Identity security

3 reasons to invest in digital identity security

Our world is increasingly digitized and in many areas only takes place online. This also increasingly applies to our everyday working lives; companies are networked in the cloud thanks to communication and collaboration tools. Our systems such as CRM or ERP have also been outsourced to the cloud for better data availability. At the same time, questions are now increasingly being asked about the best possible protection for this outsourced infrastructure. It has become clear that VPN and virus protection alone are no longer sufficient to reliably protect your company’s IT from unauthorized access.

For this reason, you should definitely consider—if you haven’t already done so—meaningful identity management and deeper protection of your employee identities. This includes the question of how your employees identify themselves digitally, so that they can protect themselves from misuse of their own identity and its consequences. We’ve rounded up 3 key reasons why you should invest in digital identity security in your organization now, at the latest.

Secure tomorrow’s workplace today

The future is digital—that also means remote! True, remote work existed before 2020. But 2020 was a booster for faster digitization in office applications. “Digital-only” therefore already applies to collaboration and communication. Despite the misgivings of many companies, employees have coped surprisingly well with this. They have quickly learned to adapt to these new ways of working and reap the benefits for themselves. But this is only part of the story. Although the introduction of communication and collaboration tools has been well received, network security and, in particular, the safeguarding of employee identities have often been neglected. The priority was to get operationally up and running quickly; thinking about IT security was a second step, if it was thought about at all.

Yet the shift of (working) life to the digital world has created the perfect conditions for cybercrime. Phishing and social engineering attacks on companies have increased as a result of the crisis. By introducing a second factor to secure applications, companies prevent identity misuse. After all, only those who can identify themselves twice—with a 2nd factor known only to them—will ultimately gain access to a file or system. Sensible and restrained access management also ensures that only those employees who really need access to sensitive areas of your corporate IT have it.

Improved usability increases employee satisfaction

Today, we expect a high level of usability and a consistent user experience from our applications, no longer just in our private lives but also in the applications we use at work. Passwordless login increases the productivity and acceptance of your employees: they don’t have to remember a multitude of complex passwords and can log on to their PC and applications with a single click. The combination of a multifactor authentication solution with single sign-on functionality allows fast, convenient, and uninterrupted switching between different applications, without compromising on security.

Simplify your compliance processes

Centralized management of user identities and simplified login via single sign-on increase the productivity and effectiveness of your employees in the long term. Lengthy processes for (repeated) logins to individual applications and mandatory password changes in fixed cycles are eliminated. Life is also easier for your administrators, who can dispense with complex password policies and the need to enforce them. With MFA, even a simple, insecure password becomes part of a login that meets the highest security requirements.

At the same time, with a sensible Identity and Access Management and a secure multifactor authentication method, you introduce an important milestone to protect your corporate compliance. After all, the theft of (employee) identities poses a profound threat to your company; the compromise of your IT landscape and the possible associated data loss can be followed by data protection lawsuits and corporate compliance investigations. These are often more expensive than the actual damage caused by lost productivity.

Digitalization and remote work

Digital Collaboration—IT security while working from home

The past year was a catalyst for the digitization of German companies. This relates in particular to how and, above all, where we worked. Many companies switched to working from home suddenly and, in most cases, abruptly.

According to Bitkom, almost every second employee was affected by this development in the spring. However, this accelerator of many digitization projects also has downsides, since the attack surface for cyberattacks has increased as a result of the decentralized IT infrastructure. We should therefore take a look at how well IT security was ensured during this time, and especially ask ourselves: What can we learn from this for the current wave of home-office work?

IT security or smooth operations while working from home?

This should not be an either/or question, even if reality has shown that it certainly was one, and unfortunately is again today. Many companies reacted to the crisis by introducing new cloud and collaboration tools such as MS Teams or Zoom to support the decentralized way of working. Often, however, the question of the security of these applications, which were operated almost exclusively over private Internet connections, fell by the wayside.

Virtually overnight, employees—and with them, the IT they use—have started to work from home. Since many companies were not prepared for such a situation, this also meant that their IT structures were not designed for remote work at all. Therefore, the priority here was to create structures that kept the daily business alive despite the home office—which often meant that questions about security took a back seat.

Lack of security standards while working from home

Both companies and employees had to consider so many things: How do I deal with the fact that my company laptop is running on the same network as my in-house network printer, the private laptop as well as my children’s smartphones? How can I ensure that the private network printer does not allow intrusion into the company network?

Responsibility for the security of home networks and the devices used is often passed on to employees. Often, however, the basics of IT security are lacking: training in security-relevant behavior, for example in handling phishing emails or recognizing fraudulent websites, or the necessary infrastructure for working from home.

A survey by Computerbild makes it clear that basic security measures were not being used: Only just under two-thirds of respondents said they had password protection for their computers and installed virus protection programs. And only just under half mentioned the (necessary!) separation of devices used for private and business purposes. VPN connections and multifactor authentication (MFA) were ultimately affirmed by only about one-third of respondents. This clearly shows that only just under a third of all home workplaces meet these IT security standards.

Whose IT security is affected while their employees are working from home?

In short, everyone’s.

However, small and medium-sized companies, in particular, lull themselves into a false sense of security; in fact, size is no guarantee against ransomware or similar attacks. According to a recent Bitkom study, it is small and medium-sized companies that are particularly lucrative for extortionists; unlike large companies, they often have no way of bridging economic downtime and the associated costs. A “small” ransom of a few hundred thousand to a single-digit million figure is often paid more quickly here than waiting out lengthy decryption processes with an uncertain outcome. Multinational players have completely different (financial) options here.

The human factor as the greatest target

Yet it is almost always the human factor that poses the greatest risk to your company’s security. The algorithms and AI that underlie today’s virus scanners and threat protection are so good and sophisticated that they detect malware well. Unfortunately, humans often don’t: In the morning, we want to briefly skim through the mails over a cup of coffee. We are still tired, perhaps also under time pressure; especially in such situations, we are inclined to open an attachment or follow a link without closer examination. In our own homes in particular, such carelessness is fatal: the infrastructure is less protected, and the virus programs may not be up to date. A single infected PC can then paralyze your entire IT infrastructure.

In addition to carelessness, attackers also rely on emotions, and data and personal (identification) information are thus often revealed willingly. Malware spam inherently uses social engineering methods to play on people’s fears and concerns, and central themes in recent months have been the new insecurities associated with the Corona crisis. Supposed instructions from superiors, authorities, or colleagues—today, well-crafted malware spam can hardly be distinguished from genuine requests and is also not intercepted by mail protection filters. This also becomes clear when you consider how well hackers have succeeded in harvesting personal data via fake Corona help pages. Currently, the State Criminal Police Office (LKA) in North Rhine-Westphalia, for example, is warning against such offers.

The consequences of a ransomware attack

Ransomware is malware that prevents access to local data or a network by encrypting and/or stealing data. The aim is usually to extort ransom money to unlock the data. Another extortion method is also the threat of successive publication or sale of sensitive data on the Internet if payment is not made.

Ransomware is usually spread via links or attachments in emails, with attackers relying on advanced social engineering methods and exploiting, in particular, professional pressure or emergencies. After all, without human assistance, infecting the PC is almost impossible, or at least unrealistic. The human factor is the biggest vulnerability in your system: despite bugs and loopholes in programs, an attack via humans themselves is less time-consuming and resource-intensive.

The damage of such attacks—both financially and in terms of reputation—is enormous. Only very few companies are adequately secured against ransomware attacks, although around three-quarters of German companies are affected by data attacks. The damage is often in the millions, as ransomware encrypts systems and data, making it impossible to continue working. If the backups are encrypted as well, which happens easily because they are often stored on the same servers and are therefore just as exposed as the original data, companies must reckon with permanent data loss. Since most ransomware attacks rely not only on encryption but also on data exfiltration, further data protection lawsuits by those affected are to be expected even after successful decryption.

These measures secure your IT

So you see: In addition to the technical component, the human factor, in particular, must be included when securing your IT systems. After all, the human factor is THE weak point in your IT system.

Short-term measures such as the strict separation of private and professional devices are a good start for the current situation. In the long term, however, you need a holistic strategy that starts with the choice of technical solutions used. This includes VPN clients, cloud applications, firewalls, and anti-virus programs. Ideally, these building blocks go hand in hand, so that the maintenance effort for your IT infrastructure is reduced.

It is also essential that you become even more aware of the importance of the human security risk—and take active measures. This starts with training courses on social engineering and manipulation. This training should not only focus on the basic problems but also explain the technical aspects. Only then can a basic understanding of the dangers of such attacks emerge.

Become aware of the importance of identity protection! Today, this can be secured with simple means such as multifactor authentication. This also kills two birds with one stone: modern multifactor authentication relies on passwordless login methods and single sign-on. This not only protects your IT but also offers your employees a simpler and more effective work experience.

DoubleClue – Your protection for the human factor

Therefore, we advise you to implement an improved identification policy in your company. Using multi-factor authentication, users must identify themselves through a second component when logging on to different applications or devices. This ensures security against unauthorized use by third parties. Multifactor authentication is especially important for all those employees who have administrative rights or remote access rights to third-party servers and devices. No matter how well you train your employees, a technical barrier that prevents unauthorized access without exception is mandatory, because a single human error by a single user is enough to cause maximum damage.

Your advantages when implementing DoubleClue

  • Short roll-out time: In total, you need about one day to secure your corporate network against external attacks with multifactor authentication
  • We accompany you completely during implementation and roll-out and offer you full support afterward

Request your 30-day free trial here.

ePA

How secure is the Electronic Patient Record?

Since the beginning of the month, the Electronic Patient Record has been available in Germany, in which insured persons can store and manage their data in a central location. The central storage of their health data is intended to facilitate communication between patients and doctors. In the initial phase, however, patients will have to take care of filling their digital files themselves. There are also still data protection concerns: Patients will not be able to select which doctor has access to which parts of the medical record until 2022. For the time being, anyone who wants to use the Electronic Patient Record provides their doctor with all the information it contains – or none at all.

What is an Electronic Patient Record?

The Electronic Patient Record allows patients to voluntarily store their health and diagnostic data centrally in one place. The information it contains can be shared with doctors, pharmacies, and hospitals to shorten treatments or prevent duplicate examinations. In the future, patients will also be able to use the app to manage the information it contains and decide which doctor can see which information. The digitization of bonus books, vaccination cards, and maternity records is also planned for the future.

When does the Electronic Patient Record come into effect?

Patients will be able to have their health insurers issue the Electronic Patient Record from the beginning of 2021. For the time being, however, they will have to fill it out themselves. Until July, it will only be available to around 200 practices and hospitals on a trial basis; only then will its use be extended to the whole of Germany. The health insurers, on the other hand, have no insight into the stored data, even though the Electronic Patient Record is intended to provide communication channels to their own health insurer. This prevents the insured person from suffering any disadvantages as a result of diagnoses or findings.

How secure is my data?

The Electronic Patient Record stores patient data in encrypted form. Data is exchanged with doctors and other healthcare facilities via the so-called telematics infrastructure (TI) network. However, critics have identified security deficiencies here: For example, the TI’s virus protection is said to be insufficient to actually protect sensitive health data reliably. Overly lax IT security measures in medical practices can also be a security risk: easy-to-guess passwords or shared admin and access rights are unfortunately still commonplace in many practices. You can also read a comprehensive review of the current state of data security in healthcare, as well as the criticism of the telematics infrastructure, in our blog post here.

Cases from abroad, such as a successful hacker attack in Finland, have also shown how weakly protected our sensitive healthcare data still is. Experts, therefore, advise being selective about what information you want to include in the Record. The inclusion of psychotherapeutic documents is currently not advisable. This is because such data could have negative consequences for those affected when looking for new insurance companies or employers, should this data fall into the hands of third parties without authorization.

Unfortunately, the risks and benefits of the Electronic Patient Record must be weighed up here as well. On the one hand, centrally stored data enables faster and more favorable treatment success. This saves time, costs, and nerves on both sides. However, if this sensitive data falls victim to a cyberattack, the insured person may suffer disadvantages, the consequences of which cannot yet be assessed.

Will you use the Electronic Patient Record? Join the discussion here.

DDoS attack on vaccination portal

At the end of December, vaccination against the COVID-19 virus began in the European Union; it has now become known that a cyberattack on the vaccination portal of the Association of Statutory Health Insurance Physicians in Thuringia and the Thuringian Ministry of Health had already occurred in December. This was probably a so-called DDoS (Distributed Denial of Service) attack. As the vaccination center announced, the servers were overloaded by a high number of requests and collapsed as a result. Booking vaccination appointments via the site was therefore initially not possible.

What is a DDoS attack?

This form of cyberattack is an attempt to paralyze a server, a website, or even just parts of a website. For this purpose, countless (and pointless) requests are sent to the respective server within a very short time. How many requests are necessary depends on the server’s capacity. In Thuringia, about 158,000 requests were necessary.

The requests are usually sent by a mixture of botnets and reflectors. Botnets are infected devices that the attacker controls directly by means of malware. These “zombie” computers send spoofed connection requests to other computers, which are then called reflectors. The reflectors do not have to be infected themselves: attackers exploit the fact that modern networked devices will answer the queries they receive. In this way, attackers get by with a comparatively small botnet and also cover their tracks, since devices that are not themselves compromised now also contribute to the attack.

Who is the target of DDoS attacks?

The good news, if you will, upfront: the target of such attacks is not private individuals. Such attacks usually target large websites and opinion leaders – but also, as the current case shows, the healthcare sector, governments, or banks. In other words, important and critical infrastructure. This is why some security experts classify DDoS attacks in the realm of digital warfare, as they can paralyze critical civilian networks and thus harm society.

It is important to note, however, that a DDoS attack does not primarily have monetary goals. It is often about protesting against a site that does not correspond to one’s own political opinion. Or even just to prove that one has the skills to carry out such hacks. These attacks become really critical when the primary goal is not to cripple the site, but other actions are running in the background. The superficial distraction facilitates the cover-up of a more serious hack in the background. If critical infrastructures are affected, a ransom demand can also follow in order to release the server as quickly as possible and get it up and running again.

For the current case, however, the background of the act is not further known.

How can you protect yourself from a DDoS attack?

Since you as a private individual are not the primary target of such an attack, the sobering answer here is: very little to nothing. However, your primary goal should always be to protect your PC as best as possible against malware being installed. After all, this is how you can at least prevent yourself from becoming part of the botnet. Therefore, always update your virus software on the devices you use in a timely manner. The router also plays an important role in protecting your network and should therefore always be up to date. The same applies to your passwords. Wherever possible, set up modern password protection with multifactor authentication. A password manager can help you keep track of your passwords.

As a web administrator, you do have options available to defend against such attacks. For example, if you notice an unusual data stream in time, you can redirect it to a “black hole” (a null route that simply discards the traffic). A bandwidth management tool as well as good virus software will help you fend off simple DDoS attacks in advance if necessary. The last option is to rent a higher bandwidth to ensure availability despite high traffic. For your users, unfortunately, the only option is to wait until your service is available again.
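The two points above, a flood that exceeds what the server can serve and the null route for the sources behind it, as an added worked example that is not part of the original article: a rate-based detector over Common Log Format access log lines. All log lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed for the example; the `ip route add blackhole` commands are only returned as strings for an administrator to review.

```python
"""Rate-based flood detection over web-server access logs (Common Log Format),
plus the null-route commands an administrator would issue for flagged sources.
All log lines below are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Example line:
# 203.0.113.5 - - [28/Dec/2020:09:15:20 +0100] "GET /impftermin HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def flag_flooders(lines, window_s=10, per_source_limit=50):
    """Sources that exceed per_source_limit requests within any sliding window
    of window_s seconds. Returns {ip: peak_requests_in_window}. Assumes the
    log is in chronological order, as a server writes it."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > per_source_limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def peak_total_rate(lines, window_s=10):
    """Highest number of requests from all sources together within any
    window_s-second window; compare this against what the server can serve."""
    times = sorted(p[1] for p in map(parse_line, lines) if p)
    best = start = 0
    for end, ts in enumerate(times):
        while (ts - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def blackhole_commands(flooders):
    """iproute2 null-route commands for the flagged sources. They are returned
    as strings for review, not executed."""
    return [f"ip route add blackhole {ip}/32" for ip in sorted(flooders)]


def build_sample_log():
    """Constructed log: 20 visitors from 198.51.100.0/24 making 3 requests each,
    plus three sources in 203.0.113.0/24 firing 40 requests per second for
    10 seconds each (documentation address ranges, RFC 5737)."""
    base = datetime(2020, 12, 28, 9, 15, 0, tzinfo=timezone(timedelta(hours=1)))
    entries = []
    for i in range(20):
        for k in range(3):
            entries.append((base + timedelta(seconds=i * 3 + k * 7), f"198.51.100.{i + 1}"))
    for j, ip in enumerate(("203.0.113.5", "203.0.113.17", "203.0.113.42")):
        for k in range(400):
            entries.append((base + timedelta(seconds=20 + j + k // 40), ip))
    entries.sort()
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /impftermin HTTP/1.1" 200 512'
            for ts, ip in entries]


if __name__ == "__main__":
    log = build_sample_log()
    flooders = flag_flooders(log)
    print("peak requests in any 10 s window:", peak_total_rate(log))
    for ip, peak in sorted(flooders.items()):
        print(f"{ip}: {peak} requests within 10 s")
    print("\n".join(blackhole_commands(flooders)))
```

A reflection attack as described above arrives from many unwitting reflectors, so per-source thresholds alone will miss it; the aggregate `peak_total_rate` against the server's capacity is the figure to watch in that case.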

Mimikatz – a cute name, but a dangerous Offensive Security Tool

The Windows security tool Mimikatz may have a cute name, but it also has great potential for damage. It was originally developed to demonstrate a security vulnerability of Windows systems, namely a gap in the authentication process. It quickly evolved from a tool for white-hat hackers into one for black-hat hackers. Nevertheless, even today, admins still use the tool to detect and then close security holes in their own systems. Today, Mimikatz is one of the best-known Offensive Security Tools (OST) and is freely available as open source.

How does Mimikatz work?

With the help of Mimikatz, it is possible to read passwords, PINs, and Kerberos tickets from Windows systems, which is why it is often used by attackers and malware. For this purpose, Mimikatz uses the Windows single sign-on function, which has the so-called “WDigest” feature. This feature loads encrypted passwords and their keys into memory. Companies and other organizations in particular use this feature to authenticate user groups. Although WDigest is disabled by default in Windows 10, anyone with administrative rights can enable it and then read out the passwords of the user groups using Mimikatz.

This makes the software a powerful tool for hackers

Administrative (root-level) access is required to run Mimikatz on a system. Once the software is on the system, there are several techniques it can use:

Pass-the-hash – In earlier versions, Windows saved passwords in a so-called NTLM hash when logging in. Attackers can therefore use Mimikatz to copy this exact hash string and use it on the target computer to log in. The password does not even have to be known for this, since this character string is sufficient for authentication.

Pass-the-Ticket – Newer versions of Windows no longer use an NTLM hash for authentication, but so-called Kerberos tickets. Mimikatz is now able to read this ticket and pass it on to another computer so that you can log in there as this user.

Over-Pass-the-Hash (Pass-the-Key) – With the help of the key obtained in this way, attackers can impersonate users towards a domain controller.

Kerberos Golden Ticket – A golden ticket gives you domain administration rights on every computer in the network. Particularly insidious: golden tickets do not expire.

Kerberos Silver Ticket – Kerberos gives a user a TGS ticket that is used to log on to all services on the network. This is possible because Windows does not check TGS tickets at every login.

Pass-the-Cache – In general, this is the same tactic as a pass-the-ticket attack. However, no Windows system is compromised here; instead, the stored login data is used on a Mac, UNIX, or Linux system.

How to protect your system

Ideally, Mimikatz should not be able to reach your system at all. A prerequisite for an initially secure Windows system is an upgrade to Windows 10 (or at least 8.1). If this is not possible, it is at least advisable to disable WDigest manually, although this will probably be only a small hurdle for a skilled attacker. Regardless of the Windows version used, the Local Security Authority (LSA) must be configured securely.

Unfortunately, a single administrator password shared across machines is still common practice in companies today, although this is a well-known security hole. Every Windows machine needs its own unique administrator password. The combination of LSASS protection and safe mode makes Mimikatz ineffective under the newer Windows versions.

You should also educate your employees about the dangers of phishing emails and limit the use of macros.
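The two configuration points from the paragraphs above (WDigest disabled, LSA configured securely) can be audited from a registry export; the following is an added example, not code from the article or from DoubleClue. It parses the `.reg` text format written by `reg export` and checks the `UseLogonCredential` value under the WDigest key and the `RunAsPPL` value under the Lsa key; both exports below are constructed for the example.

```python
"""Audit a Windows registry export (.reg text) for the two credential-protection
settings discussed above: WDigest plaintext caching and LSA protection.
The exports below are constructed for this example; a real export is written by
`reg export` as UTF-16 text and must be decoded before being passed in."""
import re

WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and dword
    values. Returns {key_path: {value_name: int}}."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            tree.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            tree[current][value_match.group(1)] = int(value_match.group(2), 16)
    return tree


def audit_credential_protection(tree, modern_windows=True):
    """Return a list of findings; an empty list means both settings are hardened.

    modern_windows: on Windows 8.1 / Server 2012 R2 and later a missing
    UseLogonCredential value means WDigest caching is off by default; on older
    systems a missing value means it is on."""
    findings = []
    use_logon_cred = tree.get(WDIGEST_KEY, {}).get("UseLogonCredential")
    if use_logon_cred == 1 or (use_logon_cred is None and not modern_windows):
        findings.append("WDigest keeps logon credentials in LSASS memory; "
                        "set UseLogonCredential to 0")
    # RunAsPPL=1 runs LSASS as a protected process (PPL); on recent builds 2
    # means enabled without the UEFI lock. Anything else leaves LSASS open to
    # memory reads by other administrative processes.
    run_as_ppl = tree.get(LSA_KEY, {}).get("RunAsPPL")
    if run_as_ppl not in (1, 2):
        findings.append("LSA protection is not enabled; set RunAsPPL to 1")
    return findings


# Constructed export: an administrator re-enabled WDigest, LSA protection absent.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000001
"""

# Constructed export: the hardened state the article recommends.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000001
"RunAsPPL"=dword:00000001
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, audit_credential_protection(parse_reg_export(text)) or ["OK"])
```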

Detecting Mimikatz

Detecting Mimikatz is a difficult task, since most detection solutions do not catch the software. The only reliable way to identify Mimikatz is to specifically examine your own systems for it. The use of a manual network monitoring component is therefore highly recommended.

So what to do?

In the end, Mimikatz remains a highly dangerous and efficient tool for hackers that can easily slip past automated security checks. It is therefore the human being’s duty to remain vigilant. Simple security measures such as unique admin passwords for each machine, admin and remote access granted only where necessary, and multi-factor authentication that operates independently of the Windows authentication logic together form a strong hurdle.

Black Friday – How Cybercriminals are hunting for your data

It’s the end of November and thus bargain time for most of us: Under names like Black Friday, Black Week, Cyber Week, Cyber Friday – or other creative names – companies are now luring us bargain hunters in the fight for pre-Christmas business. But the bargains not only attract us as consumers but also cybercriminals. And these in turn lure us with “offers” via e-mail or online ads in order to elicit our data unnoticed. The British National Cyber Security Centre (NCSC) has now renewed its warning on the occasion of the shopping week to be careful when shopping online. Consumers should be particularly careful where they shop and what data they disclose when doing so, especially in the rush to buy and find bargains.

Black Friday offers via phishing e-mails

However, this mindfulness begins even before the actual shopping experience, because among the flood of genuine offer e-mails from various providers, the occasional phishing e-mail can also be hidden. Of course, everyone wants to participate in the pre-Christmas business, but these phishing emails are out to get usernames, passwords, or credit card information – for nothing in return, of course. Be wary of offers from merchants you don’t know, or of direct links to bargain items. In any case, it’s better to type the merchant’s address yourself to make sure you end up on the right homepage. If it is a real offer from the merchant, it will be there already. Because often enough the rule is: If the offer is too good to be true, then it probably is!

Asked for more information? – Then better none at all

There is nothing to be said against trying out smaller and unknown retailers and not always buying from the same well-known multinational supplier. But there are a few clues that help to distinguish serious websites from dubious ones. For example, the payment process should be clearly arranged and no personal information should be requested that is not necessary. Additional security details such as a codeword or a secret question may sound trustworthy at first – but they are not at all. During the payment process, you should really not be asked for your mother’s maiden name, your first pet, or your brother’s place of residence. At this point at the latest, you should cancel the purchase process. Ideally, before you have given your bank details.

Check the security of the payment process

Multi-factor authentication must be judged quite differently from such an unnecessary security question. Multi-factor authentication serves to identify you as the buyer: without entering a second factor in addition to the password – usually a code sent to you by e-mail or SMS – nobody can place an order. This ensures that only someone with access to your e-mail account or your smartphone can complete the process. However, not all serious online stores offer this. If you want at least a little security, check the address bar of your browser before entering your data. A padlock symbol there means that the connection to the merchant is encrypted. Of course, this does not mean that the merchant is legitimate, but at least the connection is secure.

And if the store asks you to save your payment data, do so only if you are really sure that you want to order there again. Otherwise this stored information is unnecessary and creates one more place where your data can be exposed.

Black(out) Friday and Amazon Phishing Day

A similar phenomenon as around Black Friday can also be found on Amazon Prime Day: Here, too, cybercriminals take advantage of an event and the bargain-hunting mood of customers around it to obtain passwords, credit card data, and the like. In their phishing campaigns, cybercriminals give their fake Amazon site a similar structure and often use promotions similar to those of the “real” Amazon. These campaigns are especially perfidious because the URLs are also made to resemble the original as closely as possible and have at least “amazon” in their name. Often the URL is unnecessarily long, so that it is not obvious at first glance that this is a completely different page which seems to belong to Amazon but is ultimately hosted somewhere else.

You should always be suspicious if you are not supposed to enter a password at Amazon – but other personal information, including your credit or debit card number. Security experts therefore strongly recommend that you always start on the actual page and never from an email link, even for special promotions such as Amazon Prime Day or Black Friday. Also, if you enter your information differently than usual, you may be dealing with a fraudulent fake site. And pay attention to details: Does the page look the way you are used to? Is the shopping cart icon in the same place as usual? Are all pictures in focus? Can you get to the store’s homepage by clicking on the store’s logo? Is continuous navigation in the store possible? Is the URL complete and logical? Only when all these things are correct should you start the payment process.
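The URL check the last two paragraphs describe (a brand word in a long address that actually points somewhere else), as an added example that is not part of the original article: the registrable domain of the host is what matters, not the word "amazon" in a subdomain or path. The brand allowlist, the two-label suffix table and the sample URLs (using the reserved `.example` domain) are constructed for this example.

```python
"""Find out where a shop link really points: the registrable domain of the
host, not the brand word that appears somewhere in the subdomain or path.
Allowlist, suffix table and sample URLs are constructed for this example."""
from urllib.parse import urlsplit

# Brand names and the domains that legitimately belong to them (constructed,
# deliberately short; extend for your own environment).
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.de", "amazon.co.uk"}}

# Public suffixes that consume two labels. A real deployment should use the
# full Public Suffix List; this table is a constructed stand-in.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """The part of the host name that someone actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url):
    """Return (verdict, registrable_domain).
    'ok'        https and the domain belongs to the brand named in the URL
    'no-tls'    brand domain, but plain http (no padlock in the browser)
    'lookalike' a brand name appears in the URL but the domain is foreign
    'unknown'   no known brand name in the URL; judge the shop on its merits"""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    mentioned = [brand for brand in BRAND_DOMAINS if brand in url.lower()]
    for brand in mentioned:
        if domain in BRAND_DOMAINS[brand]:
            return ("ok" if parts.scheme == "https" else "no-tls"), domain
    if mentioned:
        return "lookalike", domain
    return "unknown", domain


# Constructed URLs in the style the article describes (.example is reserved).
SAMPLE_URLS = [
    "https://www.amazon.de/gp/css/order-history",
    "https://www.amazon.de.prime-day-bonus.example/login",
    "https://secure-login.example/amazon/prime/verify?ref=email",
    "http://amazon.co.uk/deals",
    "https://shop.example.net/blackfriday",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, domain = classify_url(url)
        print(f"{verdict:10} {domain:35} {url}")
```

`urlsplit` lowercases the host but does not normalize Unicode look-alike characters; for internationalized host names compare the IDNA (punycode) form of the host rather than the displayed string.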

Data protection and cybersecurity in the healthcare system

The digitalization of our healthcare system is progressing massively: The German federal government is promoting the networking of medical facilities through the so-called telematics infrastructure (Telematikinfrastruktur, TI). As a result of the corona crisis, the need for online communication between doctors and patients has increased. In addition to these developments, the Electronic Patient Record will be introduced in January 2021.

With such networking of our healthcare system, it is time to take a critical look at the security of the systems and thus of our data. The importance of cybersecurity for the protection of patient records is unfortunately demonstrated by those cases in which attackers have succeeded in penetrating an institution’s system, paralyzing it, or – in the worst case – even stealing data records.

There have also been many reports of major attacks on hospital IT worldwide recently. However, it should not be forgotten that cyberattacks affect not only large medical institutions. They also affect small, independent doctor’s offices, and a single such attack can threaten their existence for various reasons. And it also involves risks for us as consumers.

Securing IT structures in the healthcare system properly

Basics of secure IT systems

First of all, medical institutions, more than any other, must carefully select and maintain their IT infrastructure. An up-to-date operating system with all relevant security updates, a functioning hardware firewall, and an up-to-date and intelligent anti-virus program should be standard. Besides, there should be regular security updates and, ideally, daily backups that cannot be modified from the system. In this way, facilities can be up and running again quickly in the event of a ransomware attack, and the loss of data in their own systems is at least limited.

But password security is also an important point that all too often gets lost in everyday professional life: for many physicians in private doctor’s offices, a compromise between security and practicability has to be found, especially because computers at reception or in laboratories may be used by several people. Nevertheless, even these shared passwords should comply with security standards and be renewed regularly. We also recommend the introduction of a practicable multi-factor authentication.

Since this is a sensitive infrastructure, clear rules for IT use in the workplace should also be established: May private mails be checked? Are online purchases or other surfing behavior allowed? May own storage media be brought and used? Are there special devices that are not connected to the doctor’s office network? It is important here to increase awareness of possible security gaps that could arise from this behavior. Employee training courses on cybersecurity, phishing, or social engineering should therefore be held regularly.

Cyber insurance can also minimize the (financial) risks that arise after an attack has taken place. Good security concepts often ensure that the premium is reduced, and the obligation to deal with this topic alone creates good conditions for actually implementing such plans.

Increased security thanks to telematics infrastructure (TI)?

With the large-scale introduction of the telematics infrastructure (TI) in German doctor’s offices since 2018, the security of the systems was to be further increased. Patient information was to be made available quickly and securely via this secure channel to reduce treatment costs caused by repeated examinations. However, reports are accumulating that the connection to the network is not as secure as announced.

Which security gaps in TI are described?

Although practices have been obliged to connect to the TI, liability in the event of cyberattacks in particular – and thus for data protection issues – has not been sufficiently clarified. Last year, the IT expert Jens Ernst from happycomputer already revealed considerable data protection deficiencies when connecting to the telematics infrastructure.

This starts with the way the TI connector is integrated into the network of doctor’s offices. Here you have the option of choosing between serial and parallel integration. Although serial integration initially requires more installation effort, it offers the advantage that all devices in the doctor’s office are included in the federal security network. Extra protection on the part of the practice owners is not necessary, according to Gematik. Parallel integration, on the other hand, requires that the physicians make their own efforts to secure their existing systems and devices. This actually only makes sense for larger units that had already integrated many devices into their systems beforehand.

Nevertheless, it seems that most units were connected in parallel operation. In this case, the practice owners themselves would now have to ensure that their own systems are secured. However, many claim that they have not been sufficiently informed about this by their IT provider. Ernst describes that even in the few facilities that have been connected serially, the security systems do not function correctly: the firewall of the TI connector in use did not detect an anti-virus test file that he had placed on the system. This means that even in this case there is no protection against access by third parties without further security measures. In the vast majority of doctor’s offices there is therefore no hardware firewall, regardless of how they are integrated. Besides, the virus protection on the computer and the software firewall, which every computer has today, were often switched off.

How can the healthcare system guarantee cybersecurity?

Ernst calls for an open approach to the topic of cybersecurity, which basically rests on three pillars:

  1. A doctor’s office needs a higher security level than just a router, as is often the case today.
  2. Sensitive data should not be sent via a WIFI network. The connector’s LAN network sends data unencrypted; by intruding into the WIFI, it is possible to “listen in”.
  3. Devices that cannot be sufficiently protected due to their design should either not be used at all or be operated in a DMZ (demilitarized zone).

He also proposes setting up a DMZ in which all TI systems are included. This is currently not even the case for the telematics infrastructure itself. He also criticizes the fact that IT specialists do not need a separate certificate from Gematik to connect the TI. Such a certificate would ensure that only trained personnel are allowed to carry out the installation and that sufficient educational work is done with the physicians, who bear the liability.

In summary, Ernst states that the security of all systems can only be guaranteed if the vast majority of surgeries completely remove their computers and devices from the network. Neither the TI connectors nor their own systems would offer any protection whatsoever to safely store consumer data.

As security experts, we too say that security should clearly be the most important starting point for digitization. The security of the systems must be guaranteed before any equipment is connected.


Viruses in hospitals – Cybersecurity in the Corona pandemic

The corona pandemic is pushing hospitals and care facilities to their limits. And this also affects the cybersecurity of many facilities. According to Interpol, an increasing number of attacks on the IT network of hospitals has been reported in recent months.

Particularly in the USA, the FBI has been warning since October about increasing cyberattacks on hospitals and the service providers connected to them. At the end of October, various facilities were successfully infected with so-called ransomware. Due to data encryption, the normal operation of the hospitals was no longer possible.

But why do hospitals in particular offer such good targets for cyberattacks?

IoT implementation despite low security standards

Hospital IT is one thing in particular: historically grown. And that is exactly the problem, in two respects. Historical means that sometimes not all operating systems and application structures are state-of-the-art; often important security updates or patches that would protect the systems are missing. At the same time, the technical infrastructure in the healthcare sector is growing rapidly due to the digitalization of various processes.

This affects medical devices that communicate via IoT, often also with the office network. The latter is potentially high-risk, since an attack on office computers then also affects the IoT devices in the background. Portable medical devices that remotely monitor patients’ vital signs could fail under certain circumstances. A cyberattack could therefore be life-threatening for patients.

Also, hospitals are using opportunities for further digital expansion in the area of office IT: new PCs, tablets, or other smart devices are being purchased that can be used to communicate patient data internally. However, these devices may not even be designed for use in a highly sensitive environment such as a hospital and do not comply with data protection laws or cybersecurity standards. Weak points in their security systems are therefore also ideal starting points for compromising the technical infrastructure.

Besides, some institutions are forced to cut costs and often lack the budget for adequate security of their IT systems. Although they invest in the latest technology, they lack the money and know-how for the corresponding security. And sometimes the clinics themselves are not in control of security installations, namely whenever they are connected to third-party providers and their systems: even if their own IT has very good security standards, this does not necessarily apply to external providers.

Cybersecurity – not just a matter of time

Lack of personnel and thus lack of time are unfortunately everyday life in the medical and nursing professions. Often there is not enough time for the actual work – so where do they get the time to deal with cybersecurity? Most people are probably familiar with simple rules such as switching on a lock screen as soon as you leave your desk or checking the sender of an e-mail. But often the necessary time and/or awareness of the dangers involved is lacking in everyday business life. Employee training courses on cybersecurity could help here – if only time and budget were available.

However, increased attention would make sense. Hospitals are public institutions and therefore easily accessible. Even if the measures in the corona period make access more difficult, it should at least be noted that reception in particular poses a potential cybersecurity risk: in an unattended moment, a potential attacker could install malware unnoticed on the reception PC via a USB stick and thus enter the hospital’s IT system.

Also, modern hospitals themselves act as IT service providers. WIFI access is provided for patients and visitors. If the systems are not detached from the actual company network, a potential gateway for hackers is left open.

Increasing the endpoint security of the diverse hospital IT landscape

As you can see, hospitals and other medical facilities already have a diverse IT landscape as a unit. These interwoven areas make the entire IT system vulnerable as soon as a weakness becomes apparent. Due to the sensitivity and criticality of the data and the associated devices and procedures, they require very high security standards. Increasing the endpoint security of KRITIS facilities should therefore be a concern.

A mantra that not only we repeat again and again is the active training of employees, which as an organizational unit belongs to endpoint security: Education creates an awareness of possible sources of danger and how to prevent them. A well set up mail protection is also mandatory for a KRITIS institution.

Besides, Internet access should only be available on those devices that need it. RDP ports (Remote Desktop Protocol) should be secured in such a way that access from outside is not possible. And above all: business-critical areas and the visitor and patient WIFI should not be connected under any circumstances!

And – we can’t repeat this often enough – activate Multi-Factor Authentication (MFA) for all applications connected to business-critical networks. This provides a high hurdle against intrusion by unauthorized third parties and above all against compromising the systems by them.


Malware-Attacks – what you should know about them

Digitization has nowadays arrived in all areas of our lives: we use smartphones or smart devices in our private lives on a daily basis as well as business laptops and work computers, but also electronic payment options in supermarkets or on public rail transport; in short, our entire public life has been digitized. This penetration of all our living environments makes our everyday life more comfortable. At the same time, it also makes us vulnerable to cyberattacks.

Therefore, it must be our goal from the very beginning to protect our technical infrastructure as well as possible from malware and other criminal acts.

Cybercrime in Germany


The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik (BSI)) is responsible for IT security at the federal level. In its recently published situation report on IT security in Germany 2020, the BSI states: Cybercrime is directed against private individuals as well as companies and organizations or institutions. Such attacks are often aimed at tapping personal data and deriving financial benefit from the information gained.

User’s responsibility – the human factor as the greatest risk factor for your IT security


The maintenance of your hardware and software is up to you. Therefore you as the user must check your actions: besides missed software updates, interaction with malicious e-mails or websites is still THE security gap in your IT system. To successfully install a malicious program on a device, the (active) help of the user is often required, for example by carelessly clicking on a link or e-mail attachment that initiates the installation. In the worst case, all this happens without you as the user noticing anything.

Two terms that we often encounter in cyberattacks are phishing and social engineering. So-called phishing e-mails are fraudulent e-mails that serve to induce the recipient to commit self-harming acts. To achieve this, the attackers use social engineering techniques. This means the use of psychological tricks, such as exploiting fears, compulsions, or emergencies to achieve either the direct issuing of passwords and access data or the installation of malware by clicks.

Unfortunately, such e-mails are getting better and better, and even trained users can no longer necessarily recognize them as such at first glance. The unknown, long-lost rich relative from the most absurd parts of the world has been replaced by deceptively real-looking e-mails, e.g. fake PayPal e-mails, which try to “fish” out users’ passwords and credit card data.

Even bad grammar and incorrect vocabulary are hardly found in modern and well-designed malware spam. And – particularly perfidious – according to the BSI, even an https link is no longer a guarantee of security: in about 60% of registered malware spam in 2019/20, https links were already in use. Although the certificate is supposed to identify a secure site, it only proves that the sender controls that domain; it can be obtained free of charge on the Internet, regardless of whether the content is safe for the consumer.
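Because the padlock only says that the connection to the domain in the address bar is encrypted, a mail filter has to look at where a link really goes rather than at its scheme. The following added example (not code from the original post) parses the anchors of a constructed HTML mail body and flags links whose visible text shows one host while the href points to another; the phishing link in the sample is https and would still be flagged. The sample domains are placeholders.

```python
"""Link-text versus link-target check for HTML mail (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Host part of a URL or bare domain, lower-cased ('' if there is none)."""
    parts = urlsplit(value if "://" in value else "http://" + value)
    return (parts.hostname or "").lower()


def displayed_host(text: str) -> str:
    """If the link text itself looks like a URL or domain, return that host, else ''."""
    tokens = text.split()
    host = host_of(tokens[0]) if tokens else ""
    return host if "." in host else ""


def same_site(real_host: str, shown_host: str) -> bool:
    """True when the real host is the shown host or a subdomain of it."""
    return real_host == shown_host or real_host.endswith("." + shown_host)


def check_links(html: str) -> list:
    """Report every link with its real host, the host the reader sees, and a mismatch flag."""
    parser = _AnchorCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        real, shown = host_of(href), displayed_host(text)
        report.append({
            "href": href,
            "text": text,
            "real_host": real,
            "shown_host": shown,
            "https": href.lower().startswith("https://"),
            # Only a mismatch when the text actually claims a domain.
            "mismatch": bool(shown) and not same_site(real, shown),
        })
    return report


# Constructed sample mail body; the lookalike domain is a placeholder, not a real site.
CONSTRUCTED_MAIL = """
<p>Your account has been limited. Confirm your details here:</p>
<a href="https://www.paypal.com.account-verify.example/login">https://www.paypal.com/login</a>
<p>Questions? Visit our <a href="https://www.paypal.com/help">Help</a> page.</p>
"""

if __name__ == "__main__":
    for entry in check_links(CONSTRUCTED_MAIL):
        flag = "MISMATCH" if entry["mismatch"] else "ok"
        print(f"{flag:8} https={entry['https']} shown={entry['shown_host'] or '-'} real={entry['real_host']}")
```

The first link passes TLS validation for `www.paypal.com.account-verify.example` and would show a padlock in the browser; the mismatch between displayed and real host is what the check catches, independent of https.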

You should know this kind of malware


According to the BSI, last year (June 2019 – May 2020) an average of around 322,000 new malware variants were created every day. Malicious programs are all programs that are harmful in themselves or that can enable other programs to cause damage. One variant is created by the further development of existing malware. It is particularly dangerous in the beginning, as anti-virus programs may not yet be able to recognize it as a danger.

Ransomware

Ransomware is malware that prevents access to local data or a network. The aim is usually the extortion of ransom money to unlock the data. Another extortion method is the threat of successive publication of sensitive data on the Internet if payment is not made.

Ransomware is usually distributed via links or attachments in e-mails. To get the user to act, the distributors rely on advanced social engineering methods and, in particular, also exploit professional constraints.

Ransomware also deliberately exploits weaknesses in remote maintenance and VPN access to penetrate deeper into a company network. According to the BSI, the targets in the last investigation period were especially the company networks of financially strong and medium-sized companies. These include, for example, special suppliers for the automotive industry, the financial and health sectors, and the aviation industry.

The damage of such attacks – both financially and in terms of reputation – is enormous. Only very few companies are sufficiently protected against ransomware attacks. It is worthwhile to already develop and test preventive plans for possible ransomware attack scenarios.

Emotet – a multi-level malware of new quality

Emotet is a good but at the same time an extremely harmful example of the further development of existing malware. According to the BSI, this software has been reappearing more frequently since September 2019 and accounts for the majority of malware attacks. The malware combines various attack strategies and in its current form can read e-mail contents and generate further spam e-mails using the information gained.

This is particularly dangerous and not necessarily easy to detect even for sensitized users, as the spam e-mails generated in this way come from real and known accounts. Emotet uses advanced social engineering methods for initial and further infection via e-mail. Once installed, the account data is used to infect further mail accounts in a pyramid-like fashion. The spying on the mail account, also known as Outlook harvesting, enables the program to send deceptively realistic-looking reply e-mails from the victim to other accounts, and this is usually completely automated.

In addition to expanding the infection network, Emotet infects the system by downloading further malware. For the past year, the BSI has mainly reported about Trickbot, a software that can spy on and sabotage the system. Trickbot can penetrate the user’s Active Directory and read out all user data and administration rights on the domain controller. Besides, Trickbot enables attackers to actively access the system, to create new administrative rights, or to create backdoors with whose help information can be forwarded to the attackers unrecognized, even over a longer period.

In the last step, attackers use the information obtained to deploy ransomware (usually Ryuk) on the system manually. From here on, the same methods are used as in a classic ransomware attack.

Prevent malware infections


A first important step towards preventing such attacks is targeted employee training on phishing and social engineering. This ensures that these issues receive enough awareness in your company. At the same time, improved backup structures with more frequent and so-called offline backups (i.e. backups that cannot be deleted or changed from the network) are part of a preventive plan against cyberattacks, especially ransomware attacks. These ensure that you are quickly operational again in the worst case.

Besides, the reduction of externally accessible systems to a minimum as well as an appropriate internal segmentation of the networks represent a further security level. To prevent a deeper infection of your systems, you should also consider stricter password security requirements with multifactor authentication (MFA), especially for administrators and those who have remote access rights; you should also reduce their number if possible. Regular and prompt updates of all operating systems, server and application software also increase the basic security of the systems.
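An offline backup is only worth something if you can tell, before restoring, that it was not reached by the ransomware after all. The following added example (not code from the original post; it also illustrates the “backups that cannot be modified from the system” advice in the healthcare article above) writes a SHA-256 manifest at backup time and later compares the backup directory against it, reporting files that were overwritten, renamed or added. The directory layout and file contents are constructed for the demonstration.

```python
"""Integrity manifest for a backup set (added example, not the page's own code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file below root (relative, '/'-separated) to its digest and size."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current state of the backup against the manifest taken at backup time."""
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k]["sha256"] != manifest[k]["sha256"])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Create a constructed backup set, then simulate what ransomware does to a reachable copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patients").mkdir()
        (root / "patients" / "index.db").write_bytes(b"constructed sample record\n" * 100)
        (root / "config.ini").write_text("[practice]\nname=constructed example\n")

        manifest = build_manifest(root)          # taken when the backup was written
        assert verify_backup(root, manifest)["ok"]  # untouched copy verifies cleanly

        # Tampering: one file overwritten with junk, one renamed with a ".locked" suffix.
        (root / "patients" / "index.db").write_bytes(b"\x00not the original content\x00")
        (root / "config.ini").rename(root / "config.ini.locked")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    result = demo()
    print("backup intact" if result["ok"] else f"backup damaged: {result}")
```

The manifest has to be stored with the offline copy (or signed and kept elsewhere); if it sits on the same network share as the backup, an attacker who can overwrite the files can regenerate it too, and the check proves nothing.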

Ransomware attack on US hospitals

Since Thursday night, the FBI has been warning of increased cyberattacks on various American hospitals. The used malware Ryuk encrypts the data of the infected systems and thus complicates the further operation of the hospitals. The attack on system-relevant infrastructure such as these is combined with requests for ransom money to release the sensitive data as quickly as possible. The exact number of affected hospitals is not known, only that hospitals in the states of New York, Oregon and Minnesota are involved.

The data encryption has caused significant delays in the clinic process, as the affected clinics have had to reroute some of their patients, which has delayed the waiting times for necessary treatments. Clinics in Germany are also sometimes victims of such cyber-attacks, which can be life-threatening for patients in addition to the financial loss of the organization.

A major ransomware attack took place in the summer of 2019 on central systems of the DRK-Trägergesellschaft Süd-West. Affected were the affiliated hospitals in Rheinland-Pfalz and Saarland, whose provision of care was delayed. According to the media, this incident fortunately had no further consequences for patients. No ransom was paid, and the incident lasted from 13th to 26th July. Sodinokibi was identified as the software used, and a Mobile Incident Response Team (MIRT) was deployed to determine the cause of the attack and restore the systems to working order.

The BSI (Bundesamt für Sicherheit in der Informationstechnik) recommends establishing a functioning and practiced emergency management for such ransomware attacks. Crucial for the success of the measures is, on the one hand, that crisis management in the hospital works and patient care is ensured by analogue (paper-based) data collection. On the other hand, it is essential for IT to narrow down the problem, find the cause and select the necessary measures.

To prevent such attacks from the outset, it is also advisable to sufficiently sensitize employees to the subject of phishing and social engineering and to improve and tighten regulations on password security for remote access. Multifactor authentication for administrative actions is recommended.

#Ransomware #MFA #Cybersecurity #Ryuk #Phishing #SocialEngineering