privacy under siege

CAN PRIVACY STILL BE PROTECTED? THE LATEST DEVASTATING NHS BREACH, PLUS THE WIKILEAKS REVELATIONS ON THE CIA'S HACKING METHODS, HAVE CAST A LONG SHADOW OVER THE RIGHT TO KEEP DATA SAFE AND SECURE

In the largest leak of CIA documents to date, Wikileaks recently disclosed the tools that the agency allegedly uses to hack computers, phones and smart TVs around the world. The agency's apparent ability to compromise Apple and Android smartphones with ease is especially troubling, since spies can then read the private information held on those devices, including photos, emails, texts and videos. Further, a program called Weeping Angel even turns Samsung smart TVs into covert listening devices that keep operating while the set appears to be switched off, recording conversations and sending them over the Internet to a covert CIA server.

While it's understandable that governments take advantage of new technologies in their operations, it's also possible that the CIA's newly disclosed hacking methods will cause more harm than benefit. The cyberweapons described include programs that crash a targeted computer or steal passwords, and malware that records keystrokes on a mobile device, capturing what the user types before it is ever encrypted and so sidestepping the encryption rather than breaking it.

VULNERABLE TO ATTACK

"Since it seems that the government deliberately targets smart devices, it is possible their techniques might be exploited by criminals, hackers and also other governments," says Marty P. Kamden, CMO of NordVPN, a Virtual Private Network provider. "Our devices should be made safer, not more vulnerable."

Unfortunately, the decline of digital freedom and the growth of government surveillance is not an isolated incident, but a rising trend. According to Freedom House, Internet freedom has been in decline for six straight years, and there's no sign of it stopping.
Recently, there have been major crackdowns on Internet liberty around the world, such as the introduction of strict data retention laws (for example in the UK and Poland), laws aimed at communications apps such as WhatsApp and Viber, and the blocking of certain social media sites. "These crackdowns on communications apps and social media sites go hand-in-hand with attempts to limit citizen privacy and increase mass surveillance. For example, Americans fear that the new administration might 'erode cyber privacy', and the UK now has an unprecedented surveillance law that allows for mass hacking, among other things - which could lead to massive data breaches," according to NordVPN.

The good news is that, even though the CIA can access and tinker with people's devices, properly implemented encryption remains out of reach even for government spies. NordVPN recommends using privacy tools such as VPNs, which hide the user's true location (IP address) and encrypt the traffic travelling between the device and the VPN server, making the user far harder to track. The caveat, evident from the leaked documents themselves, is that a VPN protects data in transit, not a device that has already been compromised: a keylogger on the phone sees what is typed before any encryption is applied. NordVPN points to how it helps anonymise Internet browsing with its modern security protocols and no-logs policy. WhatsApp, Signal and Telegram still remain encrypted communication apps, and, for safe emailing, there are encrypted email providers such as ProtonMail.

It is likely that the CIA will not change its hacking policies and that everyone's privacy will be even more challenged in the future, the company comments. "The only solution for private citizens seems to be taking their online privacy into their own hands." NordVPN believes that, by taking the right precautions, people can still guard their privacy online. "In addition to using encryption and safe communication apps, Internet users need to be careful not to click on strange emailed links, not to download from unofficial app marketplaces, to always have strong passwords and to be generally cautious when sharing information online."

computing security, May/June 2017, @CSMagAndAwards

HEALTH WARNING

All of which would have been excellent advice for the many NHS Trusts across the UK whose systems were so badly hit recently (see also page 5). In light of the WannaCry ransomware attack, which hit more than 150 countries in total, a new report from SolarWinds MSP highlights what it describes as businesses' over-confidence in their cybersecurity defences. The report reveals that 87% of UK and US businesses consider their cybersecurity readiness robust, despite 71% having reported breaches within the last 12 months. Some 77% of UK and US businesses also said that they had suffered a tangible loss as a result, such as monetary impact, operational downtime, legal action or the loss of a customer or partner.

While Microsoft was quick to release a software update to counter the WannaCry attack, the SolarWinds MSP report shows that businesses are, by contrast, somewhat complacent about their cybersecurity procedures, including their response to a breach. For UK businesses, the company states:

- Only 43% implemented new security technology following a breach
- Only 29% enforce and audit security policies; the rest either do so only occasionally or without controls, or not at all
- Only 13% consider user training a priority, with the rest reinforcing it at best once a year
- 23% have no mechanism in place for reporting vulnerabilities.

SolarWinds MSP has also calculated that, based on the volume of personally identifiable information typically held by SMBs and enterprises, the typical cost of a single data breach is £59,000 to a UK SMB and £724,000 to a UK enterprise.
PATCHING SYSTEMS

While it's widely acknowledged that there's little hospitals can do to prevent ransomware and other cyberattacks outright, given user error and susceptibility to phishing, there's been much conversation around mitigating these attacks by patching systems. "Patch early and patch often is good advice," comments Imprivata, "and should always be observed." But it adds the caveat that, when it comes to these types of cyberattacks, patching alone doesn't stop the problem. "It only stops the propagation of the malware." Why? Because, it states, the real source of the problem isn't the systems; it's the users who initially downloaded the malware onto their computers.

So, if you have to assume that your systems are going to get compromised, how do you build resiliency around your users? How, as a healthcare industry, do we focus beyond keeping the bad guys out, on keeping our systems running?

"First, and as part of a best-practices systems hardening approach, we've got to manage user-system privileges," advises Imprivata. "The majority of users in clinical settings have full admin rights to their systems. In many cases, admin access is necessary in order for users to access legacy applications. But, if a user can't control software or run software that's not vetted by IT, why should they have admin-level privileges? It's too easy for a user in a rush to click on a link and download malware hidden in an attachment." The company says that it has learned from interaction with its customers that anywhere from 8% to 28% of users will click on a malicious link in their email. "Phishing exercises and other methods of user education can be helpful tools to prevent user error, but to truly manage user vulnerability, hospital IT teams should adhere to the principle of least privilege," Imprivata cautions.
"Take steps to limit admin rights or, at the very least, ensure that machines with admin access can be locked down or quarantined immediately, in the event of a cyber incident."
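As an added illustration of the least-privilege step Imprivata describes (this is example code, not Imprivata's own tooling or anything from the article), the script below audits the local Administrators group on a Windows endpoint against an approved list and, only when run with -Enforce, removes every other member. The approved list, the report path and the "Workstation Admins" group name are assumptions to be replaced with your own; the script relies on the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and must be run from an elevated session.

```powershell
# Added example, not from Imprivata or the article. Audits local admin rights
# against an allow-list and optionally enforces it. Run without -Enforce first
# (or with -Enforce -WhatIf) to see what would be removed on each machine.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical allow-list: the built-in local Administrator plus two domain
    # groups. Names must match the "DOMAIN\Name" form Get-LocalGroupMember returns.
    [string[]]$Approved = @(
        "$env:COMPUTERNAME\Administrator",
        "$env:USERDOMAIN\Domain Admins",
        "$env:USERDOMAIN\Workstation Admins"
    ),
    [switch]$Enforce,
    # Assumed report location; point it at a share your central IT team collects.
    [string]$ReportPath = "$env:ProgramData\admin-audit.csv"
)

# Who currently holds admin rights on this machine?
$members    = Get-LocalGroupMember -Group 'Administrators'
$unapproved = $members | Where-Object { $_.Name -notin $Approved }

# Always write a report, so the estate-wide picture is visible even in audit mode.
$members |
    Select-Object @{ n = 'Computer';        e = { $env:COMPUTERNAME } },
                  Name, ObjectClass, PrincipalSource,
                  @{ n = 'Approved';        e = { $_.Name -in $Approved } },
                  @{ n = 'AuditedAt';       e = { (Get-Date).ToString('s') } } |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($m in $unapproved) {
    if ($Enforce) {
        # ShouldProcess honours -WhatIf / -Confirm, so a dry run is always possible.
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        }
    } else {
        Write-Warning "Unapproved administrator on $($env:COMPUTERNAME): $($m.Name) ($($m.ObjectClass))"
    }
}

# Non-zero exit lets a deployment tool flag machines that still grant excess rights.
exit ([int]($unapproved.Count -gt 0 -and -not $Enforce))
```

Run it in audit mode across the estate first and review the CSVs: the legacy applications Imprivata mentions will surface as users who genuinely need elevation, and those are better handled with a per-application exception than by leaving the whole account in Administrators. On builds without the LocalAccounts module, `net localgroup Administrators` lists the same membership for a manual check.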