process manufacturing, professional services, consumers, and telecommunications. The IDC also reports the industries that will encounter the fastest spending increase over the 2016-2021 forecast period will be telecommunications, education, state and local governments, and the resource industries.
How Much Should Be Spent on Cyber Security Awareness?
The IDC’s survey pointed out the importance of training the company’s non-technical employees. On average, results of the IDC survey revealed the companies that fell into the realist category spent about 24% of their IT security budget on employee awareness and education. They understand that employees are the weakest link when it comes to cyber security. People who are not well-trained to spot phishing schemes will click on suspicious links that could cripple your entire IT infrastructure.
How is the Spending on Cyber Security Broken Down?
The IDC strongly points out that not every dollar with a security benefit inevitably shows up in a company’s security budget. For example, a company might purchase a tool to locate network anomalies. This would fall under a clear security-related purchase. However, if the tool isn’t integrated into a wider detection and mitigation process within the company, it most likely won’t be effective for improving the company’s internet security.
An example of this is the attack against retail giant Target’s point-of-sale (POS) systems in 2013/2014. The system triggered alarms, but Target’s information security team chose to ignore the warnings and not follow up on the spotted activity. This inaction resulted in the loss of tens of millions of credit card numbers and hurt the store’s reputation with its loyal customer base.
On the other hand, an IT department that budgets for designing a system of repeatable and automated processes before it invests in high-level detection tools is making its infrastructure more secure, even if the chief purpose is system efficiency. It isn’t clear what portion of that shows up as a security line item or falls into another category.
Conclusion
There’s too much at stake these days not to stay on top of IT security for your Canadian business. Educate employees; invest in the best IT security solutions. Stay on top of what’s going on in the world of cyber security. Not spending enough on cyber security should not even be considered. But neither should spending money on fancy cyber security tools with no clear methodology or IT plan in place.
by Felicien | Sep 6, 2018 | Education
What is PMKID?
Pairwise Master Key Identifier (PMKID) is an identifier used by a network’s roaming feature. Recent developments in hacking have targeted it for exploitation in vulnerable processes, demanding that ongoing security efforts better address it and the procedures it affects.
New Wi-Fi hacking strategies use code and processes that make it easier for hackers to learn user passwords for a wide range of router types commonly used in homes and businesses. Specifically, processes targeting PMKID zero in on internal network protocols with the roaming features enabled, bypassing critical steps. The method was initially discovered by accident, during an assessment of developments in the WPA3 security standard, and the exploitation was then realized to be applicable to existing security systems.
What Security Vulnerabilities Are Concerning?
Online sources including The Hacker News report that hackers have used the approach successfully to obtain pre-shared key (PSK) passwords, which they have then used to break into the Wi-Fi networks of their victims. This has led to hackers penetrating even further into user databases to gain or misuse other information. While earlier methods required hackers to stand by waiting for their targets to log in to the network so that a complete EAPOL four-way authentication handshake could be captured, the PMKID approach does not require this.
This approach therefore makes it easier for hackers to access sensitive information, since they can instead use the Robust Security Network Information Element (RSN IE) of a single Extensible Authentication Protocol over LAN (EAPOL) frame obtained after making a request to the access point. This is also significantly more efficient, with higher potential for multiple attacks from a single point.
Generally, a successful attack occurs in three steps, which may or may not be followed by the subsequent abuse of personal or otherwise sensitive information. In the first step, the hacker uses a tool such as hcxdumptool to request the PMKID. The PMKID is thereby requested from the hacker’s own position, and the tool can be set to dump the information received to a file for future access and misuse.
In the second step, the tool is used to process the frame output, converting it to a hash format for later use. In the third step, a tool such as Hashcat can be used to crack the WPA PSK password, at which point the hacker has the potential to access the personal information of users.
Researchers have been vague about the specific routers involved and which routers are most vulnerable to PMKID attacks. The general method seems to be most threatening in 802.11i/p/q/r networks with their roaming functions enabled. This, unfortunately, describes most current routers, while WPA3 developments have only recently begun to counter the fundamental nature of the vulnerabilities.
The Hacker News reports that WPA3 is a new security protocol needed to address previous WPA2 vulnerabilities that have been increasingly exploited despite smaller, non-version-specific security fixes. Newer developments employ a new framework with features that cannot be delivered by these smaller software and security upgrades, demanding foundational improvements. An example of a foundational technological improvement is the establishment of Simultaneous Authentication of Equals (SAE).
In addition to the nature of the vulnerability, and as is common with modern hacking, directions for a PMKID attack are readily available online. SecuredYou is one of many online sources that walk users through potential attacks. According to this source, in an optimized approach, users first request the PMKID from the router, install hcxdumptool and hcxpcaptool, and record network requests through additional described steps.
Other online sources, including Latest Hacking News and The Register, report that such an approach can currently succeed in 10 minutes or less on most networks, depending on the amount of active network traffic. Hacking has never been so easy for predators.
What’s Been Happening In Research And Development?
Software and security protocol developers have been addressing the issue most directly through WPA3 and network security strategy research and development. One recent patent has attempted to address and improve an aspect of vulnerability by enhancing an extensible authentication protocol re-authentication protocol (EAP-RP) framework in message transition.
Another recent patent has targeted the way network information is configured and authenticated while maintaining PMKID in addition to a basis on a transient identity key pair provided to other access points. Such developments may benefit users more quickly or to greater extents than the implementation of WPA3.
What’s The Bottom Line?
PMKID attacks do not require the same waiting times.
The potential detriment is high.
WPA3 technology can counter the attacks.
Other non-WPA3 patents/developments may work but should be tested first.
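To tie the WPA3 feature list in the earlier post (SAE instead of PSK, mandatory Protected Management Frames, the 192-bit enterprise mode, Opportunistic Wireless Encryption) to this post’s bottom line that WPA3 counters PMKID-style attacks, here is an added Python audit, not from either post, the Wi-Fi Alliance or hostapd, that checks hostapd-style access point configurations for those properties. The configurations, SSIDs and passphrases are constructed samples; the option names are standard hostapd.conf keys.

```python
"""Constructed hostapd-style configurations checked for the WPA3 properties the
posts describe. Not code from the posts, the Wi-Fi Alliance or hostapd."""
from typing import Dict, List

WEAK_WPA2_PERSONAL = """\
# constructed sample: WPA2-Personal with Protected Management Frames disabled
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=summer2018
rsn_pairwise=CCMP
ieee80211w=0
"""

WPA3_PERSONAL = """\
# constructed sample: WPA3-Personal (SAE) with Protected Management Frames required
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_key_mgmt=SAE
sae_password=correct horse battery staple
rsn_pairwise=CCMP
ieee80211w=2
sae_require_mfp=1
"""

WPA2_ENTERPRISE = """\
# constructed sample: WPA2-Enterprise, PMF optional, no 192-bit suite
interface=wlan0
ssid=CorpNet
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=1
"""


def parse_hostapd(text: str) -> Dict[str, str]:
    """key=value lines; '#' starts a comment; a later key overrides an earlier one."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text: str) -> List[str]:
    """Each finding starts with a short code, then the WPA3 property it maps to."""
    conf = parse_hostapd(text)
    if conf.get("wpa", "0") == "0":  # hostapd default: no WPA at all, an open network
        return ["OPEN: no encryption; WPA3 adds Opportunistic Wireless Encryption (OWE) for open networks"]
    akms = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())  # hostapd default AKM is WPA-PSK
    pmf_required = conf.get("ieee80211w", "0") == "2"  # 0 off, 1 optional, 2 required
    findings: List[str] = []
    if conf["wpa"] in ("1", "3"):
        findings.append("LEGACY: WPA version 1 still offered; WPA3 removes legacy protocols")
    if "WPA-PSK" in akms:
        findings.append("PSK: passphrase-derived key is exposed to offline dictionary attacks; WPA3-Personal uses SAE")
    if not pmf_required:
        findings.append("PMF: Protected Management Frames not required (ieee80211w=2); WPA3 mandates them")
    if "WPA-EAP" in akms and "WPA-EAP-SUITE-B-192" not in akms:
        findings.append("ENTERPRISE: WPA3-Enterprise 192-bit mode (WPA-EAP-SUITE-B-192) not enabled")
    if "SAE" in akms and not pmf_required and conf.get("sae_require_mfp", "0") != "1":
        findings.append("SAE-MFP: SAE associations not forced to use PMF (sae_require_mfp=1)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak WPA2-Personal", WEAK_WPA2_PERSONAL),
                       ("WPA3-Personal", WPA3_PERSONAL),
                       ("WPA2-Enterprise", WPA2_ENTERPRISE)):
        print(name, audit_hostapd(conf) or ["no findings"])
```

A mixed "WPA-PSK SAE" transition-mode network still reports the PSK finding, since the passphrase-derived key remains offered to clients that never upgraded.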