• Cyber-security
  • There’s a comprehensive cyber-security manual from KnowBe4

    Cyber-security firms regularly release short cyber-security white papers dealing with a single theme. Now, there’s an updated, big-scale, 221-page manual, and it’s free.

    Cyberheist 2018 from KnowBe4 extends across cyber-security’s wide range. Written by Stu Sjouwerman, Sunbelt Software co-founder and anti-spyware specialist, and a supporting team, Cyberheist’s 19 chapters provide Africa’s eHealth programmes with a comprehensive view of their cyber-security requirements. While there’s an emphasis on commercial and business activities, such as banking, retailer and ePayment scams, the cyber-security principles in these chapters are relevant for eHealth.

    Cyberheist deals with:

    - What drives cybercrime?
    - How and why scams survive, thrive, and succeed
    - Types and methods of attacks
    - Phishing explored and explained
    - Phishing variations: smishing and vishing
    - Targeted scams, including spear phishing and whaling
    - Understanding cyber-crime losses and exposure
    - Scary cyber-crime reports and statistics
    - Bank scams
    - Credit card and ePayment scams
    - Mortgage rescue scams
    - Automated clearing house scams
    - Retailer scams
    - Social networking scams
    - Safe computing fundamentals
    - Syncing security policies, user training and monitoring
    - Security technology to protect people and assets
    - Managing online banking security
    - Fostering cyber-security awareness.

    It has two main goals. One is to help organisations recognise the increasing danger that they, and individuals, face when they use the Internet. The other’s to enable organisations to take proactive measures to protect themselves from cyber-threats. After reading Cyberheist, organisations still need strategies and techniques for protection. These should be core to Africa’s eHealth strategies.

  • KnowBe4 updates its ransomware rescue manual

    Cyber-security companies have to keep up with cyber-criminals’ expanding ingenuity. KnowBe4, a cyber-security firm, does it to keep users up to speed. It’s overhauled its Ransomware Hostage Rescue Manual: What You Need to Know To Prepare and Recover from a Ransomware Attack, available from Health IT Security. It reflects the increasing professionalism of cyber-crime activity over the last five years or so. It deals with:

    What’s ransomware?
    - Ransomware
    - Bitcoin and cryptocurrency
    - Cryptomining
    - The Onion Router (TOR)

    Am I infected?
    - Symptoms
    - Infection vectors

    I’m infected, now what?
    - Disconnect!
    - Determine the scope
    - What strain of ransomware?
    - Evaluate your responses: restore, decrypt, do nothing, negotiate or pay the ransom
    - First response: restore from backup or shadow volume
    - Second response: try to decrypt
    - Third response: do nothing and lose files
    - Fourth response: negotiate or pay the ransom
    - Ransomware attack response checklist

    Protecting yourself in the future
    - Defence in depth
    - Security awareness training
    - Simulated attacks
    - Antivirus, antispam and firewalls
    - Backups

    Resources
    - Ransomware attack response checklist
    - Ransomware prevention checklist.

    KnowBe4’s checklist for dealing with a cyber-attack is extensive. It’s in two parts, actions and resources. The main headings are:

    STEP 1: disconnect everything

    STEP 2: determine the infection’s scope and check for signs of encryption

    STEP 3: determine the ransomware strain

    STEP 4: determine the response
    - Response 1: restore files from backup
    - Response 2: try to decrypt
    - Response 3: do nothing and lose files
    - Response 4: negotiate or pay the ransom

    STEP 5: protecting yourself in the future

    Resources
    - Users are the first line of defence
    - Software’s the second line
    - Backups are third
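    For STEP 2 of the checklist, determining the infection’s scope and checking for signs of encryption, the following is an added example of a triage script; it is not from KnowBe4’s manual. It walks a file tree and flags files whose contents look encrypted (near-random bytes, measured as Shannon entropy), skipping extensions that are high-entropy by design, plus filenames that resemble ransom notes, and then groups the hits by directory so responders can see which shares are affected. The entropy threshold, the note-name pattern and the sample tree it builds are assumptions.

```python
"""Ransomware scope triage over a file tree. Added example, not KnowBe4's code.
Thresholds, the note-name pattern and the constructed sample tree are assumptions."""
import math
import os
import re
import tempfile
from collections import Counter, defaultdict
from typing import Dict, Optional

# Extensions that are high-entropy by design (compressed or already encrypted);
# a high entropy reading alone is not evidence for these, so they are skipped.
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4",
                      ".pdf", ".docx", ".xlsx"}
# Generic ransom-note name pattern (assumption; not tied to any family).
RANSOM_NOTE_RE = re.compile(r"(decrypt|restore|recover|readme|how.?to)", re.IGNORECASE)
NOTE_EXTENSIONS = {".txt", ".html", ".hta", ""}
ENTROPY_THRESHOLD = 7.5     # bits per byte; random or encrypted data approaches 8.0
SAMPLE_BYTES = 65536        # only the head of each file is read
MIN_SAMPLE = 256            # too little data gives a meaningless entropy figure


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte in `data` (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> Optional[str]:
    """Reason the file looks affected, or None if nothing suspicious was seen."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if RANSOM_NOTE_RE.search(name) and ext in NOTE_EXTENSIONS:
        return "ransom-note-like filename"
    if ext in KNOWN_HIGH_ENTROPY:
        return None
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) >= MIN_SAMPLE:
        ent = shannon_entropy(head)
        if ent >= ENTROPY_THRESHOLD:
            return f"high entropy ({ent:.2f} bits/byte)"
    return None


def assess_scope(root: str) -> Dict:
    """Walk `root`; return suspect files with reasons and a per-directory hit count."""
    suspects: Dict[str, str] = {}
    by_dir: Dict[str, int] = defaultdict(int)
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            total += 1
            full = os.path.join(dirpath, fn)
            reason = classify_file(full)
            if reason:
                suspects[os.path.relpath(full, root)] = reason
                by_dir[os.path.relpath(dirpath, root)] += 1
    return {"total_files": total, "suspects": suspects, "affected_dirs": dict(by_dir)}


def build_sample_tree() -> str:
    """Constructed sample: a clean 'finance' share and an 'hr' share with three
    encrypted-looking files (random bytes standing in for ciphertext) and a note."""
    root = tempfile.mkdtemp(prefix="ransom_scope_")
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "finance", "budget.csv"), "w") as fh:
        fh.write("month,amount\n")
        for m in range(1, 13):
            fh.write(f"2018-{m:02d},{m * 1000}\n")
    for i in range(3):
        with open(os.path.join(root, "hr", f"record{i}.docx.locked"), "wb") as fh:
            fh.write(os.urandom(4096))
    with open(os.path.join(root, "hr", "HOW_TO_RESTORE_FILES.txt"), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    with open(os.path.join(root, "hr", "handbook.txt"), "w") as fh:
        fh.write("Employee handbook. " * 100)
    return root


if __name__ == "__main__":
    report = assess_scope(build_sample_tree())
    print(f"{len(report['suspects'])} of {report['total_files']} files look affected")
    for d, n in sorted(report["affected_dirs"].items()):
        print(f"  {d}: {n} suspect file(s)")
    for path, reason in sorted(report["suspects"].items()):
        print(f"    {path}: {reason}")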


    For cryptomining attacks:
    - Train users to avoid downloading it or exploit kits in the first place
    - Identify a baseline performance metric for computers and servers, and monitor and alert on excessive utilisation
    - Instruct users to report significant system slowdowns or strange behaviour
    - Ensure endpoint protection’s updated frequently
    - Configure web filtering to update frequently and block outgoing firewall traffic to suspicious IP addresses and Command and Control (C2) networks.

    With users as the first line of defence, effective cyber-security training’s essential. It’s been said before, so sustained user awareness and training should already be in place. Is it?

  • What GDPR means for African countries

    If you struggled to access your favourite news site this morning, due to pop-ups insisting that you refresh your privacy settings, you are not alone. And the site is invariably based in the European Union (EU), or doing business with individuals in the EU.

    Today is GDPR Day. The General Data Protection Regulation (GDPR) is a regulation created in EU law to protect the privacy of individuals’ data. It applies to data of all individuals in the EU, whether that data is used within the EU, or anywhere else in the world. It comes into force today, May 25 2018.

    GDPR brings in sweeping changes to how businesses and public sector organisations can handle information. Under the new rules, permission is required before any personal data can be used and how long it is kept is now closely controlled. Anyone can ask a company to delete their personal information too. Read the statement from the European Commission and its links to resources.

    “Personal data is the gold of the 21st century. And we leave our data basically at every step we take, especially in the digital world. When it comes to personal data today, people are naked in an aquarium,” said Vera Jourová, Commissioner for Justice, Consumers and Gender Equality.

    The GDPR sets out key principles:

    - Lawfulness, fairness and transparency
    - Purpose limitation
    - Data minimisation
    - Accuracy
    - Storage limitation
    - Integrity and confidentiality (security)
    - Accountability

    The accountability principle requires those who use data to take responsibility for complying with the principles, and to have appropriate processes and records in place to demonstrate that compliance, including appropriate technical and organisational measures to ensure accountability. Regular testing and reviews are required to make certain that the measures remain effective, or to guide remedial action if required.

    These principles form the building blocks of the legislation. Compliance with the spirit of the principles is regarded as critical for good data protection practice. Even though the principles don’t include fixed rules, penalties for ignoring them are substantial. Failure to comply with the basic principles is subject to fines of up to €20 million, or 4% of total worldwide annual turnover, whichever is higher.

    Individuals have:
    - The right to be informed
    - The right of access
    - The right to rectification
    - The right to erasure
    - The right to restrict processing
    - The right to data portability
    - The right to object
    - Rights in relation to automated decision making and profiling.

    The GDPR introduces a duty on all organisations to report certain types of personal data breach within 72 hours of becoming aware of the breach, and if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, companies must also inform those individuals without undue delay. This requires that robust breach detection, investigation and internal reporting procedures are in place to facilitate detection and decision-making.

    Closed-Circuit Television (CCTV) falls under the GDPR too.

    The UK Information Commissioner’s Office has extensive guidance. Many companies, such as IBM and Oracle, offer guidance too.

    While the GDPR does not apply to African countries directly, many African businesses will already be affected, due to their business relationships with the EU or its people. Whether you're affected yet or not, GDPR provides a best-practice model for incorporating into business practices and regulatory strengthening.

    African countries' regulatory strengthening is well underway. South Africa's Protection of Personal Information "POPI" Act is one example and provides many components of the GDPR.

    First steps towards compliance could be to:
    - Brush up your cyber-security policy, and
    - Implement a privacy management framework to help embed accountability measures and create a culture of privacy across your organisation.

    The Commission’s seven steps for businesses provide pointers too. They are:
    - Check the personal data you review and process, the purpose for which you do it, and on what legal basis
    - Inform your customers, employees and other individuals when you collect their personal data
    - Keep the personal data for only as long as necessary
    - Secure the personal data you are processing
    - Keep documentation on your data processing activities
    - Make sure your sub-contractors follow the same rules
    - Consider additional provisions, such as:
      - Organisations might have to appoint a Data Protection Officer, particularly if processing of personal data is a core part of your business
      - A Data Protection Impact Assessment: such an impact assessment is reserved for those that pose more risk to personal data, for instance because they do large-scale monitoring of a publicly accessible area, including video-surveillance.

    In the meantime, dealing with your privacy preference update requests will ensure that data protection remains in the forefront of your mind, at least for today. Happy GDPR Day.

    -------------------------

    Image from this tweet by @EU_Commission

  • AI is also attractive for cyber-criminals

    As healthcare increases investment in eHealth projects and services, there should be synchronous investment in security measures. In 2017, 25% of all data breaches were related to the healthcare industry. This is because cyber-criminals have been working to make their attacks more advanced to easily target connected devices, cloud, and multi-cloud environments. These advanced cyber-attacks are even able to evade detection by most legacy security solutions in place.

    Advancements are aided by adopting AI and machine learning to carry out complex attacks at a rapid pace. Botnets such as Reaper have been made more sophisticated, enabling them to target multiple vulnerabilities at once. Other techniques, such as polymorphic malware, allow hundreds of variations of a threat to be created for different purposes in a matter of hours.

    To address these challenges, Fortinet has recently released a few product enhancements that will tip the scales back in favour of the healthcare industry:

    - FortiOS 6.0 provides an integrated security architecture that spans the distributed network
    - FortiGuard AI is an AI solution that is able to address automated attacks
    - Threat Intelligence Services (TIS) provides visibility into network activity and metrics to give healthcare security teams an understanding of their threat landscape

    It has become inexpensive for criminals to mount attacks on healthcare data, but increasingly expensive for their targets. One key to the healthcare security transformation is flipping this paradigm.

  • AlienVault insider’s guide to cyber-security incident response can help

    Preventing cyber-security breaches is a top priority. On its own, it’s not enough. Cyber-criminals are at least one step ahead, so sound preparation for incident response is vital. A book from AlienVault can help. It's an Insider’s Guide to Incident Response in one eBook!

    It provides a detailed insight into the fundamental strategies of efficient and effective incident response that security teams need. The goal should be to do more with less to deal with the rapidly changing cyber-threats. The guide deals with:

    - Arming and aiming an incident response team
    - Incident response processes and procedures
    - Types of cyber-security incidents
    - Incident response tools
    - Incident response training

    Combating cyber-threats needs teams with a strong mental constitution. Techniques are needed too. The guide sets out how to build an incident response plan and develop a team that has the right tools and training.

    The Observe, Orient, Decide and Act (OODA) loop is the core methodology. It’s a cycle developed by military strategist and United States Air Force Colonel John Boyd, who used it to prepare for combat operations. It’s now applied to understanding commercial activities.

    Benjamin Franklin, the 18th century polymath, promoted the original concept: “By failing to prepare, you are preparing to fail.” It applies to eHealth too.

  • Cyber-security projects reveal priorities

    As cyber-security activities step up, Barkly shows how their priorities can indicate strategies that organisations can adopt. 

    Its report identifies twelve cyber-security investments in relative priority order. They’re:

    1. Endpoint security using advanced malware protection and prevention, the top priority
    2. Access and authorisation
    3. Endpoint protection using response and threat hunting
    4. Cyber-security intelligence
    5. Data protection using encryption
    6. Application security
    7. Network traffic visibility
    8. Wireless security
    9. Incident response tools
    10. Bring Your Own Device (BYOD) security
    11. Embedded security in IoT
    12. Distributed Denial of Service (DDoS) protection, the lowest priority.

    Alongside these initiatives, cyber-security teams are researching and evaluating cyber-security tools. It’s an activity that needs considerable cyber-security skills and resources. For Africa’s eHealth, it means two initiatives are needed: one to recruit, train and retain experts, and another to provide the additional resources they need to fulfil their role.

  • Healthcare enters the blockchain ecosystem

    Over the last few years, healthcare has seen a record number of security breaches involving healthcare data. This has prompted several start-ups to realise the work that needs to be done on the cyber-security front to make healthcare data secure. Blockchain offers one potential solution to this challenge. Other solutions offered by blockchain include interoperability and the ability to connect data silos for more seamless systems and improved patient safety.

    SimplyVital Health is one of those start-ups experimenting with blockchain technology to give the healthcare industry a facelift. The company has developed a decentralised open-source protocol that will enable frictionless sharing of healthcare data. Its Health Nexus is a public-permissioned blockchain. It provides a platform to build advanced healthcare applications while maintaining the privacy and security required in the healthcare industry.

    The developer tools on the Health Nexus are open source and available for free. Members are able to build and deploy distributed apps utilising the blockchain protocol for transactions, identity and smart contracts, and a distributed hash table (DHT) for data storage, managed by a governance system. This will allow developers to create valuable solutions for pharmacies, healthcare providers, insurers, clinical researchers or patients.

    Blockchain is certainly paving opportunities for new business models in healthcare. The trajectory it will follow in the coming years, however, is an unmapped terrain waiting to be explored. The road ahead for blockchain and healthcare will also require substantial intra-industry cooperation as well as dialogues between the public and private sectors regarding standards and regulatory frameworks.

     

  • Cisco’s umbrella can help deal with cyber-attacks

    Simple, open, automated and effective: these are the four cornerstones of Cisco Umbrella set out in its solution brief. Cisco sees its value in dealing with the complexity, range and reach of eHealth services. It’s continuously expanding, along with its cyber-security requirements and gaps. Available from Health IT Security, the brief sets out its functions as:

    - Covering gaps without any hardware to install or software to manually update
    - Protecting any device and every port without configuration changes or latency
    - Extending existing protection and incident response data through integrations
    - Protecting all devices, locations, and users on and off networks
    - Predicting threats before they happen by learning where attacks are staged
    - Blocking malicious domains and IPs before connections are established
    - Stopping threats before they reach networks and endpoints
    - Identifying infected devices faster and preventing data exfiltration.

    Cisco recognises that cyber-security isn’t an absolute, 100% state. Its goals are to maximise prevention and achieve early, effective responses to cyber-attacks. This is realistic, and offers an option for Africa’s eHealth.

  • Some employees can be a cyber-security threat

    Uncomfortable as it may be, Imperva says employees are the greatest cyber-security risk. They may be careless, become compromised or have malicious intent, and their trusted access to data can expose organisations. 

    An Imperva blog proposes the action needed to minimise the risk. Its 7 Steps to Protect Your Data From Insider Threats are:

    - Discover and classify sensitive data
    - Monitor all user access to data
    - Define and enforce organisational policies
    - Leverage advances in artificial intelligence to detect unknown threats
    - Use interactive analytics tools to investigate security incidents
    - Quarantine risky users
    - Generate reports to document security events.

    These aren’t proposed as absolute solutions. Imperva offers them as a guide to help detect and contain insider threats. Perhaps the most modern feature’s using machine learning to uncover unknown threats. It can sift through massive amounts of detailed data access logs so security teams can establish behavioural baselines of users’ access to data and rapidly identify changes, including inappropriate or abusive data access. Drilling down’s more manageable.
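    Both the utilisation baseline recommended above for cryptomining (KnowBe4’s checklist) and the behavioural baseline of users’ data access described here come down to the same detection logic: learn what is normal for each entity, then alert when an observation deviates from it. The following added example is not Imperva’s or KnowBe4’s code. It applies one deviation test to two constructed data sets: rows accessed per user per day, parsed from access-log lines, and daily CPU utilisation per host. The log format, the thresholds (k = 3 standard deviations, at least five baseline days) and all sample values are assumptions.

```python
"""Behavioural baselining over constructed data. Added example; not Imperva's or
KnowBe4's code. Log format, field names, thresholds and sample values are assumptions."""
import math
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed access-log format: "<ISO timestamp> user=<u> action=<a> table=<t> rows=<n>"
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=\S+ table=\S+ rows=(?P<rows>\d+)$"
)

# Constructed log lines: six normal days per user, then 2018-05-25 as the day under review.
ACCESS_LOG = """\
2018-05-19T09:12:01 user=alice action=read table=patients rows=60
2018-05-19T14:02:10 user=alice action=read table=patients rows=40
2018-05-20T09:05:44 user=alice action=read table=patients rows=110
2018-05-21T10:11:09 user=alice action=read table=patients rows=120
2018-05-22T08:59:31 user=alice action=read table=patients rows=130
2018-05-23T11:20:00 user=alice action=read table=patients rows=105
2018-05-24T09:47:15 user=alice action=read table=patients rows=115
2018-05-25T02:13:58 user=alice action=export table=patients rows=5000
2018-05-19T09:00:00 user=bob action=read table=claims rows=50
2018-05-20T09:00:00 user=bob action=read table=claims rows=48
2018-05-21T09:00:00 user=bob action=read table=claims rows=52
2018-05-22T09:00:00 user=bob action=read table=claims rows=51
2018-05-23T09:00:00 user=bob action=read table=claims rows=49
2018-05-24T09:00:00 user=bob action=read table=claims rows=50
2018-05-25T09:00:00 user=bob action=read table=claims rows=52
2018-05-23T10:00:00 user=carol action=read table=claims rows=30
2018-05-24T10:00:00 user=carol action=read table=claims rows=35
2018-05-25T10:00:00 user=carol action=export table=claims rows=9000
this line is malformed and must be skipped by the parser
""".splitlines()

BASELINE_DAYS = {f"2018-05-{d:02d}" for d in range(19, 25)}   # 19..24 inclusive

# Constructed daily CPU utilisation (%) per host: (baseline week, today's value).
HOST_CPU = {
    "web01": ([12, 15, 11, 14, 13, 12, 16], 95),
    "db01": ([60, 62, 61, 59, 63, 60, 58], 64),
}


def parse_access_log(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Sum rows accessed per user per day: {user: {day: rows}}. Malformed lines are skipped."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            totals[m["user"]][m["day"]] += int(m["rows"])
    return {u: dict(d) for u, d in totals.items()}


def deviation(history: List[float], observed: float, k: float = 3.0,
              min_history: int = 5) -> Tuple[bool, float]:
    """Return (flagged, z). Flag when `observed` exceeds the baseline mean by more than
    k population standard deviations. Too short a history yields no verdict rather than
    a noisy one; a zero-variance history flags any increase (z reported as infinity)."""
    if len(history) < min_history:
        return False, 0.0
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    if sd == 0.0:
        return observed > mean, (math.inf if observed > mean else 0.0)
    z = (observed - mean) / sd
    return z > k, z


def user_alerts(per_user_day: Dict[str, Dict[str, int]], baseline_days, k: float = 3.0):
    """Score every non-baseline day of each user against that user's own baseline."""
    alerts = []
    for user, days in per_user_day.items():
        history = [rows for day, rows in days.items() if day in baseline_days]
        for day in sorted(d for d in days if d not in baseline_days):
            flagged, z = deviation(history, days[day], k)
            if flagged:
                alerts.append((user, day, days[day], round(z, 1)))
    return alerts


def host_alerts(host_cpu, k: float = 3.0) -> List[str]:
    """Hosts whose current utilisation sits far above their own baseline week."""
    return sorted(h for h, (hist, now) in host_cpu.items() if deviation(hist, now, k)[0])


if __name__ == "__main__":
    for user, day, rows, z in user_alerts(parse_access_log(ACCESS_LOG), BASELINE_DAYS):
        print(f"ALERT user={user} day={day} rows={rows} z={z}")
    print("hosts over baseline:", host_alerts(HOST_CPU))
```

    In the sample, alice’s 5,000-row export and web01’s jump to 95% are flagged, bob and db01 stay inside their own variance, and carol, with only two baseline days, is deliberately left unscored rather than flagged on a two-point baseline; that is the case an analyst, not the rule, should look at.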

    The seven steps provide a framework for Africa’s eHealth cyber-security. Applying them needs resources, especially skilled people to manage and operate the process.

  • India’s patient and personal information data's been hacked

    Wide-ranging, Interoperable (IOp) eHealth depends on effective, secure Unique Patient Identifiers (UPI). India’s extending Aadhaar, its national identity number, as the UPI for healthcare. The Tribune has a report saying it’s been hacked. Its report, Rs 500, 10 minutes, and you have access to billion Aadhaar details, refers to the November claim by the Unique Identification Authority of India (UIDAI), responsible for Aadhaar, that Aadhaar data for over a billion people is fully safe and secure and that there has been no data leak or breach.

    A Tribune employee paid Rs500, about US$8, for a service offered by anonymous sellers that provides unrestricted access to details for Aadhaar numbers. Contact was made over WhatsApp, and took ten minutes to complete. The data provided included a login ID and password giving access to any Aadhaar number in the portal and to the data that individuals have submitted, including name, address, postal code, photo, phone number and email address. Another Rs300, almost US$5, bought software that can facilitate Aadhaar card printing by entering the Aadhaar number of any individual.

    The Tribune says UIDAI officials in Chandigarh were shocked at the revelations. It’s classified as a major national security breach. It seems the breach began some six months ago, when anonymous groups were created on WhatsApp. They targeted over three unemployed Village-Level Enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS).

    CSCS operators produced Aadhaar cards. They lost their jobs when the service was restricted to post offices and designated banks to avoid security breaches. Initial illegal Aadhaar access was used to print and sell Aadhaar cards to low income villagers. Cyber-criminals have expanded the service.

    There are several lessons for Africa’s planned UPIs. Cyber-security should never be seen as safe. It requires constant vigilance. Changes in personnel and providers always need corresponding changes in access rights and monitoring. These should be part of a rigorous cyber-security strategy.
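    One concrete form of the last lesson, that personnel changes need matching changes in access rights, is a periodic reconciliation of portal accounts against the current roster of operators. The following added example is not UIDAI’s, the Tribune’s or any real CSCS system’s code. It flags accounts that are still enabled after the holder’s engagement ended, logins recorded after that end date (evidence of use, not just exposure), and accounts with no matching person at all. The record layout and the sample roster and account list are constructed.

```python
"""Access-rights reconciliation after personnel changes. Added example, not any
real system's code; the record layout and sample data are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    end_date: Optional[date]        # None while the engagement is current


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]        # None when provisioning left no owner on record
    enabled: bool
    last_login: Optional[date]


def review_access(people: List[Person], accounts: List[Account],
                  as_of: date) -> Dict[str, List[str]]:
    """Cross-check portal accounts against the personnel roster as of `as_of`.

    orphan:              account with no matching person on the roster
    enabled_after_exit:  owner's engagement has ended but the account is still enabled
    login_after_exit:    a login recorded after the owner's end date
    """
    roster = {p.person_id: p for p in people}
    findings: Dict[str, List[str]] = {"orphan": [], "enabled_after_exit": [], "login_after_exit": []}
    for acct in sorted(accounts, key=lambda a: a.username):
        owner = roster.get(acct.person_id) if acct.person_id else None
        if owner is None:
            findings["orphan"].append(acct.username)
            continue
        if owner.end_date is None or owner.end_date > as_of:
            continue                                   # still engaged: nothing to reconcile
        if acct.enabled:
            findings["enabled_after_exit"].append(acct.username)
        if acct.last_login and acct.last_login > owner.end_date:
            findings["login_after_exit"].append(acct.username)
    return findings


# Constructed roster: two operators whose contracts ended when card printing moved away.
PEOPLE = [
    Person("P001", "operator one", end_date=date(2017, 6, 30)),
    Person("P002", "operator two", end_date=date(2017, 6, 30)),
    Person("P003", "operator three", end_date=None),
    Person("P004", "operator four", end_date=date(2018, 12, 31)),   # ends after the review date
]

# Constructed account list from a hypothetical enrolment portal.
ACCOUNTS = [
    Account("op1", "P001", enabled=True, last_login=date(2017, 12, 20)),   # still enabled, used after exit
    Account("op2", "P002", enabled=False, last_login=date(2017, 6, 12)),   # correctly disabled
    Account("op3", "P003", enabled=True, last_login=date(2018, 1, 3)),     # current staff
    Account("op4", "P004", enabled=True, last_login=date(2018, 1, 2)),     # contract still running
    Account("svc-print", None, enabled=True, last_login=None),             # nobody owns it
]

REVIEW_DATE = date(2018, 1, 4)   # constructed review date


if __name__ == "__main__":
    for category, names in review_access(PEOPLE, ACCOUNTS, as_of=REVIEW_DATE).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

    Running the review on a schedule, and again whenever a provider contract changes, turns the lesson into a check with a definite output: op1 appears under both exit findings, svc-print has no owner to answer for it, and op2 shows what a correctly handled leaver looks like.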