puts

An EU agency has grappled with thorny issues surrounding the adoption of IoT technology in hospitals to draft a series of best practice guidelines.

The European Union Agency for Network and Information Security (ENISA) study engaged information security officers from more than 10 hospitals across the EU, painting a picture of the smart hospital ICT ecosystem. Security experts at the agency analysed attack scenarios before coming up with a risk-based approach that focuses on relevant threats and vulnerabilities.

Increased risks ranging from ransomware attacks on hospitals IT systems and DDoS assault to hackers selling stolen medical data through cybercrime forums shows that a change in mentality by hospital IT staff and their mangers is required, according to ENISA. Modernisation and innovations such as remote patient care are pushing hospitals towards the adoption of smart solutions. Emerging security and safety issues are sometimes getting overlooked or ignored in this headlong rush.

The introduction of Internet of Things (IoT) components in the hospital ecosystem, increases the variety and volume of potential ways hospitals might become vulnerable to cyber-attacks, ENISA warns.

ENISA's recommendations from its report (PDF) centre on a three point plan.

  • Healthcare organisations should provide specific IT security requirements for IoT components. Only state-of-the-art security measures should be applied.
  • Smart hospitals should identify assets and how these will be interconnected before drawing up policies and practices.
  • Device manufacturers should incorporate security into existing quality assurance systems. Healthcare organisation should be involved in the designing systems and services from the very beginning.

ENISA executive director Udo Helmbrecht commented: "Interconnected, decision-making devices offer automation and efficiency in hospitals, making them at the same time vulnerable to malicious actions. ENISA seeks to co-operate with all stakeholders to enhance security and safety in hospitals adopting smart solutions, namely smart hospitals."

Healthcare is moving up on the policy agenda. The adoption of the EU Directive on Security of Network and Information Systems (NIS) covers healthcare organisations. ENISA plans to support EU member states with the introduction of baseline security measures to the critical sectors, focusing on healthcare organisations, from next year onwards. ®

Sponsored: 10 Reasons LinuxONE is the best choice for Linux workloads


The Register - Security

The cybersecurity skills shortage has been discussed in many different ways over the recent years, but a successful hiring event held by the Department of Homeland Security has some wondering if that event was a sign of optimism or an outlier.

The Department of Homeland Security (DHS) held a two-day hiring event "aimed at filling mission-critical positions to protect our Nation's cyberspace" in July. According to a new blog post, that event garnered "over 14,000 applicants and over 2,000 walk-ins" and culminated with more than 800 candidate interviews and "close to 150 tentative job offers."

Angela Bailey, chief human capital officer for the DHS, said in a blog post that the DHS "set out to dispel certain myths regarding cybersecurity hiring," including the ideas that there is a cybersecurity skills shortage and that organizations cannot hire people "on the spot."

"While not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event," Bailey wrote. "We demonstrated that by having our hiring managers, HR specialists, and personnel security specialists together, we were able to make about 150 job offers within two days. Close to 430 job offers have been made in total, with an original goal of filling around 350 positions."

Gunter Ollmann, CSO for Vectra Networks, said although the event "was pitched under the banner of cybersecurity it is not clear what types of jobs were actually being filled," and some positions sounded more "like IT roles with an impact on cybersecurity, rather than cybersecurity specific or even experienced infosec roles."

"Everyone with a newly minted computer science degree is being encouraged to get in to cybersecurity, as the lack of candidates is driving up salaries," Ollmann told SearchSecurity. "Government jobs have always been popular with recent graduates that managed to scrape through their education, but would unlikely appear on the radar as interns for larger commercial organizations or research-led businesses."

Chris Sullivan, CISO and CTO for Core Security, agreed that the DHS event may not be indicative of the state of the cybersecurity skills shortage.

"It looks like DHS executed well and had a successful event but we shouldn't interpret that as a sign that cyber-defender resource problems are over. In fact, every CISO that I speak to has not seen any easing in the availability or cost of experienced resources," Sullivan said. "In addition, the medium to long term solution requires both formal and on the job training -- college curriculum is coming but much of it remains immature. We need resources to train the trainers."

Derek Manky, global security strategist at Fortinet, warned about putting too much into just a few hundred positions compared to the potentially hundreds of thousands of cybersecurity jobs left unfilled.

"The DHS numbers are relatively small compared with the overall number of unfilled positions," Manky said. "Part of the solution is to build better technology that requires less human capital to be effective and can evolve to meet shifts in the threat landscape. Additionally, the market needs to better define what skills a cybersecurity professional should hold and use these definitions to focus on efforts that can engage and develop a new generation of cybersecurity talent."

Rob Sadowski, director of marketing at RSA, the Security Division of EMC, said this event might be cause for optimism regarding the cybersecurity skills shortage.

"The experience that DHS shared is encouraging because it shows a groundswell of interest in cybersecurity careers. This interest and enthusiasm needs to continue across the public and private sector if we are to address the still significant gap in cybersecurity talent that is required in today's advanced threat world," Sadowski told SearchSecurity before hedging his bet. "The talent pool in an area such as DC, where many individuals have strong backgrounds in defense or intelligence, security clearances, and public sector agency experience contributes significantly towards building a pool of qualified cybersecurity candidates that may not be present in other parts of the country or the world."

Bailey attributed some of the success of the DHS event to proper planning and preparation.

"Before the event, we carefully evaluated the security clearance requirements for the open positions. We identified many positions that could be performed fully with a 'Secret' rather than a 'Top Secret' clearance to broaden our potential applicant pool," Bailey wrote. "We knew that all too often the security process is where we've lost excellent candidates. By beginning the paperwork at the hiring event, we eliminated one of the more daunting steps and helped the candidates become more invested in the process."

Bailey noted the most important advice in hiring was to not let bureaucracy get in the way.

"The most important lesson learned from our experience is the value of acting collaboratively, quickly, and decisively. My best advice is to just do it," Bailey wrote. "Don't spend your precious time deliberating over potential barriers or complications; stop asking Congress for yet another hiring authority or new personnel system, instead capitalize on the existing rules, regulations and hiring authorities available today."

Sadowski said rapid action is a cornerstone of an effective security program, but noted not all organizations may have that option.

"It's great that DHS has the luxury to act decisively in hiring, especially from what they saw as a large, qualified pool," Sadowski said. "However, many private sector organizations may not have this freedom, where qualified potential hires may require significant commitment, investment, and training so that they understand how security impacts that particular business, and how to best leverage the technology that is in place."

Next Steps

Learn more about how the cybersecurity skills shortage be fixed.

Find out how to live with the cybersecurity skills shortages.

Get info on why there is a delay in adopting new tech because of the skills shortage.


SearchSecurity: Security Wire Daily News

A Trojan targeting US healthcare organizations attempts to avoid detection by going to sleep for prolonged periods after initial infection, security researchers warn.

Symantec estimates that thousands of organizations have been hit by the Gatak Trojan since 2012. The malware is programmed to spread aggressively across an organization’s network once it gets a foothold.

The healthcare sector in particular has been disproportionately targeted – of the top 20 most affected organizations with the highest number of infected computers, 40 per cent were in the healthcare sector, Symantec reports.

Selling healthcare records is a growing trade on cybercrime forums. This could explain the attackers’ heavy focus on the healthcare sector.

Gatak reels in victims through websites promising product licensing keys for pirated enterprise software packages (backup, 3D scanning software, etc). These supposed software license key generators (keygens) actually come packed with malicious code.

The software nasty also spreads to a lesser extent using watering hole attacks (where the instigator infects websites that members of the group are known to visit).

The malware creates a backdoor on compromised machines before stealing information. Hackers are known for leveraging the malware to break into machines on associated networks, probably using weak passwords and poor security in file shares and network drives.

“In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock financial Trojan,” Symantec reports. “In the case of Shylock, these appear to be older versions of the threat and might even be 'false flag' infections.

“They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent,” it adds.

The malware downloads instructions from pre-programmed URLs. These instructions are hidden in image files using steganography, a technique for hiding data within image files. ®

Sponsored: Customer Identity and Access Management


The Register - Security

A zero-day exploit could be used to hack MySQL servers. Credit: Gerd Altmann / Pixabay

A publicly disclosed vulnerability in the MySQL database could allow attackers to completely compromise some servers.

The vulnerability affects "all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions," as well as the MySQL-derived databases MariaDB and Percona DB, according to Dawid Golunski, the researcher who found it.

[ Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security newsletter. ]

The flaw, tracked as CVE-2016-6662, can be exploited to modify the MySQL configuration file (my.cnf) and cause an attacker-controlled library to be executed with root privileges if the MySQL process is started with the mysqld_safe wrapper script.

The exploit can be executed if the attacker has an authenticated connection to the MySQL service, which is common in shared hosting environments, or through an SQL injection flaw, a common type of vulnerability in websites.

Golunski reported the vulnerability to the developers of all three affected database servers, but only MariaDB and Percona DB received patches so far. Oracle, which develops MySQL, was informed on Jul. 29, according to the researcher, but has yet to fix the flaw.

Oracle releases security updates based on a quarterly schedule and the next one is expected in October. However, since the MariaDB and Percona patches are public since the end of August, the researcher decided to release details about the vulnerability Monday so that MySQL admins can take actions to protect their servers.

Golunski's advisory contains a limited proof-of-concept exploit, but some parts have been intentionally left out to prevent widespread abuse. The researcher also reported a second vulnerability to Oracle, CVE-2016-6663, that could further simplify the attack, but he hasn't published details about it yet.

The disclosure of CVE-2016-6662 was met with some criticism on specialized discussion forums, where some users argued that it's actually a privilege escalation vulnerability and not a remote code execution one as described, because an attacker would need some level of access to the database.

"As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use," Golunski said in his advisory. "These are by no means a complete solution and users should apply official vendor patches as soon as they become available."

Oracle didn't immediately respond to a request for comments on the vulnerability.