by Felicien | Aug 16, 2018 | Education
What Do We Know About Terminal Fault (L1TF) Chip Vulnerabilities?
Understanding The L1 Terminal Fault (L1TF)
Intel has recently confirmed L1 Terminal Fault (L1TF) chip vulnerabilities in its processors that can be manipulated by malware and malevolent virtual machines with the intention of stealing private information from a computer’s memory.
Who or What is Vulnerable?
In short, Intel’s desktop, workstation, and server CPUs are exposed. What Intel initially described as impregnatable memory, has been found to have holes. That means sensitive data from other software and other customers’ virtual machines can be stolen from malicious software and guest virtual machines either on a vulnerable device or a cloud platform.
This private information may involve personal and financial accounts, passwords, and encryption keys. Also, they pose a threat to be taken from other customers’ virtual machines, including both System Management Mode (SMM) memory and SGX enclaves.
SGX, made by Intel technology, is intended to guard private information from code geared to peep and pry.
SMM serves as a computer’s clean-up operator. This is an alternate software system that is usually placed in the computer’s firmware. It also has total control over the computer’s hardware and absolute admittance to all of its data.
Let’s break down the three areas, which Intel has named its L1 Terminal Fault (L1TF) bugs:
CVE-2018-3615
CVE-2018-3615 impacts Software Guard Extensions (SGX). More specifically, Intel says, “Systems with microprocessors utilizing speculative execution and software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis.” The researching teams who discovered CVE-2018-3615, named the vulnerability, Foreshadow.
The Fix:
Fixing this vulnerability will require the microcode update. To be safe, it is also recommended that you update your operating system and VM hypervisor. The patches should be available now for just about all operating systems.
This bug was discovered by two different groups:
Jo Van Bulck, Frank Piessens, Raoul Strackx from imec-DistriNet – KU Leuven.
Marina Minkin, Mark Silberstein from Technion, Ofir Weisse, Daniel Genkin, Baris Kasikci, Thomas F. Wenisch from The University of Michigan, and Yuval Yarom from University of Adelaide and CSIRO’s Data61.
CVE-2018-3620
According to Intel, “Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.” In short, CVE-2018-3620 affects operating systems and SMM.
The Fix:
To fix this, operating system kernels will need to be patched. Also, the SMM needs the microcode update, to be safe.
CVE-2018-3646
Intel states, “Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis.” CVE-2018-3646 affects hypervisors and virtual machines.
The Fix:
Fixing CVE-2018-3646 will require the microcode, operating system, and hypervisor updates in order to protect your data.
Extra Fix:
The way hypervisor software operates is by allowing virtual machines or processors to be run off shared resources of a physical server. At the same time, they use multi-threading – a technique by which a single set of code can be used by several processors at different stages of implementation. Intel calls this Hyperthreading, and it can split one of its cores to act like two separate processors of the multi-core CPU for the hypervisor. This technique creates what Intel calls “sibling threads.”
Since these threads share a pool of L1 cache memory attached to the core, a malicious guest, on one of the virtual processors, could manipulate the third variant of the L1 Terminal Fault and get data used by the other sibling thread.
Even though the virtual processor will recognize this and deny the request of the hacker, if the data is in the cache at the same time, it can be revealed to the hacker.
Both CVE-2018-3620 and CVE-2018-3646 were discovered by Intel’s engineers after the university researchers who discovered “Foreshadow” informed Intel about CVE-2018-3615, the SGX issue.
The Ultimate Fix
The real fix to all these problems will be made by replacing the processors. As Intel stated, when addressing L1TF, “These changes begin with our next-generation Intel Xeon Scalable processors (code-named Cascade Lake), as well as new client processors expected to launch later this year.”
For now, the best advice is to keep patching and be aware of any changes you see in the area of performance and speed with the patches.
by Felicien | Aug 16, 2018 | Education
As providers are all too well aware, their payments from Medicare are affected by their score in the Merit-based Incentive Payment System (MIPS). MIPS imposes a number of requirements; if these are not met, payments may be reduced or denied.
The MIPS requirements apply to all Medicare claims, even those whose performance is not necessarily affected by a MIPS constraint. Among these universal requirements is the meaningful use of electronic health records (EHRs). Within the EHR requirements, we have the promotion of interoperability with other EHR systems, and within that, we have the security requirements. Among the security requirements is an annual security risk assessment.
What Has Changed?
In the Federal Register of July 27, 2018, the Centers for Medicare and Medicaid Services (CMS) proposes that the current security risk assessment requirement in MIPS be replaced. The suggested replacement will be an attestation to the activities included in the security risk assessment standard that has been performed in the past MIPS year.
This essentially switches the scoring of the security risk requirement from the equivalent of a numeric grade to a pass/fail scoring system. A practice or institution passes if it has done the assessment; how well it has done on the assessment falls by the wayside. The requirements are stated in a bare-bones fashion in the Code of Federal Regulations at 45 CFR 164.308.
CMS states that their rationale is, in part, a result of the realization that a risk assessment is done well, or not at all.
What A Serious Risk Assessment Entails
The thinking behind this can be found in the Office of Civil Rights (OCR) newsletter for April 2018. This newsletter distinguishes a gap analysis (“find the holes”) from a security risk assessment (“make sure there are no holes”). It is a highly useful guide to discerning the scope and the level of effort required for a serious risk assessment.
An article on the HHS website goes into greater detail explaining what is subject to the security rules and why:
All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.
The guidance issues from OCR noted that the CFR requirements are divided into two categories: required and addressable.
The addressable requirements are not optional. Rather, if the approach specified in an addressable requirement is not feasible, the provider organization must develop an effective alternative to approach to achieve the same end and document this. The tendency to document-but-not-implement should be firmly resisted.
Did You Really Do A Risk Assessment?
Experts suggest that OCR has significantly underestimated the time required to do a serious risk assessment. Obviously, you have to look at hardware-associated risks. Are the BIOS files in your desktops and laptops updated? Has router firmware been updated?
You must take a hard look at software-associated risks as well. Are operating systems patched? You must strategically assess administrative risks: are you enforcing complex password requirements? Are you using biometric identifiers? Is data access truly on a need-to-know basis?
A Helicopter-Level View Is Not Adequate
The reader may protest that those concerns are nowhere to be found in the guidance. True. The point is that an adequate risk assessment will have revealed these as questions that need to be asked on a day-to-day operational basis. A risk assessment that is not dynamic misses all the critical points of vulnerability.
A risk assessment should point out any unnecessary risks and then offer a solid plan to eliminate them. It’s good to remember that the whole point of the endeavor is to make sure that the government (and all organizations) move toward better Internet and network security. With cyber breaches occurring on almost a daily basis, there’s every need to be more cautious about how we handle, store, and transmit Big Data.
The current cost of a data breach has reached between $1.3 million and $3.5 million. The number one most sought-after data that hackers are vying for is healthcare information. On the Dark Web, 30,000 up-to-date healthcare records will fetch a pretty price.
Conclusion
Under this proposed rule change, you will no longer be given a percent of compliance score on your risk assessment. You will simply be in or out of compliance. The upside is less administrative hassle; all you have to do is carry out the activities and attest that you did this. The downside is that this may lead to a relaxation of vigilance at a time when threats are constantly increasing.
by Felicien | Aug 15, 2018 | Education
Hackers are constantly throwing in new and clever phishing attacks that threaten email users’ security. KnowBe4, one of the top security attentiveness and simulated phishing platform contributors recently issued the top 10 phishing email subject lines from this year’s second quarter. Please note, the attacks used most often contain email subject lines that relate to a user’s passwords and security warnings.
An estimated 1 out of 3 people will open a phishing email each day. This tricky way of gathering people’s personal and financial information is getting bigger, despite all the warnings from technology experts.
What is Phishing?
Phishing is a technique that hackers practice to steal personal information, like credit card info or login authorizations. The hacker replicates an existing login page from an online service such as Dropbox, Apple, Gmail or your financial institution. This made-up website holds a code that delivers all the personal data you submit directly to the hacker. To lure you to the bogus website, hackers send a believable email to you. Quite often, the email sent to you will ask you to log in to your bank account because your bank has exposed a transaction that you did not authorize.
Hackers can make these emails look and sound real and their exploits have been very successful. They often use fear. The email will make it sound like you need to take action NOW! So without really checking, the victim clicks the bad link and continues to the bogus landing page where they give the cyber thief their log-in and password information.
Why is Phishing a Concern?
It is reported that consumers, businesses, and organizations will lose an estimated $9 billion in 2018 globally. With so much personal information tied to finances now shared online, hackers use phishing in order to illegally steal your money.
The Anti-Phishing Working Group (APWG) latest quarterly release reported:
Over 11,000 phishing domains were created in the last quarter alone.
The number of phishing sites rose 46% over the previous quarter.
The practice of using SSL certificates on phishing sites continues to rise to lure users into believing a site is legitimate.
Is Phishing Just a Risk for Personal Users?
Because they store a lot of files in the cloud, Phishing is also a risk for all kinds of companies: Digital design companies, financial institutions, security companies, etc. According to hackmageddon.com, there were 868 reported company security breaches or cyber-attacks in 2017.
What do Hackers need to be successful?
There are generally three things hackers do to gain access to your information:
Build an email account to send emails
Buy a domain and set up a fake website
Think of a tech company that is used often to mask itself as a legit website (Dropbox, Amazon, eBay, etc.)
What Can I Do to Avoid Phishing?
It has become increasingly difficult to guard yourself against phishing. As hard as Apple, Google, and other tech companies have worked to filter them out, hackers are always devising new ways to phish. However, here are some tips on spotting phishing emails:
Try to avoid clicking on buttons and/or links in emails.
Begin using password managers. A password manager aids the user in creating and retrieving complex passwords and storing the passwords in an encrypted database. Therefore, if hackers get one of your passwords, they can’t use it on any of your other accounts.
Don’t put total faith in the green lock icon in your address bar. This only ensures that it is a private channel but does not inform you about who you’re communicating with.
Allow 2FA (two-factor authentication). Two-factor verification is an extra layer of safekeeping otherwise known as “multi-factor authentication.” 2FA requires a password and username, and also something that only the user knows (mother’s maiden name) or has (passcode texted to another device, such as a cell phone).
Be extra cautious if the browser plugin of your password manager doesn’t show your login credentials automatically.
Be quick to report suspicious emails to your friends and colleagues. Organizations who make it easy for their employees to report attacks will see a significant decrease in cyber-attacks. The quicker an IT department can respond to a threat, it will minimize the threat potential damage inflicted on people.
Ironically, the trend for most of these phishing emails are warnings about security alerts.
Here are the top 10 from Q2:
Password Check Required Immediately (15 percent).
Security Alert (12 percent).
Change of Password Required Immediately (11 percent).
A Delivery Attempt was made (10 percent).
Urgent press release to all employees (10 percent).
De-activation of [[email]] in Process (10 percent).
Revised Vacation & Sick Time Policy (9 percent).
UPS Label Delivery, 1ZBE312TNY00015011 (9 percent).
Staff Review 2017 (7 percent).
Company Policies-Updates to our Fraternization Policy (7 percent).
by Felicien | Aug 15, 2018 | Education
If you are in a startup company or run a small business, the simplest software update can easily cause anxiety for you and your group of employees. Everyone has experienced the update that causes glitches and hiccups that can disrupt the workflow.
With that said, why should you upgrade to Windows 10? Is it worth the hassle? Let’s look at the reasons why upgrading to Windows 10 will benefit you and your team in the long run.
10 Reasons Why You Should Upgrade to Windows 10
The Need for Speed
One of the major advantages Mac has had over Windows for years is the speed at which they start up when the power button is pushed. Windows 10 has a feature called Fast Startup. How it works is when you shut down your computer, rather than just placing everything in RAM, Windows will save an image of your loaded kernel and drivers in what Microsoft calls the hiberfile. The next time the system boots up, it just reloads this file, making it boot abundantly faster.
The Return of the Start Menu
For Windows 10, Microsoft has created an updated version of the Start menu that includes the familiarity of the classic menu from older versions along with parts of the Start screen that they introduced with Windows 8.
In this newest version, you will see a left rail with buttons to access different settings and locations. On the right, there are Live Tiles, which will light up to keep you up to date.
Talk to me, Cortana
The ability to be able to talk and interact with your technology hands-free is liberating and can also be exciting. Not only can you instruct Cortana to play music or jot down notes for you, Cortana will remind you to pick up needed items using your Android iPhone and Windows Phone. Another smart feature Cortana offers is Her Notebook, which tracks your interests, giving you information, such as when your favorite band is in town, team scores, local weather, and even traffic updates for your drive to and from work.
Apps at Your Employee’s Fingertips
For those still using Windows 7, there is no way to utilize the app store. Windows 10 opens up the possibilities for your team to get software more readily to assist them with various tasks. Windows 10 makes these apps safer as well, since they now run in their own sandboxes. Utilizing social media to promote your business is easier with Windows 10 and the easy-to-use media apps, which include access at your fingertips to the following:
Photos
Videos
Calendars
Maps
Mail
Music
People
The Added Touch
Microsoft took all of the basic features from Windows 8, but then added several new ones in Windows 10. The 2-in-1 laptops with Windows 10 allow you to have both touchpads and touchscreens in one device. Microsoft is adding the touchscreen to many desktop and laptop computers.
A Call to Action
Windows 10 gives you the advantage of allowing pops-up notifications for messages, updates, and important news. The Microsoft Action Center shows messages from email, system updates and warnings, and messages and updates from apps. Sometimes the updates come at a time when you are absorbed in a project or task. When that happens, you can quickly dismiss the notification. Windows 10 gives you the opportunity to go back and see the entries you missed when you are not as busy.
A New Browser
Windows 10 comes with a brand-new browser called Microsoft Edge, which has great compatibility and speed. Tests have revealed that Edge is easier on both tablet and laptop batteries than Chrome. It is 15% more secure than Chrome as well.
Added Security
Keeping Secure Boot from Windows 8, Microsoft has made it even more secure. A specific code runs immediately when your computer starts up to make it incredibly difficult to penetrate. Windows 10 makes it so there is no way around these security measures. Windows 10 also implements Device Guard which provides better security against malware.
The Virtual Desktop Advantage
Just like on a Mac, Windows 10 lets you open multiple windows and apps at the same time. If you are multi-tasking on a work project and personal tasks, you can easily do this with Windows 10 and the virtual desktop feature.
Xbox App
Windows 10 has an Xbox app that allows you to track your online friends, while also letting you stream games from the console to the PC. Utilizing The Windows Store gives Xbox players an easy way to find and purchase games with a simplified flow between the PC and Xbox.
Wrap Up
Upgrading to Windows 10 shouldn’t be stressful or difficult. Though it does take a few minutes to perform the update, you’ll have access to some new and helpful features. In addition, your network security will be improved. Once you get the hang of it, you’ll wonder why you waited so long to make the move.
by Felicien | Aug 15, 2018 | Education
Azure Stack has commanded plenty of loyal followers since its release, and it’s easy to see why. The platform provides many of the same great benefits users found in Microsoft’s Azure. Chief among them is the impact on multi-cloud environments. Building and deploying applications have become easier than ever before, and users are now able to enjoy the same familiar, tried-and-true tools to streamline their web operations. These factors plus a wide variety of others combine to create a solid case for Azure Stack.
Before you decide if a service like Azure Stack is right for your company’s IT structure, it’s important to know what benefits you’re dealing with. Knowing the basics of Azure Stack and its usage capabilities can help you determine whether it makes sense for your unique business needs.
What is Azure Stack?
It’s an extension of Microsoft’s Azure, and helps companies combine cloud computing with on-premises environments. Consistency is key with this type of platform, as it allows companies to deliver Azure’s unique services from their own unique datacenter for consistent hybrid cloud deployments.
What Are Some Benefits of Azure Stack?
There are many benefits associated with Azure Stack. For instance, users can apply Azure web and mobile services, architectures, and containers to extend legacy applications through the use of consistent processes in the cloud and on-prem. They can also build applications with a consistent set of tools and services, then deploy those applications to the appropriate location by writing code just once.
It allows companies the flexibility to seamlessly transition workloads between private and public environments, bringing a whole new world of potential for those who have long hoped for a turnkey solution to deploying applications. While deploying new cloud applications once took hours or even days, with Azure Stack, users can deploy them in mere minutes with the use of prebuilt solutions from Azure’s Marketplace. Add-on products, such as Commvault Hyperscale, are also integrated easily with Azure Stack.
One other perk users find in Azure Stack is its payment structure. Users pay only for the services they actually use, which can also be found in Azure.
How Can Azure Stack Be Useful For Federal Agencies And Financial Service Providers?
While Azure Stack is beneficial to companies across diverse industries, its capabilities are particularly helpful in the federal agency and financial services realms. Nearly all industries must comply with some sort of financial regulations, required either by internal policies or by customers. Security-wise Azure Stack satisfies requirements that dictate sensitive data must be stored in one tightly managed location.
Among the many benefits of Azure Stack for federal agencies is the ability to provide edge and disconnected computing for remote users, such as military members in a combat zone or other areas where access to the cloud may be difficult to come by. The ability to process big data at the edge and have this data sent to one central location is highly useful to federal agencies.
Additionally, Azure Stack allows large agencies to build out private clouds to serve their internal teams, which provides specialized services both cost-effectively and securely. Azure Stack allows federal customers to remain compliant with governing regulations that call for the security of privileged and classified information, which may later be moved to a public cloud once those security requirements expire.
Adequate security is vital in the financial world, and today’s top financial organizations simply can’t afford a breach. Large financial service providers have the opportunity to host Azure Stack-as-a-service to other business units, resulting in a private cloud that becomes a consumable service. With this, business units are able to avoid the security issues that come from operating outside of a private cloud. Financial service providers are also able to now scale quickly with Azure Stack, given their ability to transition to the public cloud during times of heavy traffic.
What Are Some Azure Stack Storage Options?
When it comes to persistent storage while using Azure, developers are faced with three basic options:
Tables
Blobs
SQL Databases
The latter is a database-as-a-service that offers a variety of the same features found in SQL servers, but without the overhead of one key figure: database administration.
Tables have the capabilities to support upwards of 200TB of basic structured data. This may be a good option for those who prefer a NoSQL database, similar to that of MongoDB, but without the need to manage a data store service.
There is also the option of Blobs, short for binary large objects, which are unstructured storage objects built for the storage of binary data. It can be accessed through API commands or REST, and has about the same storage capacity as Tables.
Wrap Up
All in all, Azure Stack has proven well worth its weight in terms of convenience for developers. If its current state is any indication, there should be plenty of exciting new features to look forward to in the years to come.
by Felicien | Aug 15, 2018 | Education
GDPR and Health & Life Sciences Organizations in the US: 5 Facts You Need to Know
The European Union GDPR (General Data Protection Regulation) that was officially enacted on May 25, 2018 doesn’t just apply to organizations operating in Europe – it has a major impact here in the United States, too. And among those being impacted are health and life science organizations. Few would argue the importance of GDPR compliance, but the vast majority of those in the United States who are affected by these regulations don’t necessarily understand what it means.
What follows are five key facts about GDPR that you need to be aware of if you work in health and life sciences.
Fact #1: GDPR more broadly defines personal data than HIPAA does.
HIPAA focuses on Protected Health Information (PHI), which includes governing the use, disclosure, and protection of PHI by covered entities. As you probably already know, covered entities include health care providers and their business associates, along with service providers and third-party vendors who need access to PHI to perform their services.
GDPR, on the other hand, regulates how personal data is processed, not just PHI – and under the GDPR, almost all information is considered sensitive and therefore protected. This is a much broader definition of protected data. GDPR, therefore, also impacts much more than just the covered entities described by HIPAA. Any entity that processes the personal data (which includes maintaining, adapting, storing, transmitting, etc.) of a business or resident in the European Union falls under GDPR’s purview. Thus, the type of info protected and how it is processed under GDPR has a far broader definition.
Fact #2: GDPR differs from HIPAA in how it restricts the use and disclosure of personal data.
Both HIPAA and GDPR are structured to prohibit the use/disclosure of personal data unless there is a provision in the regulation that allows it. However, GDPR is far more restrictive than HIPAA and there are fewer exceptions to the provisions. To make matters more interesting, the GDPR is not always as clear in its guidance as HIPAA.
The GDPR affects all residents and business owners located in the European Union, and those who collect their PHI. HIPAA affects healthcare organizations located in the United States only, but there are healthcare organizations based in other countries who have offices in the US. These entities are required to comply.
Fact #3: HIPAA compliance does not mean GDPR compliance.
As you have probably guessed by now, just because you are HIPAA compliant does not mean that you are automatically GDPR compliant. As discussed, the GDPR covers much more than just PHI. However, being HIPAA compliant means that your company already has experience dealing with compliance issues and has an excellent foundation on which to build solid GDPR compliance. Just keep in mind that there are different requirements involved with GDPR.
Fact #4: GDPR can apply to US Health & Life Science Organizations.
If your organization is considered an establishment in the EU, then it must comply with GDPR. But what does it mean to have an establishment? In a nutshell, having an establishment in the EU means offering goods and services to EU residents. Even if your organization has no physical presence in the EU, or exists as an EU corporate entity, you are considered an establishment if you offer goods and services to residents of the EU.
Here’s another way your organization can be required to comply with GDPR: if you monitor the behavior of EU subjects. If EU residents go to your website and you analyze or track their behavior, this counts as monitoring the behavior of an EU resident. This is especially true if your website is aimed at EU residents, which includes factors such as using EU-specific language or currency symbols.
Fact #5: The timeframe for breach reporting is much shorter under GDPR than HIPAA.
Under HIPAA, your organization has no more than 60 days to officially report a breach to a regulatory body, the Health and Human Services (HHS) Office of Civil Rights (OCR), unless it can be demonstrated that there was a low risk that the data was actually compromised.
Under GDPR, that timeframe for making an official report to a regulatory body is shortened to just 72-hours. Under GDPR, the affected individuals must also be notified if the breach is a high risk to their rights and freedoms. Note that the focus of the GDPR is protecting the rights of the individual, while the aim of HIPAA is more about protection of the data itself.
Conclusion
Because healthcare is global, with diseases and illnesses refusing to acknowledge the existence of socio-political borders, the data related to healthcare is as well. In a very real sense, protecting our personal information including healthcare data is a global concern.
If you are part of a life science or healthcare organization in the US that has a presence on the web or works with entities (including business associates and vendors) who operate overseas, then you need to make sure that your organization is GDPR compliant. Being HIPAA compliant is an excellent foundation upon which to build GDPR compliance, but isn’t synonymous with GDPR compliance. While there are many similarities between HIPAA and GDPR, they involve very different goals and GDPR is much broader in its definitions of what constitutes protected data.
For most health and life sciences orgs, regardless of where they’re located, it’s important to understand both HIPAA and GDPR regulations. The fines and penalties for just one violation can be thousands of dollars.
