The Internet of Things Security: Hacking Healthcare

One of the greatest technological achievements to date by far is the creation of the Internet. Not only did its emergence shake the entire world, effectively changing almost every aspect of our lives, but it has connected us all not only as a nation, but as a globe. Starting out with computers the size of walls and evolving to the laptops and smartphones of today, the Internet has become involved in more things than most had ever imagined. The most recent and rapidly-expanding Internet-related development is what is known as the Internet of Things.

The Internet of Things (IoT) is a term coined in 1999 by Kevin Ashton, executive director of the Auto-ID Center, that is used today to describe the network of physical devices which are embedded with technology that enables them to collect and exchange data via the Internet. Devices connected through IoT are commonly referred to as “smart devices” or “connected devices,” and they include a wide range of items, from baby monitors, to cars, to kitchen appliances, and even light bulbs. Anything connected to the Internet falls under this broad category of the Internet of Things, so it is safe to say that IoT affects more areas of our lives than we may have once thought.

While it is an incredible feat that so many different and unique things are now connected via the Internet, IoT can also be an incredibly dangerous thing.

IoT Vulnerabilities, Real World Threats

As we have come to know all too well, when it comes to the Internet, anything that can be hacked, will be hacked. And while it may be an inconvenience to have your favorite social media site shut down because of a cyber-attack, or a major setback for a company’s image if they experience a data breach caused by phishing, IoT threats are different because they can have real-life, physical repercussions–a far greater and more lethal risk than any other cyber-threat.

Last year, hackers were able to remotely hack into a Jeep Cherokee’s Wi-Fi-enabled entertainment system, giving them access to the entire car–including its dashboard functions, brakes, and the car’s transmission. From across the country, these hackers were able to play with the car’s various features including the air conditioning and sound systems, and then suddenly, these hackers were able to cut the car’s transmission as it was going 70 mph down a major highway. While these ‘hackers’ were actually just researchers, Charlie Miller and Chris Valasek, testing their car-hacking research on a well-aware driver, the thought that in a similar situation, the Internet of Things could possibly be used by malicious actors to hurt or even kill a driver or other unsuspecting victims is terrifying to say the least.

IoT threats in the Healthcare Industry

Car hacking is not the only real-world, physical threat driven by IoT, as the healthcare industry has found a few IoT-related vulnerabilities of its own.

As more and more modern medical devices are being developed, they are adding to the collection of connected devices encompassed by IoT; however, many healthcare professionals have found that with these more advanced devices come more advanced cyber-threats as well.

One of the most recent and notable of these is the threat to Johnson & Johnson’s Animas One Touch Ping insulin pump. This insulin pump is special in that it is equipped with a remote control so that users do not need to remove their clothing to give themselves a dose of insulin. The problem with this is that the wireless connection between the remote and the pump is unencrypted, and consequently, highly vulnerable. Because of this, the pump can be hacked within a 25-foot radius of the user, and with the right radio equipment, a hacker can take control of the pump and trigger unauthorized insulin injections.

Not only does this threaten a specific device, but in some cases, it gives hackers access to the entire hospital’s system. Similar to the car hacking instance, this not only poses immediate cyber-threats, but it could have deadly repercussions, as different diabetes patients need varying levels of insulin at different times. A malicious person could hack into these insecure devices and literally kill someone, so it is time that the healthcare industry started taking medical device IoT security more seriously.

IoT Security Tips for Healthcare

The IoT threats detailed above were caused primarily through security issues. The issue? There were no security defenses put in place to protect against any sort of attack. This is a serious problem and though it will take further research to make IoT security air-tight, a few tips to help enhance healthcare security for IoT medical devices include:

  • Conducting a secure boot–A secure boot is making sure that when a device is turned on, none of its configurations have been modified. This step helps to ensure that no tampering took place while the device was not in use.
  • Utilizing encryption–As we saw with the Johnson & Johnson insulin pump, a lack of encryption left patients’ lives literally in the hands of hackers. Encryption is an essential step that makes it that much harder for cyber-criminals to attack.
  • Implement authentication for devices–If authentication is used, device access is limited and device-to-device communication undergoes intense scrutiny. This makes it more difficult for a security flaw to go unnoticed.
  • Educate patients and staff–Though it affects such a huge portion of our lives, 87% of people have not even heard the term ‘Internet of Things.’ Education is really the greatest tool we have in our arsenal, so it is important to inform patients and staff of the very real risks of IoT security.
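An added example (not from the original post, and not any vendor's protocol) of the authentication tip above: a remote tags each command with an HMAC-SHA256 that covers a counter, so the device rejects forged, altered and replayed frames. The frame layout, opcode and key are constructed assumptions; HMAC gives authenticity only, so the encryption tip would additionally need an authenticated cipher.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout, constructed for this example:
# 8-byte counter | 1-byte opcode | 2-byte value | 32-byte HMAC-SHA256 tag
HEADER = struct.Struct(">QBH")
TAG_LEN = hashlib.sha256().digest_size
OP_SET = 0x01  # hypothetical opcode


def build_command(key: bytes, counter: int, opcode: int, value: int) -> bytes:
    """Remote side: pack the command and append a tag over the whole header."""
    header = HEADER.pack(counter, opcode, value)
    return header + hmac.new(key, header, hashlib.sha256).digest()


class Receiver:
    """Device side: act only on frames that are authentic and fresh."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_counter = 0  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return (opcode, value) for a valid frame, otherwise None."""
        if len(frame) != HEADER.size + TAG_LEN:
            return None  # malformed or truncated
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self._key, header, hashlib.sha256).digest()
        # Verify the tag (constant-time compare) before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return None  # forged or altered in transit
        counter, opcode, value = HEADER.unpack(header)
        if counter <= self._last_counter:
            return None  # replay of an earlier, genuine frame
        self._last_counter = counter
        return opcode, value


def demo() -> dict:
    """Feed one receiver a genuine frame and several that must be rejected."""
    key = bytes(range(32))  # constructed demo key; use a per-pairing secret
    rx = Receiver(key)
    genuine = build_command(key, 1, OP_SET, 15)
    tampered = bytearray(build_command(key, 2, OP_SET, 15))
    tampered[10] ^= 0xFF  # flip the low byte of the value field
    return {
        "genuine": rx.accept(genuine),
        "replayed": rx.accept(genuine),
        "tampered": rx.accept(bytes(tampered)),
        "wrong_key": rx.accept(build_command(b"\x00" * 32, 3, OP_SET, 15)),
        "truncated": rx.accept(genuine[:-1]),
        "next": rx.accept(build_command(key, 2, OP_SET, 20)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} -> {outcome}")
```

Rejected frames do not advance the counter, so the legitimate remote's next command is still accepted after an attempted forgery.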

Security threats such as these make the Internet of Things seem like a terrible thing, but this advancement in technology is an excellent way to keep us all connected through items we would have never thought possible. Though this may be the case, it is important for these devices to be well-secured so that we can truly enjoy our connectivity.

Hailey R. Carlson | Axiom Cyber Solutions | 10/28/2016

Password Security: The Most Basic and Essential Cybersecurity Defense

National Cyber Security Awareness Month (NCSAM) is being recognized for the thirteenth year in a row this October, and with this anniversary comes the reminder that enhanced cybersecurity defenses are necessary for everyone from large, multinational corporations all the way down to families and individuals. The overall theme of the month is that cybersecurity is our shared responsibility, meaning that it is not just the duty of IT professionals or CEOs to be cyber aware, but it is all of our collective obligation to act as a cohesive unit in the fight against cyber crime.

Many people become overwhelmed with the amount of information they are supposed to remember surrounding cybersecurity–“don’t click on this type of link,” “watch out for this sign of malware,” and so many more–but these issues cannot even begin to be addressed until we refine the most basic and essential cybersecurity measure of them all: strong password security. 

At this point in our technological age, everyone is well aware of passwords being of significant importance when it comes to safety and security on the Internet; though most may agree with this sentiment in theory, many are not implementing this idea in practice, despite being well-aware of the consequences.

The Myspace data breach from earlier this year left 360 million accounts’ passwords exposed on the Internet. Despite this massive amount of personal information now out there in the open, many people did not feel the same way about this breach as they might a breach of another website, primarily due to the fact that they had not visited the site since the prominence of Facebook and Twitter came about. Though many people may not have accessed that site in quite some time, some still use their Myspace password or one similar to it as passwords for other websites. Consequently, these dormant accounts with poorly secured passwords have left people vulnerable to a plethora of other attacks. Password security is an area of cybersecurity that needs to be taken much more seriously in order to avoid these types of threats.

Secure Password Tips

The average person today has a whopping 22 passwords just for their professional data, and that does not even include their personal information like social media and private email accounts. ‘Password hygiene’ is the active implementation of password security best practices, and some tips to keep your password hygiene squeaky clean include:

  • Do not use the same password for different accounts–Three-quarters of consumers use ‘repeat passwords’ across multiple platforms. When they do this, if one account is compromised, they leave all other accounts protected by the same password exposed to further attack.
  • Change your passwords often–By leaving passwords stagnant rather than changing them regularly, you make it that much easier for hackers and other cyber criminals to guess your password and gain access to your personal information. Forty-seven percent of people are securing their financial accounts online with passwords that have not been changed in five years, and this is extremely dangerous. In addition to changing your own passwords often for both professional and personal accounts, it is important for employers to avoid using default passwords when setting up accounts for new employees. Default passwords give criminals an open, unsecured door into your entire enterprise.
  • Never give out your password to anyone–When you share your password with even one other person, you are exposing your accounts that much further to cyber criminals. By being solely responsible for your own data, you can contribute to the NCSAM philosophy of security being our shared responsibility by being personally accountable for your own data.
  • Do not use easy to guess words or phrases in your password–Though you may sincerely love your dog or favorite band, it is important to be aware of what information people know about you that they can use to guess your password. Though you should not blatantly use ‘dictionary words,’ this idea can be a good jumping off point for coming up with more complex passwords. One way to do this is by being liberal about character substitutions, such as replacing “o” with “0,” “e” with “3,” or “i” with “!.”
  • When possible, utilize sites’ multi-factor authentication–Most websites now use two-factor authentication where there is not only a password used to protect your account, but also a one time code you enter in to verify your identity. This simple step takes a few minutes at most and can make a huge difference in your personal cybersecurity defense.
  • Use a password manager to make remembering passwords simple–A big complaint by most of us is that there are just so many passwords to remember across the different areas of our lives, and it can be very difficult to remember all of these when they are also meant to be intricate and hard for hackers to guess. One way to ease this burden is by utilizing a password manager. A password manager is generally a free database that you can download to your computer (often coupled with a smartphone application option) where you can store all of your passwords. When this is used, you only have to remember one complex password rather than your entire catalog of password information.

One of the biggest fallacies people believe surrounding cyber crime is “It won’t happen to me,” when in reality, it is likely that this will not be the case. A major philosophy of many cyber experts is that it is not a matter of if we will all be attacked online, but when. While this is a rather daunting thought, there are ways which we can lessen these chances, the most basic of which being securing our passwords. By coming together and taking this small step, we can be more accountable for our presence online as a whole, sharing the struggle of cybersecurity as our shared responsibility.

Hailey R. Carlson | Axiom Cyber Solutions | 10/21/2016

Cybersecurity Fatigue: Overwhelmed by Online Security Issues

No matter what side of the political fence you fall on, you are probably exhausted by now with the constant 24-hour a day news cycle bombarding us all with ads for politicians on both the local and national scale. While this is a fairly common occurrence, as we experience this feeling every few years, many people are feeling a similar weariness which has not been seen before when it comes to cybersecurity.

A new study published by the National Institute of Standards and Technology in partnership with the Institute of Electrical and Electronics Engineers has found that over 94% of people between the ages of 20 and 60 years old feel “overwhelmed and bombarded, and tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.” This exhaustion leads to many people flat out ignoring security warnings, while others tend to grow worn out by security updates and the ever-expanding grocery list of passwords which they must remember. These experiences of high levels of fatigue, coupled with many of the respondents’ claims of not knowing anyone who has been attacked and being skeptical of an attack on themselves as well, lead to people throwing security and safety measures out the window, putting themselves and the companies they work for in danger of attack.

What websites can do to ease security fatigue

While many times it is recommended that users do something to combat security issues and cyber-crimes, this is exactly what is leading to their fatigue. Because of this, the study says websites and online services need to do a better job of coordinating how they approach security to lighten the load on users. A few ways which they can achieve this are by:

  1. Limiting the number of security decisions users need to make
  2. Making it simple for users to choose the right security action
  3. Designing for consistent decision making whenever possible

These are some of the best ways we can combat security fatigue at the source, but one of the biggest issues raised from the study not resolved by these steps is that of password security.

Password security fatigue, solved

Many people in the study claimed that not only was having to have different, intricate, and long passwords for each site stressful, but trying to remember them all actually made them simply resort to the poor practice of using the same one for all sites. The average number of passwords per person today is 22 compared to just one not that many years ago, so it is easy to see how people can get overwhelmed when it comes to password security. The study says, however, that you are not supposed to remember all of your passwords; rather, you should use a computer password manager which can store everything for you and even generate new, complex passwords, saving you even more time. With this, you only need to remember one password and then you have access to all others. KeePass is just one of the many password managers out there that is free, easy-to-install, and gets the job done. By simplifying password security, we can ease the stress put on ourselves by security fatigue.

What companies can do to ease security fatigue

In addition to websites and users, companies have a significant role when it comes to easing user security fatigue. There will continuously be a new variant of ransomware, a more intricate phishing scam, or some other threat posed to companies and their employees. With all of these threats imposing themselves on employees constantly, companies need to have clear, specific guidelines to show users what to do in the event they become exhausted by implementing cybersecurity best practices. By clearly going over what to do in various situations with set ‘plans of attack’, companies can prepare their employees by instilling good cybersecurity habits in them. “If safe behavior becomes habitual, then when we feel swamped by the craziness of the online world we will at least fall back into habits that have been designed to protect us, rather than put us at greater risk,” says the report’s co-author Mary Theofanos.

Security fatigue in America is a real thing and it is a major threat to the future of cybersecurity. By websites, companies, and users coming together to try and ease this process, hopefully, we can make the online world a little more safe and a little less overwhelming.

Hailey R. Carlson | Axiom Cyber Solutions | 10/14/2016

National Cyber Security Awareness Month: Our Shared Responsibility

From data breaches affecting multi-million dollar corporations to ransomware targeted at the health-care industry to the real-life repercussions of insulin pump hacking, cybersecurity threats are everywhere. Emphasized by both the current President and both major political party nominees as well as the director of the FBI, it is apparent that cybersecurity is a serious concern for the nation.

Because of these impending threats, it is important for awareness of cybersecurity to be a nationwide occurrence. This October marks the thirteenth year of celebrating National Cyber Security Awareness Month (NCSAM). Created by the National Cyber Security Alliance (NCSA) in collaboration with the Department of Homeland Security’s National Cyber Security Division (NCSD), the observance of this month has grown both in popularity and in importance.

In addition to being the thirteenth year of the month’s observance, it is also the sixth year of the STOP. THINK. CONNECT. campaign. This campaign is a movement to promote simple cyber-awareness for all individuals which they can use every single time they access the Internet. The steps are quite clear:

  • STOP: make sure security measures are in place.
  • THINK: about the consequences of your actions and behaviors online.
  • CONNECT: and enjoy the Internet.

The STOP. THINK. CONNECT. campaign is the focus for the first week of National Cyber Security Awareness Month, with the subsequent weeks’ topics including harboring a cybersecurity culture in the workplace, recognizing and combating threats, examining the future of tech and IT security, as well as emphasizing the importance of critical infrastructure. While it is important for individuals to be cyber-aware, it is equally if not more important for businesses to know their risks as well.

All Businesses Need Cybersecurity

Different things come to people’s minds when they think about cybersecurity in relation to business. For some, they think of the statistics surrounding small-to-medium-sized businesses such as how 71% of cyber attacks target SMBs. For others, the data breaches of major corporations such as Target and Sony come to mind. In reality, all of these entities have a dire need for cybersecurity. There is no silver bullet when it comes to securing cyber defenses, however, so it is important for companies of all sizes to put in place multiple layers of protection against threats. Some key precautions that need to be implemented regardless of size or industry of a business include:

  1. Anti-virus Protection—Utilizing an anti-virus software is one of the most basic ways to protect a company’s computers and system. A strong anti-virus software is necessary in order to detect and remove viruses before they harm your system.
  2. Firewall Implementation—Use of a firewall helps secure your network from cyber attacks by preventing them from accessing your system in the first place. Though there are both software and hardware options when it comes to firewalls, for businesses, it is recommended that hardware firewalls, especially Next-Generation Firewalls, be used since these protect whole systems compared to their software cousins that only protect the individual computer on which they are installed.
  3. Network Monitoring—Network monitoring, be it performed internally or provided externally through a cybersecurity partner, is a crucial aspect of cybersecurity defense. This service notifies the network administrator of any oddities such as detected intrusions and overloaded servers, which can help them to fix these issues quickly. Simply setting up cybersecurity will not be enough; these defenses need to be monitored often so that a company knows where its weaknesses lie.
  4. Employee Education—While employees are often a company’s greatest asset, they can also be its greatest cybersecurity threat. Malicious actors do make up a large portion of the threat; however, a major, fixable component is a lack of employee knowledge. The easiest way to fix this is to have company-wide training on various cyber-threats including phishing, which is able to trick nearly a third of employees, as well as ransomware threats. These two cybercrimes are the most egregious according to the FBI and are increasingly becoming their focus in the fight against cybercriminals, so it is especially important to educate employees in these areas. By educating employees, a company can both strengthen its cybersecurity defenses and empower its employees to be more accountable for their behavior online.

Our Shared Responsibility

The major theme with National Cyber Security Awareness Month is the idea of a collective accountability when it comes to cybersecurity defenses. We are all connected through the Internet, and because of this, the NCSA emphasizes that it is our shared responsibility to protect this shared resource. This sentiment cannot be better summarized than by the following quote,

No individual, business or government entity is solely responsible for securing the Internet. Everyone has a role in securing their part of cyberspace, including the devices and networks they use. Individual actions have a collective impact and when we use the Internet safely, we make it more secure for everyone. If each of us does our part—implementing stronger security practices, raising community awareness, educating young people or training employees—together we will be a digital society safer and more resistant from attacks and more resilient if an attack occurs.

If you would like to find out more about National Cyber Security Awareness Month, please visit https://staysafeonline.org/ncsam/ to learn more about how you can get involved. If you would like to enhance your own cybersecurity defenses, regardless of the size of your company, please contact Axiom Cyber Solutions to see how our managed cyber solutions can help you get and stay secure.

Hailey R. Carlson | Axiom Cyber Solutions | 10/07/2016
