Contact Tracing Apps
My team asked in this week’s meeting for some guidance on the release of the contact tracing apps. When they want to know something, we usually talk about it here too, assuming that others may be pondering the same things.
My answer: I am not a fan. I did some research on the apps, and once I read this article – COVID-19 Contact Tracing Apps Spotlight Privacy, Security Rights – I didn’t need to dig much further. There are too many gaps in the process when you consider the amount of data these apps will be accumulating.
Yet another HIPPPAAA in the wild with a confusing message
Oh and another misuse of HIPAA
This one popped up out of all the “Karen” memes when a lady used HIPAA as the reason she should be allowed into a store without a mask, citing a medical condition that, in her view, HIPAA did not require her to divulge.
I have a medical condition that says I am not allowed to wear a mask and I am not required under HIPAA rules and regulations to disclose that.
2020 Data breach stats good news and not so good news
Another important alert from CISA about home routers. If you aren’t worrying about these things and have folks working from home, you are just cruisin for a bruisin. https://www.us-cert.gov/ncas/current-activity/2020/06/29/netgear-router-vulnerabilities
Verizon DBIR 2020
Great quote in the introduction of the 2020 Verizon DBIR. It points to something we have said for years, but in a much more succinct way.
Experience is merely the name men gave to their mistakes.
—Oscar Wilde, The Picture of Dorian Gray
The team that does this report each year, this being the 13th, are true data geeks. It is fascinating to read if you really like statistics and data analytics. This year they evaluated a total of 157,525 incidents, which is more than ever before. Of those incidents, 32,002 met their standards to be included in the data, and of those, 3,950 were confirmed data breaches. That is a lot of data from across industries and continents to evaluate and compare.
They really stepped things up this year: they are aligning to the CIS 20 controls and narrowing down specific information on the activity within each of the 16 verticals.
Overall Data Breach Summaries
Info that looks at all industries and all countries gives us the benchmark to compare healthcare’s numbers against. Keep in mind that some of these stats reflect that the same event can show up in multiple numbers. That messes with me sometimes, because I want it to be exactly 100% when I add things up.
Good news is that 89% of the breaches used just 3 different tactics: Hacking at 45%, followed by “Errors were causal events” and Social attacks, both at 22%. When you add in that 17% involved malware, you cover the vast majority of the attack methods. In theory that gives us 4 things to worry about, but we know that isn’t even close to what we should be worried about.
Perpetrators also fall primarily into three groups: 70% “External actors”, 55% organized crime, followed by 30% internal actors. That last bit isn’t good at all. This one in particular shows how the numbers don’t add up to 100%, because it can involve
Here are some other key points:
81% were contained in days or less once they were found
58% included personal data compromises
86% financially motivated
72% large businesses
28% small businesses
37% used stolen credentials
27% of all malware was Ransomware (keep in mind they don’t always treat ransomware as a data breach, as we now need to do in healthcare)
22% of all breaches involved Phishing
Insiders vs Insiders
Some of their assessments of the information I kind of disagree with, just because they look at it differently than we do.
Nevertheless, it is a widely held opinion that insiders are the biggest threat to an organization’s security, but one that we believe to be erroneous. Admittedly, there is a distinct rise in internal actors in the dataset these past few years, but that is more likely to be an artifact of increased reporting of internal errors rather than evidence of actual malice from internal actors.
They see the data as if the only time to worry about insiders is when they are actually malicious actors. We see insider issues as falling into any of three types: Malicious, Intentional Non-Malicious, and Negligent. They only count one of those categories in their stats. They point out that financial attacks by outsiders are the number one thing they find. Fair enough, if you don’t count the ways that insiders let them in as part of the problem.
For those who insist they don’t need to secure things because they have nothing important
Yet again, they make it very clear that your systems and your access are just as valuable to attackers as money.
When we look at criminal forums and underground data, 5% refer to a “service.” That service could be any number of things including hacking, ransomware, Distributed Denial of Service (DDoS), spam, proxy, credit card crime-related or other illicit activities. Worse still, that “service” may just be hosted on your hardware. The simple fact is this:
If you leave your internet-facing assets so unsecured that taking them over can be automated, the attackers will transform your infrastructure into a multi-tenant environment.
The services criminals provide to attack others could be hosted on your equipment, with automated attacks that find the device, load the services and start attacking others within minutes if not seconds. That is why they see the motive behind the attacks as most likely starting out financial. Once the attackers get whatever they can there, they shift to a secondary use for their foothold in your network or devices.
Who are these financial attackers we speak of? How about organized crime. Just as we have been discussing for over a year now, this is no longer a bunch of people in the dark in a hoodie. If that is what you still picture as a “hacker”, it is like seeing someone walking down the street using an old flip phone. Not the new ones, one of the old ones that were cool in 2006.
How is healthcare
Their summary:
Financially motivated criminal groups continue to target this industry via ransomware attacks. Lost and stolen assets also remain a problem in our incident dataset. Basic human error is alive and well in this vertical. Misdelivery grabbed the top spot among Error action types, while internal Misuse has decreased.
—Verizon 2020 Data Breach Investigations Report – Healthcare summary
Keep in mind that they classify data breaches in these lists using their own standards, not the OCR standards. That means that many cases that they consider not a data breach
Good news! Healthcare insider issues have finally gone down, but they won’t commit to saying it is a pattern. It went from 23% to 8.7%, which is great. But they were not quite sure if this is just a blip, so we’re not committing to saying it is officially an improvement either.
The last little bit that they included about healthcare is more of the scary fun stuff. They’re talking about how the time required to compromise and exfiltrate data has been getting smaller overall in the data set, but the time for an organization to notice that it has been breached isn’t keeping pace. That gap is the root issue we must all worry about these days. Every trend we are seeing involves fewer of the automated malware attacks that never get inside your network, and more attacks that actually infiltrate it.
We all know the world we live in right now is pretty chaotic, and people are doing really unexpected things, which we call crazy here. With financial gain as the primary objective, the economies of the world experiencing declines due to the virus, and the virus pushing us into uncharted territory, there is only more fuel for the fires burning inside your networks and systems. Find a way to take action now to check your security, or the ability to get things done could get much harder and more complicated overnight.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!