Posts Authored by S. Courter Shimeall

The need for a cybersecurity plan: Another reminder

We’ve reported on several recent cybersecurity issues confronting businesses, including when hackers took over a California hospital’s network and demanded payment as ransom, the Sony hack, the Home Depot data breach, the Anthem data breach, and the Target data breach, just to name a few. These are constant reminders from just the past year of the cybersecurity dangers lurking. 

The Washington Post provides us with another reminder that these issues aren’t going to die down any time soon. Their article, titled “The hackers that took down Sony Pictures are still on the attack, researchers say,” explains that hacking and data breaches are a constant and continuing issue. Organizations are well advised to have policies and procedures in place to prevent and respond to the present-day cybersecurity landscape. 

The article includes a few key passages:

  • "[R]esearchers say they've linked the [Sony] attackers...to a chameleon-like group active since at least 2009 and still on the digital warpath[.]"
  • "A new report from cybersecurity firm Novetta dubs the attackers the 'Lazarus Group' – a reference to a biblical figure that comes back from the dead – because it seems to rise up with new identities for different campaigns."
  • "The researchers say they've found evidence of campaigns by the group attacking targets across the government, military, financial, media and entertainment, and critical infrastructure sectors in the United States and several different countries in Asia[.]"
  • "[C]hasing the attacks back to their sources has been difficult because the group has taken steps to hide their path. 'They like to hack innocent servers and then use them as command and control structures,' using the compromised systems to help shield the hackers' true location, said [Juan] Guerrero [a senior security researcher at Kaspersky Lab]."
  • "[T]he researchers say [the Lazarus Group] is a formidable digital opponent. 'We have a very clear group or organization that is extremely well-organized, well-motivated, and has a continued trajectory and interest in a specific type and area or region of attack,' said [Andre] Ludwig [a senior technical director at Novetta]."
Data Breach, General News

Hospital pays (reduced) ransom

The cyber-attack involving Hollywood Presbyterian Medical Center in Los Angeles came to a quick end. The hospital had been the victim of a cyber-attack that shut down its network. Hackers found a way into the hospital’s system, then used a type of malware known as ransomware to disable the hospital’s computer systems. Initial reports indicated that the hackers demanded upwards of $3.6 million to get the systems back up and running. The hospital’s president and CEO, Allen Stefanek, however, issued a letter stating that the hospital ended up paying about $17,000. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” he said.

These kinds of attacks are not new or even unique to hospitals, but they are on the rise. The hospital’s situation, along with the increase in frequency of cyber-attacks, highlights the need to take steps on the front end to prevent these kinds of attacks and to have a plan in place in the event that such an attack does occur. Recognizing that preventing all attacks is unrealistic, most organizations are well advised to create redundant data stores so that operations can continue if the primary data store is held hostage. Other suggestions from the FBI can be found here.

Data Breach, General News

President Obama takes additional action on cybersecurity

On February 9, President Obama signaled his — and Washington’s — increasing focus on cybersecurity; his 2017 budget proposal included $19 billion directed toward cybersecurity-related issues. In addition to this budget proposal, the president issued an executive order creating two new cybersecurity initiatives: the Commission on Enhancing National Cybersecurity and the Federal Privacy Council. The commission will be composed of leaders in public and private sector commerce and law enforcement and is set to make recommendations to the president by December 1, 2016, on improving online security in America. The Federal Privacy Council includes the lead privacy officials at 25 federal agencies and is charged with coordinating the protection of government data. The president also indicated plans to establish a Chief Information Security Officer position at the federal level. (More information regarding these efforts can be found here and here.)

Legislation

Congressional action on cybersecurity may ramp up by spring

Congress is actively working to tighten cybersecurity regulations in 2016. A recent article from The Hill quotes Representative Randy Neugebauer (R-Texas) as saying he's hoping Congress will pass data breach security legislation by the spring. 

"It's important to the (financial services) industry, (and) it's important to the American people to be assured their data is secured," Neugebauer told The Hill.

At issue is whether there will be one bill or two. 

In December, the House Financial Services Committee advanced a bill introduced by Neugebauer that would "set nationwide data security standards and require businesses to notify customers following a breach." The Energy and Commerce Committee then introduced a competing bill, and Republicans and Democrats are now arguing over whether the future federal law would supersede state data security regulations. 

Rep. Neugebauer’s bill, if it comes to fruition, would be a big deal. As we’ve written about in the past, there’s currently a patchwork of regulations that vary state-by-state to govern notification standards in the event of a breach. Having one standard would simplify the law and, in theory, be easier and cheaper for businesses to manage. On the other side, smaller retailers disagree. They argue that Neugebauer's bill would be too burdensome for modest businesses and would allow other companies to avoid regulation altogether.

Legislation

Cybersecurity predictions for 2016

Keeping up on what is happening with cybersecurity can be a challenge as security issues and advancements are constantly changing. Preparing for the future by anticipating what is to come is a smart strategy for 2016 planning. USA Today, Columbus Business First and The Huffington Post provide some noteworthy forecasts for what is to come in the world of cybersecurity this year.

General News, Prevention