Password Management

Survey Reveals Bad Cyber Hygiene and Poor Password Practices are Commonplace

Most Americans are confident about their knowledge of cybersecurity according to a recent AT&T survey of 2,000 Americans, yet bad cyber hygiene and poor password practices are still commonplace. The survey was conducted by OnePoll on behalf of AT&T and found that 70% of respondents felt they were knowledgeable about cybersecurity with 69% saying they were confident in their ability to be able to identify suspicious websites at a glance, yet the average person still lands on a suspicious online site or social media account 6.5 times a day.

When questioned about Internet use, only 39% of respondents said they knew that websites could spread malware to their computers and just 45% said they were aware that suspicious sites can lead to identity theft. 54% did not know the difference between an active threat – one that requires some user action – and an inactive threat – where a device is attacked without any user action.

Despite thinking they could identify suspicious websites, such as unverified sites, HTTP sites, and sites that have many pop-ups, the potential security risks from accessing those sites were often ignored. 38% of respondents said they visit those sites for streaming sporting events, 37% use the sites to download songs and video games that are hard to find, and 36% said they would visit those sites if they offered good discounts on purchases.

The risks from bad cybersecurity practices are not just theoretical. Poor cyber hygiene is exploited by threat actors and frequently allows accounts to be compromised. When asked about threat encounters, 45% of respondents said they had received a phone call from someone claiming to be from the government and 36% of respondents said they would respond to a communication if it appeared to have come from an official organization.

Fewer than 40% of people consider the security risks of accessing the Internet, such as potential device or network intrusions, malicious apps, or malware downloads, and the number of respondents who take password security risks is concerning. One of the biggest password security mistakes is using the same password on multiple accounts. In the event of a data breach at one company in which passwords are obtained, a credential stuffing attack could be conducted that would allow access to all other accounts where that password has been used. 42% of respondents said they reuse passwords across multiple accounts.

The best practice for creating passwords is to use a combination of upper and lower-case letters, numbers, and symbols, and to avoid using personal information in passwords. 31% of respondents admitted to using a birthday as their password, even though that information will be known to many people and can even be found on social media profiles. The survey also revealed that 34% of people are reactive rather than proactive about password security, and would only change a password if they received a security alert about an attempt that had been made to access their account from an unrecognized IP address. These bad password practices persist even though most people claim to be knowledgeable about cybersecurity, and password managers are widely available for free or at a low cost that can greatly improve password security.

These bad cyber practices should be a cause of concern for employers. If individuals are lax about personal security despite knowing the risks of identity theft and fraud, it is likely that those poor practices might also occur in the workplace. Employers should ensure they provide regular security awareness training to explain to their employees how taking risks such as these can put the organization at risk.

The post Survey Reveals Bad Cyber Hygiene and Poor Password Practices are Commonplace appeared first on HIPAA Journal.

Study Reveals Top Websites Fail to Follow Password Best Practices

A peer-reviewed study conducted by researchers at Princeton University explored the password policies of the most popular English-language websites and found that only 13% of the websites followed all appropriate best practices.

The researchers reverse-engineered the password policies of 120 of the leading websites based on visitor numbers and sought to establish whether password best practices were being followed. They attempted to set 40 of the most commonly leaked passwords for accounts, such as abc123456 and P@$$w0rd; determined whether the websites imposed any character-class requirements (at least one upper- and lower-case letter, number, and symbol); checked whether a password strength meter was provided to help users set strong passwords; and checked whether passwords of fewer than 8 characters were allowed. Only 15 of the 120 websites followed all of these best practices. 105 of the websites failed on one or more of those requirements, which put users at risk of password compromise.

59% of the websites did not perform any checks of passwords, which meant that all 40 of the commonly used passwords were permitted. 75% of the websites did not prevent users from setting more than half of the tested weak passwords. Only 19% of the websites used password strength meters, and 10 of the 23 websites that did have password strength meters nudged users toward specific types of characters and did not incorporate any notion of guessability.

The latest password advice from NIST is not to force users to set passwords containing specific character classes. While this requirement does in theory force users to create strong passwords, in practice it weakens passwords, as people tend to take shortcuts and use easily guessable passwords that satisfy the rules. 45% of the tested websites forced users to use certain character sets. All password policies for the 120 websites were found to perform poorly for security and usability.
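To make the two approaches concrete, here is an added example (not code from the Princeton study or from NIST) that runs the same kinds of passwords the study tested through a composition-rule policy and through a length-plus-blocklist policy in the SP 800-63B direction. The blocklist is a small constructed sample, not the study's list of 40 leaked passwords.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of commonly leaked passwords (lower-case). Two of them are
# the ones quoted above; a real deployment checks a large breach-corpus list.
COMMON_PASSWORDS = {
    "123456", "password", "abc123456", "p@$$w0rd", "qwerty123",
    "letmein", "iloveyou", "welcome1", "admin123", "football",
}

# Undo the substitutions people use to satisfy symbol/digit rules, so that
# "Passw0rd" and "P@$$w0rd" are both recognised as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a"})


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def legacy_policy(pw: str, min_len: int = 8) -> Verdict:
    """Composition-rule policy: min_len characters and one of each class.
    This is the style 45% of the studied sites enforce."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len}")
    for name, pattern in (("upper", r"[A-Z]"), ("lower", r"[a-z]"),
                          ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            reasons.append(f"missing {name}")
    return Verdict(not reasons, reasons)


def normalize(pw: str) -> str:
    return pw.lower().translate(LEET)


def nist_style_policy(pw: str, min_len: int = 8, blocklist=COMMON_PASSWORDS) -> Verdict:
    """Length plus blocklist, no composition rules (the SP 800-63B direction).
    The blocklist match also uses the normalised form so leet variants fail."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len}")
    normalised_block = {normalize(p) for p in blocklist}
    if pw.lower() in blocklist or normalize(pw) in normalised_block:
        reasons.append("commonly leaked password or trivial variant")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    return Verdict(not reasons, reasons)


def complexity_lets_through(candidates):
    """Passwords the composition policy accepts but the blocklist policy
    rejects: the weak-but-compliant passwords the study warns about."""
    return [p for p in candidates
            if legacy_policy(p).accepted and not nist_style_policy(p).accepted]


if __name__ == "__main__":
    for pw in ("P@$$w0rd", "correct horse battery staple", "Tr0ub4dor&3", "Passw0rd"):
        print(f"{pw!r:32} legacy={legacy_policy(pw)} nist={nist_style_policy(pw)}")
```

Running it shows that P@$$w0rd satisfies every composition rule yet is a known leaked password, while a long lower-case passphrase fails the composition rules but passes the length-plus-blocklist policy.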

A password is often all that stands between a malicious actor and highly sensitive data. It is therefore important for website owners to follow password best practices to help users secure their accounts. You can view the researchers’ recommended password practices here. The findings of the study will be presented at the Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022) next month.

The post Study Reveals Top Websites Fail to Follow Password Best Practices appeared first on HIPAA Journal.

World Password Day 2022 – Password Tips and Best Practices

Thursday, May 5, 2022, is World Password Day. Established in 2013, the event is observed on the first Thursday of May with the goal of raising awareness of the importance of creating complex and unique passwords and adopting password best practices to keep sensitive information private and confidential.

Passwords were first used to protect accounts against unauthorized access in computing environments in the 1960s. In 1961, researchers at the Massachusetts Institute of Technology (MIT) started using the Compatible Time-Sharing System (CTSS). The system ran on an IBM 709 and users could access the system through a dumb terminal, with passwords used to prevent unauthorized access to users’ personal files.

The system is widely believed to be the first to use passwords and was also one of the first to experience a password breach. In the mid-1960s, MIT Ph.D. researcher Allan Scherr needed more than his allotted 4-hour CTSS time to run performance simulations he had designed for the computer system. He discovered a way to print out all passwords stored in the system and used the passwords to gain extra time.

Passwords are now the most common way to secure accounts, and while passwordless authentication, such as biometric identifiers and Single Sign-on, is becoming more popular, in the short to medium term passwords are likely to remain the most widely used way of authenticating users and preventing unauthorized account access.

The Importance of Creating Strong Passwords

The use of passwords carries security risks, which World Password Day aims to address. One of the most common ways for hackers to gain access to accounts is to use stolen passwords. Phishing is used to target employees and trick them into disclosing their passwords, either via email, phone (vishing), or text message (SMiShing). Adopting 2-factor authentication will help to stop these attacks from succeeding. According to Microsoft, 2-factor authentication blocks more than 99% of automated attacks on accounts.

Hackers also use brute force tactics to guess weak passwords and take advantage of default credentials that have not been changed. If rate limiting is not implemented to lock accounts after a set number of failed login attempts, weak passwords can be guessed in a fraction of a second. Even strong passwords can be guessed in seconds or minutes if they are not sufficiently long.

In 2020, Hive Systems published a chart showing the time it takes for a hacker to brute force a password using a powerful, commercially available computer, and each year the table is updated to account for advances in computing technology. The chart clearly demonstrates the importance of creating strong passwords that include a combination of numbers, symbols, and upper- and lower-case letters, and ensuring passwords contain enough characters.

Chart: How Long Does it Take a Hacker to Brute Force a Password in 2022. Source: Hive Systems.
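The arithmetic behind a chart like this is simple: keyspace is charset size to the power of the length, and time is keyspace divided by the guess rate. The added example below (not Hive Systems' code; the guess rates and the lockout policy are constructed assumptions) computes that for the offline case and also for online guessing with and without the lockout the preceding paragraph recommends, which is what separates a guessed-in-seconds password from one that is not guessable at all over the network.

```python
import math
import string

# Character classes as used in brute-force time charts, smallest first.
CHARSETS = {
    "digits": string.digits,                                                # 10
    "lower": string.ascii_lowercase,                                        # 26
    "letters": string.ascii_letters,                                        # 52
    "letters+digits": string.ascii_letters + string.digits,                 # 62
    "all": string.ascii_letters + string.digits + string.punctuation + " ",  # 95
}

# Constructed rate assumptions, not Hive Systems' figures.
OFFLINE_RATE = 1e11           # guesses/s against a stolen fast hash on a GPU rig
ONLINE_RATE_NO_LOCKOUT = 1e3  # guesses/s against a login form with no limits


def keyspace(charset, length):
    return len(charset) ** length


def entropy_bits(charset, length):
    """Bits of a uniformly random password drawn from charset."""
    return length * math.log2(len(charset))


def classify(password):
    """Smallest chart class that covers every character of the password."""
    for name, cs in CHARSETS.items():
        if all(c in cs for c in password):
            return name
    return "all"


def seconds_to_exhaust(charset, length, rate):
    """Worst case: the whole keyspace at the given guess rate."""
    return keyspace(charset, length) / rate


def lockout_rate(attempts, window_seconds):
    """Per-account guess rate once 'attempts' failures lock the account for
    'window_seconds': the control the text recommends against brute force."""
    return attempts / window_seconds


def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


def report(password, lockout=(5, 900)):
    """Time to exhaust the password's class offline, online, and online with
    a 5-failures-per-15-minutes lockout (assumed policy)."""
    cls = classify(password)
    cs, n = CHARSETS[cls], len(password)
    return {
        "class": cls,
        "bits": round(entropy_bits(cs, n), 1),
        "offline": human(seconds_to_exhaust(cs, n, OFFLINE_RATE)),
        "online_no_lockout": human(seconds_to_exhaust(cs, n, ONLINE_RATE_NO_LOCKOUT)),
        "online_lockout": human(seconds_to_exhaust(cs, n, lockout_rate(*lockout))),
    }


if __name__ == "__main__":
    for pw in ("12345678", "P@$$w0rd", "correcthorsebatterystaple"):
        print(pw, report(pw))
```

Note that a 14-character lower-case-only password has a larger keyspace than an 8-character password drawn from all 95 printable characters, which is why the length advice later on this page matters more than symbol rules.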

Password Management Shortcuts Weaken Security

Creating and remembering long, complex passwords is difficult for most people, and it is made even harder by the need to create passwords to protect multiple accounts; a study by NordPass suggests the average person has around 100 passwords. Many people struggle to create and remember more than one strong and unique password, so with so many accounts to secure it is unsurprising that people take shortcuts, but those password management shortcuts weaken password security.

It is common for users to avoid creating unique passwords and use the same password for multiple accounts, but if one password is compromised, either through brute force tactics, a phishing scam, or another method, all other accounts that use that password are at risk. Changing passwords slightly by adding a number or substituting characters for different accounts isn’t much more secure, and will leave accounts susceptible to brute force attacks, and writing down passwords is never a good idea.

Many businesses have implemented minimum complexity requirements for passwords, stipulating a minimum password length and composition requirements, yet it is common for employees to take shortcuts to make passwords easier to remember. It is possible to create a password that meets minimum complexity requirements yet is still incredibly weak, as the above chart shows.

Global Password Management Survey Reveals Poor Password Management Practices

The 2022 Global Password Management Survey conducted by password management solution provider Bitwarden ahead of World Password Day has revealed the password habits of Americans. While it is reassuring that 98% of Americans said they were very or somewhat familiar with password security best practices, it is a concern that 31% have experienced a data breach in the past 18 months. That is perhaps no surprise considering the survey revealed 85% of Americans reuse passwords on multiple websites.

60% say their average password length is between 9 and 15 characters (the starting point for a secure password is now considered to be 14 characters) and 49% of Americans said they rely on their memory for managing passwords, which suggests that passwords may not be particularly strong. That is clearly not the best approach considering 24% of U.S. respondents said they need to reset at least one password every day or multiple times a week. 32% write their passwords down, 23% store them in a document on their computer, and 20% store them in email accounts.

Only 30% use a password manager, which is widely considered to be the best tool for creating strong passwords and storing them securely. Password managers have strong password generators that can be used to generate truly random strings of characters for passwords that are resistant to brute force attacks, and store passwords in an encrypted vault.

Despite password managers offering businesses an easy way to improve password security, only 32% of Americans said they are required to use a password manager at work, although 68% of Americans think their employer should provide a password manager for use in the workplace.

“Despite the documented effectiveness and low cost of password managers, workplaces surprisingly often leave employees to figure password management out themselves,” said Bitwarden CEO, Michael Crandell. “Employers should pay heed to the fact that employees want to be protected.”

Password Security and Management Tips

World Password Day 2022 is the perfect time to assess password security and take steps to ensure that all accounts are properly secured with strong and unique passwords, and start following password best practices:

  • Ensure a strong, unique password is set for all accounts
  • Use a combination of upper- and lower-case letters, numbers, and symbols in passwords
  • Use easy-to-remember passphrases of at least 14 characters rather than passwords
  • Never reuse passwords on multiple accounts
  • Don’t use information in passwords that can be found in social media profiles (DOB, spouse or pet name etc.) or is known to others
  • Ensure 2-factor authentication is set up, especially for accounts containing sensitive data
  • Use a secure password generator to generate random strings of characters
  • Avoid using dictionary words and commonly used passwords
  • Use a password manager for creating strong passwords and secure storage, and set a long and complex passphrase for your password vault.

The post World Password Day 2022 – Password Tips and Best Practices appeared first on HIPAA Journal.

Why Healthcare Workers should be Using a Password Manager

Healthcare workers access electronic Protected Health Information (ePHI) on a daily basis – most often via the use of password-protected EHRs. In order to mitigate the risk of ePHI being hacked, compromised, or unavailable due to a cyberattack, healthcare workers should be using a password manager that generates, stores, and auto-fills complex passwords.

Earlier this year, HHS issued a threat brief warning about the risks to ePHI stored in EHRs. The brief identified the top five threats against EHRs as phishing attacks, malware and ransomware, encryption blind spots, cloud threats, and the misuse of credentials by employees. It also reported that the most common cause of healthcare data breaches in 2021 was compromised credentials.

According to the 2021 Data Breach Investigations Report, credentials are most often compromised by brute force attacks on weak passwords and phishing. Therefore, the best way to protect ePHI in EHRs is to use complex passwords and reinforce login credentials with two-factor authentication so that, if login credentials are exposed in a phishing attack, phishers cannot get into EHR systems.

The Issue with Complexity and 2FA

Remembering complex passwords that use a combination of upper- and lower-case letters, numbers, and special characters is difficult. In addition, complex passwords take longer to key into an EHR than short numeric or alphabetic passwords. Therefore, even if a healthcare worker remembers their password, the additional seconds spent keying the complex password into an EHR could make the difference between life and death in a medical emergency.

The issue with reinforcing login credentials with two-factor authentication (2FA) is that the time between attending a patient and accessing their EHR can be further extended if a healthcare worker has to wait for a One Time Passcode (OTP) to clear the 2FA access controls. Any delays or mistakes entering the code can have serious consequences if a healthcare worker becomes stressed (in an already stressful situation) and mistakes are made treating the patient.

How to Overcome these Issues

The way to overcome these issues is with a password manager that generates, stores, and auto-fills complex passwords and that supports Authenticator Apps. The password manager is deployed on the EHR so that, when a healthcare worker needs to access a patient’s ePHI, they do so by logging into the password manager with their master password. The password manager auto-fills the healthcare worker’s login credentials for the EHR and generates an OTP.

The process takes as long as entering a weak password (because master passwords are usually long passphrases that are easier to remember than complex passwords) and has the security advantage that healthcare workers have to physically copy and paste the OTP into the login field (usually with a click of a mouse or swipe of a screen). Therefore, as mentioned above, if login credentials have been exposed in a phishing attack, phishers cannot get into the EHR systems.

Which Password Managers have these Capabilities?

Most vault-based password managers with cross-platform synchronization have the capabilities to generate, store, and auto-fill complex passwords. Some have better support for Authenticator Apps than others; and, with regard to Authenticator Apps, it is better to use an app that generates “rolling” Time-based One Time Passcodes (TOTPs). This is because, although the passcode refreshes every thirty seconds, a code is always instantly available to be copied and pasted into the login field.

The significance of cross-platform synchronization is that patient EHRs have to be accessed from multiple locations, and the devices in these locations might not all run on the same operating system or use the same browser. Consequently, password managers such as Bitwarden are ideal for securing healthcare workers’ login credentials and protecting the confidentiality, integrity, and availability of ePHI. The Bitwarden password manager also meets the HIPAA password requirements.

Closing Thoughts on Why Healthcare Workers should be Using a Password Manager

Most of the preceding text has focused on protecting ePHI maintained on EHRs by replacing weak, hackable passwords with complex passwords, and mitigating the risk of exposing login credentials in phishing attacks. But there is another reason why healthcare workers should be using a password manager: to protect personal data when using employers’ computer systems.

One of the most surprising statistics to come out of the 2021 Data Breach Investigation Report was that 66% of the data compromised in healthcare data breaches was personal data – not medical data. The report attributes this apparent anomaly to medical data being more stringently protected than other data and attackers simply taking what they can when the opportunity presents itself.

Consequently, even if healthcare organizations do not deploy password managers to protect ePHI maintained on EHRs, healthcare workers should be using a password manager to protect their own login credentials, payment details, and other sensitive data that could be used by a hacker to commit identity fraud. This article provides a comparison of the best free and low-cost options.

The post Why Healthcare Workers should be Using a Password Manager appeared first on HIPAA Journal.

Russian State-Sponsored Actors are Exploiting MFA and the PrintNightmare Vulnerability

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint cybersecurity advisory warning that Russian state-sponsored actors are exploiting default multi-factor authentication protocols and the PrintNightmare vulnerability to gain access to networks to steal sensitive data.

These tactics have been used by Russian state-sponsored cyber actors from as early as May 2021, when a non-governmental organization (NGO) was attacked using these tactics. The threat actors were able to gain access to the network by exploiting default multi-factor authentication protocols (Cisco’s Duo MFA) on an account. The threat actors then exploited the PrintNightmare vulnerability to execute code with system privileges and were able to move laterally to the NGO’s cloud and email accounts and exfiltrated documents. PrintNightmare is a critical remote code execution vulnerability (CVE-2021-34527) in the print spooler service of Microsoft Windows.

The attackers were able to enroll a new device in the NGO’s Duo MFA using compromised credentials, which were obtained in a brute force attack that guessed a simple, predictable password. The account had been unenrolled from Duo after a long period of inactivity but had not been disabled in Active Directory. In the default setting, Duo allows the re-enrollment of new devices for dormant accounts, which allowed the attackers to enroll a new device, complete the authentication requirements, and gain access to the network. The PrintNightmare vulnerability was then exploited and privileges were elevated to admin level.

The threat actors were able to change the configuration of Duo MFA to call localhost rather than the Duo server, which disabled multi-factor authentication for active domain accounts, as the default policy of Duo on Windows is to fail open if the MFA server cannot be reached. Using compromised credentials without MFA enforced allowed the threat actors to move laterally to the NGO’s cloud environment and email accounts.

Russian state-sponsored actors are adept at exploiting poorly configured MFA systems to gain access to networks to steal sensitive data. These tactics can be used on other misconfigured MFA systems. These tactics do not depend on a victim using Cisco’s Duo MFA.

CISA and the FBI have provided a list of mitigations to prevent these tactics from succeeding. It is important to set strong, unique passwords for all accounts and passwords should not be stored on a system where an adversary may have access. Consider using a password manager. These solutions have strong password generators which can help to prevent users from setting vulnerable passwords. To make it harder for brute force attacks to succeed, organizations should implement time-out and lock-out features after a set number of failed login attempts.

The FBI and CISA say MFA should be enforced for all users, without exception. However, before implementing MFA, configuration policies should be reviewed to protect against fail open and re-enrollment scenarios. Inactive accounts in Active Directory and MFA systems should be disabled, network logs should be monitored for suspicious activity and unauthorized or unusual login attempts, and software and operating systems should be kept up to date, with patching prioritized to address known exploited vulnerabilities first.
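The precondition the advisory describes (an account still enabled in Active Directory, long inactive, and unenrolled from MFA) is something a defender can audit for. The added example below (not code from CISA, the FBI or Duo) runs that check over a constructed export that joins AD account data with the MFA system’s enrollment list; the column names, the 90-day dormancy threshold and the fixed clock are assumptions to be mapped onto a real export.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: an AD export joined with the MFA system's enrollment list.
SAMPLE_EXPORT = """\
sam_account,enabled,last_logon,mfa_enrolled
jdoe,true,2022-03-01T09:12:00Z,true
svc_backup,true,2021-01-15T02:00:00Z,false
alice,true,2022-02-20T17:45:00Z,true
former_staff,true,2021-05-02T08:30:00Z,false
retired_acct,false,2020-11-11T11:11:00Z,false
"""

NOW = datetime(2022, 3, 15, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
INACTIVE_AFTER = timedelta(days=90)               # assumed dormancy threshold


def parse_export(text):
    """Parse the CSV export into typed rows (UTC timestamps, booleans)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": r["sam_account"],
            "enabled": r["enabled"].strip().lower() == "true",
            "last_logon": datetime.fromisoformat(r["last_logon"].replace("Z", "+00:00")),
            "mfa_enrolled": r["mfa_enrolled"].strip().lower() == "true",
        })
    return rows


def audit(rows, now=NOW, inactive_after=INACTIVE_AFTER):
    """Return {account: issue} for dormant accounts that are still enabled.
    Disabled accounts are skipped: a disabled AD account cannot authenticate
    even if someone re-enrolls a device for it in the MFA system."""
    issues = {}
    for r in rows:
        if not r["enabled"]:
            continue
        if now - r["last_logon"] <= inactive_after:
            continue
        if r["mfa_enrolled"]:
            issues[r["account"]] = "dormant but still enabled: disable in AD"
        else:
            issues[r["account"]] = ("dormant, enabled and unenrolled from MFA: "
                                    "disable in AD and in the MFA system")
    return issues


def reenrollment_exposed(rows, **kwargs):
    """Accounts matching the advisory's precondition exactly: enabled,
    dormant, and unenrolled, so a re-enrollment default would accept them."""
    return sorted(account for account, issue in audit(rows, **kwargs).items()
                  if "unenrolled" in issue)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for account, issue in audit(rows).items():
        print(f"{account:14} {issue}")
    print("re-enrollment exposed:", reenrollment_exposed(rows))
```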

The post Russian State-Sponsored Actors are Exploiting MFA and the PrintNightmare Vulnerability appeared first on HIPAA Journal.

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised.

Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering.

The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a recent study commissioned by New Zealand-based Mobile Mentor and conducted by the Austin, TX-based Center for Generational Kinetics. The aim of the study was to explore the Endpoint Ecosystem to understand how employees perceive privacy, productivity, and personal well-being in the modern workplace. The Endpoint Ecosystem is the combination of all devices, applications, and tools that are used by employees coupled with the experiences of employees using technologies.

The survey was conducted on 1,500 employees in highly regulated industries such as government, healthcare, education, and finance in the United States and Australia, and the findings are detailed in the Mobile Mentor report, The Endpoint Ecosystem – 2022 National Study.

Employees are Taking Security Risks

The survey confirmed what other studies have found – The pandemic has led to the workforce becoming much more distributed and employers have had difficulty adapting to this new way of working and ensuring security policies are implemented and enforced that are well suited to the change in how employees are working.

One of the major findings was a lack of awareness about security policies and a failure of employers to provide security awareness training to the workforce. 27% of employees said they saw security policies less than once a year and 39% said they receive security awareness training less than once a year. Healthcare and education employees were the least likely to see security policies and employees often felt they were not adequately trained to protect company data.

41% of respondents said security policies implemented by their employers restricted the way they work, and 36% of employees said they had found a way to work around security policies. The use of shadow IT – applications and services that have not been authorized by the IT department – was found to be out of control. Workers are routinely using unregulated apps and services for work activities, which can involve regulated data. Employees commonly used services such as Gmail and Dropbox because they believe it makes them more efficient, even though the use of those services has an impact on security.

Interestingly, while remote working is viewed as a security risk, remote workers appeared to be much more tech-savvy, were more aware of security and privacy policies, and were more careful with their passwords. That said, workers are allowing family members to use their work devices – 46% of younger workers said other family members use their work devices.

The lines are getting blurred between device use for personal and work purposes. Overall, 64% of respondents said they use personal devices for work, but only 31% had a secure BYOD program. 57% of younger workers said they use work devices for personal use and 71% said they used personal devices for work. Many employers are failing to address the security risks associated with the use of personal devices for work purposes and work devices for personal use.

Poor Password Hygiene is a Major Security Risk

One of the main security risks identified in the study related to passwords. Poor password hygiene is a major security risk. 80% of cyberattacks start with a compromised password. One of the findings, mirrored by a recent IDC survey, is employees have too many passwords to remember. While password policies may be in place – and enforced – they are often circumvented. 69% of respondents said they choose passwords that are easy to remember, 29% of employees said they write down their passwords in a personal journal, and 24% said they store work passwords on their phones. While many of the security problems associated with passwords can be solved by using a password manager, only 31% of respondents used one.

The survey revealed employees are much more concerned about personal privacy than security, with healthcare employees the most concerned about protecting personal privacy. Mobile Mentor suggests that healthcare employers looking to improve security need to teach employees that privacy and security are two sides of the same coin.

“When the endpoint ecosystem works well, you have a secure, productive, and happy workforce. It’s always been important, but it became urgent over the last two years when the pandemic forced more people to work remotely, cybersecurity attacks increased, and the Great Resignation forced employers to rethink how they support their employees,” said Denis O’Shea, founder of Mobile Mentor. “Until employers prioritize the importance of each component within the Endpoint Ecosystem, their company security and employee productivity are going to be exposed to serious risk.”

The post Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk appeared first on HIPAA Journal.

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised.

Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering.

The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a recent study commissioned by New Zealand-based Mobile Mentor and conducted by the Austin, TX-based Center for Generational Kinetics. The aim of the study was to explore the Endpoint Ecosystem to understand how employees perceive privacy, productivity, and personal well-being in the modern workplace. The Endpoint Ecosystem is the combination of all devices, applications, and tools that are used by employees coupled with the experiences of employees using technologies.

The survey was conducted on 1,500 employees in highly regulated industries such as government, healthcare, education, and finance in the United States and Australia, and the findings are detailed in the Mobile Mentor report, The Endpoint Ecosystem – 2022 National Study.

Employees are Taking Security Risks

The survey confirmed what other studies have found – The pandemic has led to the workforce becoming much more distributed and employers have had difficulty adapting to this new way of working and ensuring security policies are implemented and enforced that are well suited to the change in how employees are working.

One of the major findings was a lack of awareness about security policies and a failure of employers to provide security awareness training to the workforce. 27% of employees said they saw security policies less than once a year and 39% said they receive security awareness training less than once a year. Healthcare and education employees were the least likely to see security policies and employees often felt they were not adequately trained to protect company data.

41% of respondents said security policies implemented by their employers restricted the way they work, and 36% of employees said they had found a way to work around security policies. The use of shadow IT – applications and services that have not been authorized by the IT department – was found to be out of control. Workers are routinely using unregulated apps and services for work activities, which can involve regulated data.  Employees commonly used services such as Gmail and Dropbox because they believe it makes them more efficient, even though the use of those services has an impact on security.

Interestingly, while remote working is viewed as a security risk, remote workers appeared to be much more tech-savvy, were more aware of security and privacy policies, and were more careful with their passwords. That said, workers are allowing family members to use their work devices – 46% of younger workers said other family members use their work devices.

The lines are getting blurred between device use for personal and work purposes. Overall, 64% of respondents said they use personal devices for work, but only 31% had a secure BYOD program. 57% of younger workers said they use work devices for personal use and 71% said they used personal devices for work. Many employers are failing to address the security risks associated with the use of personal devices for work purposes and work devices for personal use.

Poor Password Hygiene is a Major Security Risk

One of the main security risks identified in the study related to passwords. Poor password hygiene is a major security risk: 80% of cyberattacks start with a compromised password. One of the findings, mirrored by a recent IDC survey, is that employees have too many passwords to remember. While password policies may be in place – and enforced – they are often circumvented. 69% of respondents said they choose passwords that are easy to remember, 29% of employees said they write down their passwords in a personal journal, and 24% said they store work passwords on their phones. While many of the security problems associated with passwords can be solved by using a password manager, only 31% of respondents used one.

The survey revealed employees are much more concerned about personal privacy than security, with healthcare employees the most concerned about protecting personal privacy. Mobile Mentor suggests that healthcare employers looking to improve security need to teach employees that privacy and security are two sides of the same coin.

“When the endpoint ecosystem works well, you have a secure, productive, and happy workforce. It’s always been important, but it became urgent over the last two years when the pandemic forced more people to work remotely, cybersecurity attacks increased, and the Great Resignation forced employers to rethink how they support their employees,” said Denis O’Shea, founder of Mobile Mentor. “Until employers prioritize the importance of each component within the Endpoint Ecosystem, their company security and employee productivity are going to be exposed to serious risk.”

The post Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk appeared first on HIPAA Journal.

Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw

An advanced persistent threat (APT) actor has been conducting an espionage campaign that has seen the systems of at least 9 organizations compromised. The campaign targeted organizations in a range of critical sectors, including healthcare, energy, defense, technology, and education.

The campaign was identified by security researchers at Palo Alto Networks. While the identity of the hacking group has yet to be confirmed, the researchers believe the attacks were most likely conducted by the Chinese state-sponsored hacking group APT27, aka Iron Tiger, Emissary Panda, TG-3390, and LuckyMouse, based on the use of hacking tools and techniques that match previous APT27 activity.

The campaign exploited a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, an enterprise password management and single sign-on solution developed by Zoho. Successful exploitation of the flaw allows remote attackers to execute arbitrary code and take full control of vulnerable systems.

On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory warning that exploits for the flaw were in the public domain and were being used by APT actors to install web shells on vulnerable servers to gain persistent access.

Palo Alto Networks said a second campaign was then identified that involved extensive scans for vulnerable servers using leased infrastructure in the United States. Vulnerable systems that had not been patched against the vulnerability started to be attacked from September 22, 2021, with those attacks continuing throughout October.

The attackers deployed a web shell called Godzilla, with a subset of victims also having a new backdoor called NGlite installed. The backdoor or web shell was then used to run commands and move laterally within victims’ environments, with sensitive data exfiltrated from victims’ systems. When the attackers located a domain controller, they installed a new credential-stealing tool dubbed KdcSponge, and harvested credentials and exfiltrated files such as the Active Directory database file (ntds.dit) and the SYSTEM hive from the registry.

Palo Alto Networks said its scans indicate there are currently around 11,000 servers running the Zoho software, although it is unclear how many of them have been patched against the CVE-2021-40539 vulnerability. The researchers said the APT group attempted to compromise at least 370 Zoho ManageEngine servers in the United States alone.

The post Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw appeared first on HIPAA Journal.

Cybersecurity Awareness Month: Put Cybersecurity First

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First”, with the focus on getting the message across to businesses about the need for cybersecurity measures to address vulnerabilities in products, processes, and people.

Cybersecurity Advice for Companies

One study suggests 64% of companies worldwide have experienced some form of cyberattack and the rate at which attacks are occurring is increasing. It is essential for companies to ensure that cybersecurity measures are incorporated when developing apps, products, or new services and for cybersecurity to be considered at the design stage. Safeguards need to be baked into products from the start. Cybersecurity should not be an afterthought.

Businesses need to have a thorough understanding of their IT environment and what assets need to be protected. An inventory should be created for all assets and the location of all sensitive data should be known. A plan then needs to be developed to protect those assets, which should include overlapping layers of protection using technologies such as firewalls, spam filters, web filters, antivirus software, endpoint detection systems, encryption software, and backup solutions. Patch management is also key. Software and firmware updates should be applied promptly, with priority given to patching the most serious vulnerabilities.

Businesses should adopt the mindset that a cyber breach is inevitable, which means they need to know how they will respond to an attack when it occurs. A business continuity plan should be developed and tested. The plan should include emergency protocols for while systems and data are inaccessible, the restoration of systems and data, communication with stakeholders, compliance, and reporting breaches to appropriate authorities. Having an incident response plan in place ensures the business can continue to function in the event of a cyber breach; it will also greatly speed up recovery and help to keep breach costs to a minimum.

FBI Raises Awareness of the Ransomware Threat

This week, the Federal Bureau of Investigation (FBI) is raising awareness of the threat from ransomware. Ransomware is a type of malware used to encrypt files to ensure they cannot be accessed. A ransom demand is then issued for the keys to decrypt files, although there are no guarantees that file recovery will be possible even if the ransom is paid. It is also now common for sensitive data to be stolen before file encryption, with threats issued to publish or sell the data if the ransom is not paid.

Access to computers and networks is gained by exploiting vulnerabilities, conducting brute force attacks to guess weak passwords, and most commonly, through phishing emails. Links are sent in emails that direct users to websites where they are asked to provide their login credentials or download files containing malware. Oftentimes attachments are included in emails that have macros and other scripts that download malware that provides the attackers with persistent access to devices and networks.

Steps recommended by the FBI to avoid ransomware attacks include keeping software up to date, applying patches promptly, using anti-malware software on all devices, backing up data regularly and storing backups offline, and educating employees about how to identify phishing emails and other threats.

Security awareness training for the workforce is vital. Employees are the last line of defense and they are often targeted by cybercriminals. Employees should receive security awareness training during the onboarding process and should be provided with the tools they need to help them keep their company safe, with training regularly provided throughout employment.

Cybersecurity Advice for Individuals

Individuals are being encouraged to take greater care when using products and services to ensure that cybersecurity best practices are followed. That process needs to start before any purchase is made, with cybersecurity considered before signing up for a new service or buying a new product to ensure the company is legitimate.

When new devices, apps, or services are used, individuals should consider applying measures to secure their accounts and check privacy and security settings. Default passwords should be changed with strong, unique passwords set for all accounts. A password manager should be considered as this will help with the generation of secure passwords for all accounts and will mean users do not have to remember complex passwords. It is also important to set up multi-factor authentication on all accounts to ensure they remain protected if passwords are compromised.

The post Cybersecurity Awareness Month: Put Cybersecurity First appeared first on HIPAA Journal.