White-Hat Hackers Are Already Being Caught in the Cryptocurrency Regulation Net

Cryptocurrencies have long been associated with cyber crime. The cryptocurrency Bitcoin was the de facto currency of the notorious online black market Silk Road, it remains the preferred payment method on the Dark Net, and the majority of ransomware attacks, including WannaCry, demand payment in Bitcoin. As if cryptocurrency didn’t have enough of a bad rep, shortly after the WannaCry attacks, reports emerged of a new type of cyber attack that may pose an even larger threat than WannaCry: cryptocurrency mining malware, which turns machines into “zombies” to mine a Bitcoin competitor called Monero. It’s no wonder that critics are clamoring for government cryptocurrency regulation.

Cryptocurrencies, in and of themselves, are not nefarious. Many perfectly legitimate businesses accept payment in Bitcoin, and large Wall Street investment firms are betting on a bright future for cryptocurrencies. However, outside the realm of tech enthusiasts, small-government advocates, and cyber security experts, cryptocurrencies are still widely misunderstood – and primarily associated with criminal activity. Ever since Silk Road was taken down, cryptocurrency critics, claiming that the digital currencies are fueling ransomware attacks and other cyber crime, have been calling for governments to implement cryptocurrency regulation, and these calls have grown louder since the WannaCry attacks.

Due to the very nature of cryptocurrencies – unlike fiat currencies, they are not issued or overseen by any central authority – attempts at cryptocurrency regulation have been slow and scattered. Unfortunately, it also appears that they may be harming the “good guys” more than the criminals, as reported in a recent story by CoinDesk. White-hat hacker Vinny Troia found his account on U.S. Bitcoin exchange Coinbase suspended after the exchange flagged his account for engaging in what they considered to be illegal activity, namely, paying ransomware demands and purchasing data from the Dark Net. Problem is, Troia was doing these things on behalf of his clients. Sometimes, Troia told CoinDesk, the best way to find out if a client’s information has truly been compromised, or to determine the scope of a hack, is to buy the data sets in question. Further, while it’s generally advised not to pay ransomware demands, some victims feel that paying up is their best bet; Hollywood Presbyterian Medical Center thought so.

Bitcoin Experts Blame Offshore Cryptocurrency Exchanges

Bitcoin experts and other cryptocurrency enthusiasts, alarmed by experiences like Troia’s and fearing Draconian cryptocurrency regulation, recently told a U.S. House subcommittee that the bulk of the problem lies with unregulated, offshore cryptocurrency exchanges, not those based in the U.S. and Europe, which must already comply with anti-money laundering and “know your customer” laws. However, these exchanges often strategically set up shop in countries where local governments are happy to look the other way and not cooperate with U.S. authorities in exchange for kickbacks.

Another issue hampering cryptocurrency regulation is the rise of next-generation cryptocurrencies such as Monero. While Bitcoin transactions are technically anonymous, the anonymity only stretches so far; all Bitcoin addresses and transactions are recorded on the cryptocurrency’s blockchain, allowing security experts and law enforcement to use blockchain analytics to tie addresses and transactions with users. Monero, on the other hand, uses ring signatures and stealth addresses to provide real, total anonymity.

Proactive Cyber Security Is Still Your Best Bet

Not everyone is against government cryptocurrency regulation. Morgan Stanley claims that government oversight is inevitable if Bitcoin wants to grow and truly go mainstream. But with technology advancing so quickly, the wheels of government moving slowly, and most politicians barely able (if at all) to grasp how the technology that powers cryptocurrencies works, cryptocurrency regulation faces an uphill battle, at best. Even if one technology were banned tomorrow, another one that gets around the new law would undoubtedly replace it. Governments need to tread lightly here, lest new regulations cause more problems than they solve.

Whatever the government decides to do with cryptocurrencies, the best way to cripple cyber crime is for organizations to engage in proactive cyber security practices that prevent hacks from happening in the first place.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Schedule some time with our Superheroes for a Free Assessment!

The Healthcare Industry Cybersecurity Task Force’s report on healthcare cyber security echoes a similar study on medical device security issued by Synopsys and the Ponemon Institute.

On the heels of a damning study by Synopsys and the Ponemon Institute, which provides a blow-by-blow accounting of the many problems with medical device security, a federal task force has finally released its report on the poor state of healthcare cyber security and how to fix it. The report, issued by the Health Care Industry Cybersecurity Task Force, was mandated by the Cybersecurity Act of 2015, identifies six “high-level imperatives” to improve healthcare cyber security in the U.S.:

1. Define and streamline leadership, governance, and expectations for healthcare cyber security.
2. Increase the security and resilience of medical devices and health IT.
3. Develop the workforce capacity necessary to prioritize and ensure healthcare cyber security awareness and technical capabilities.
4. Increase healthcare cyber security readiness through improved awareness and education.
5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, risks, and mitigations.

Medical Devices, Legacy Systems Pressing Issues for Healthcare Cyber Security

The federal task force’s findings on medical device security echoed those of the Ponemon/Synopsys report, meaning that it is largely nonexistent: There are no standards, no testing procedures, and no accountability. The task force urges medical device manufacturers to improve manufacturing and development transparency; bake cyber security into the software development lifecycle when developing medical devices and EHRs (including issuing security patches throughout the product’s lifecycle); and collaborate with healthcare organizations to establish standards for device-device authentication.

Legacy systems also pose grave risks to healthcare cyber security. This was illustrated by the recent WannaCry ransomware attacks, which targeted machines using older versions of Windows and hit the U.K.’s National Health Service particularly hard, forcing facilities to cancel procedures and divert emergency patients. Among other proactive security measures, the task force instructs healthcare organizations to 1) inventory their data environments and document unsupported operating systems, devices, and EHR systems; 2) when possible, replace or upgrade systems with supported alternatives that have superior security controls; 3) in cases where equipment cannot be replaced, develop and document retirement timelines; and 4) leverage segmentation, isolation, hardening, and other compensating risk reduction strategies for the remainder of each piece of equipment’s lifecycle.

A Point Person and a Set of Standards Are Needed

Modern healthcare organizations operate in a complex data environment that involves not only the protection of patient records but also payment card data, tax data, and a multitude of devices used both to store information and treat patients. Meanwhile, healthcare organizations are subject to multiple security standards and frameworks, many of which contradict each other. Worse yet, in some areas, such as smart medical devices, there are no standards.

To address these issues, the task force recommends appointing a single person within the Department of Health and Human Services (HHS) to coordinate healthcare cyber security initiatives and liaise with other cyber security centers within the government, as well as a cybersecurity rapid response team whose job would be to respond to vulnerabilities in medical devices.

Further, the task force recommends utilizing the National Institute of Standards and Technology (NIST) Cybersecurity Framework to standardize risk assessment and definitions industry-wide. That said, the task force recognizes that the NIST framework is generic, and not all sections can be directly mapped to a healthcare environment; therefore, the task force recommends that NIST work with HHS to develop an application of the framework specific to healthcare cyber security environments.

The key takeaway from the taskforce report is that proactive cyber security, with risk assessments, testing, and robust compliance standards, will win the day.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

[bpscheduler_booking_form]

Four Important Lessons from the WannaCry Ransomware Attacks

The recent WannaCry ransomware attacks put cyber security on the front page of every newspaper in the world. Now, everyone knows what ransomware is and how destructive it can be, but will anything change? Following are four critical lessons that both organizations and individuals should take away from WannaCry.

No Organization is “Too Small” or “Unimportant” to Be Hacked

Too many businesses still think that only national or multinational firms, or companies in certain industries, have to worry about cyber security. However, hackers do not discriminate, and neither did the WannaCry ransomware. WannaCry, which took advantage of vulnerabilities in old, unsupported versions of Windows, sought out victims according to the operating systems they were running, not the size of their enterprises. While infections at large organizations like Renault, Telefonica, and the NHS grabbed the media’s attention, small businesses were hit as well. Often, small organizations are even more susceptible to hackers than multinationals because small firms are more likely to be running wildly outdated operating systems or have a “homemade” website that may or may not be secure.

Still not convinced that your small enterprise needs to take cyber security seriously? Consider the following: Over 40% of cyber attacks target small businesses, and the U.S. Securities and Exchange Commission reports that 60% of small firms will go out of business within six months of a data breach. There is no such thing as a business that hackers “don’t care about,” and the fallout from a hack can be catastrophic.

You Must Back Up Your Systems & Data

The best way to defend against an attack like the WannaCry ransomware is to take proactive steps to ensure it doesn’t happen in the first place. However, if an attack does occur – or if your computers are damaged in a fire or a natural disaster – a backup can mean the difference between reopening your doors immediately and your company being shuttered for days, weeks, even months. Because ransomware is often programmed to snake its way through an enterprise’s entire network, make sure that your backup drives are isolated from your main systems. Even better, partner with a secure cloud backup provider that is, at a minimum, compliant with AT-101 SOC 2.

Update, Update, Update

For all the havoc it wreaked on government entities and private-sector organizations, the WannaCry ransomware left nearly all home computers unscathed. This is because individuals, unlike organizations, are more likely to be running modern operating systems, and WannaCry took advantage of vulnerabilities in old versions of Windows, some of which Microsoft stopped supporting years ago. About 98% of victims were running Windows 7, which was first released in 2009. Yet none of these infections had to happen. Windows 7 is still being supported by Microsoft, and the company issued a patch for the OS in March. Apparently, though, a lot of users never downloaded it. In some cases, this may have been due to a mysterious flaw in Windows 7 that causes some machines to spontaneously stop auto-updating.

In today’s threat environment, clinging to antiquated operating systems and software is downright dangerous, as is not regularly updating modern systems. Software and OS updates often contain important security patches addressing new and emerging threats.

You’re Probably Better off Outsourcing Your Cyber Security

Cyber security moves at the speed of technology, and technology is advancing at the speed of light. New threats are emerging daily, and just keeping up with it all is a full-time job. Most businesses simply don’t have the in-house expertise, time, or budget to handle all of their cyber security needs in-house. Outsourcing your cyber security, risk management, and compliance to an experienced, reputable firm such as Continuum GRC is cheaper and far safer than attempting to protect your systems on your own.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

[bpscheduler_booking_form]