
The Telesurgery Industry Is Flirting With Cyber Criminals

When Security is a Question of Life or Death

Readers of a certain age will remember the thrill of a ‘90s chat room — strangers from anywhere suddenly in your living room — but, by now, the wonders of telecom are squarely ordinary: Send messages across the world instantaneously? Check. Stream a live opera in Prague from a studio apartment in Poughkeepsie? Check. Run a business from your bedroom? Check.

But even those of us who are a bit jaded by technological advances have to admit that the idea of telesurgery — surgery performed by a physician using a remote-controlled robot over the Internet — is pretty cool.

And yet, it’s not really new: The first successful telesurgery took place in 2001, when a surgeon in New York removed the gallbladder of his 68-year-old patient in Strasbourg, France. “Operation Lindbergh,” as it came to be known, could have been the triumphant start of a global health innovation — but, in the years since, telesurgery has been hampered by slow advances in robotics and communication networks.

Today, doctors typically use robots to operate on a patient in the same room — and they do so using a secure, hardwired connection. Next-gen robots need to work on open networks — in war zones, at disaster sites, and on-call at other remote locations — but network and connectivity issues have been severely limiting. Until now.

The emergence of 5G has been a game changer for the field: Medical teams have an extremely fast network connection at their disposal — but this major advance brings with it major exposure, and now the threats posed by cyber attacks loom large.

Think about it: Assuming everything else in a procedure goes smoothly — the robot works as designed, the surgeon is confident and well-rested, and local staff are standing by — the network connection is a potential vulnerability. A cybercriminal infiltrating the software could dictate the robot’s movements — a breach with potentially fatal consequences. Incorporating security measures is critical to making telesurgery safe — and to promoting its widespread adoption.

To see just how precarious a telesurgery could be, engineers at the University of Washington (UW) tested an open source teleoperated robot, the Raven II. One group (the “surgeons”) set up the Raven II on a table and directed it to pick up and move blocks around while their colleagues (the “attackers”) used common cyberattack methods to disrupt the process.

The attackers were able to override or alter commands from the surgeons, making it difficult for the robot to perform simple actions like grasping the blocks. They also flooded the Raven II with trash data in a denial-of-service attack, resulting in jerky movements. In a real surgery where precision can mean life or death, this simulation exposed a serious risk factor. Finally, the offensive team triggered the robot’s emergency stop mechanism, halting the simulated surgery altogether.

The best way to guard against such attacks is to only perform a telesurgery across a completely secured private network — which, one could argue, minimizes the value of the invention. To address this, the team at UW is working on using machine learning to authenticate a user — the robot would be able to analyze the user’s interactions and create a unique “operator signature.” Along with human monitoring, we may yet be able to create a safeguard in which a surgery can at least be halted before an attacker can do fatal harm.

For the time being, researchers will continue testing and developing telesurgery until its safety measures are as robust and secure as a local procedure would be. In a world where everyone and everything is connected, technology advances are only as valuable as they are secure.

Post-Pandemic Banks Should Be Ready to Dump Two-Factor Authentication

What’s the Next Best Cybersecurity Innovation For Banks?

Use of TFA (two-factor authentication) goes back to the 1980s, when a key fob generated a numerical code for users to append to their passwords. The evolution of this method worked well for the better part of four decades — outlasting other ’80s innovations like two-pound cellular phones and Members Only jackets — but it’s past time to change the locks on digital defenses, particularly for banks.

This is not to say that all 2FAs are useless — and, since banks are required to use 2FA technology, we’re not suggesting they go completely rogue. The idea behind 2FA isn’t bad — the problem is in its execution. As there’s no digital leash tying the authenticator to the device, hardware tokens are still a viable way to protect access to critical data and systems. The problem is that many 2FAs aren’t using hardware. Even using an authentication app on a phone creates potential avenues for vulnerability, from email phishing to flaws in software features.

Cybersecurity has become too complex since the days of Walkmans and leg warmers for a security system to run on a “set it and forget it” mentality. Constant innovation is a must. The hard truth is that SMS-based 2FAs are increasingly easy to hack, leaving millions of bank accounts vulnerable to cybercriminals waiting to pluck their PII — personally identifiable information.


The Nokia 2021 Threat Intelligence Report notes the increased risk of banking malware threats. Cybercriminals often start with a trojan that snatches one-time passwords by capturing keystrokes or overlaying bank login screens. From there, they let themselves into the victim’s mobile bank account. These kinds of malware attacks have been most successful on Android devices because of their open-source code and ubiquity. That’s not to say that Apple’s iOS is fundamentally more secure — if there’s a weakness in any OS, persistent black hats will find it.

Even if a bank account owner is vigilant — protective software, regular OS updates, and a keen eye for phishing emails — there’s the matter of information in transit. Cybercriminals exploited a weakness in Signalling System No. 7 (also known as SS7), a telephony signaling language that allows text messages and phone calls to travel across the globe uninterrupted. By using SS7 to redirect text messages containing one-time passwords sent by victims’ banks, hackers were able to bypass the mobile bank 2FAs meant to protect users against unauthorized withdrawals and get into the accounts. They then used mobile transaction authentication numbers (mTANs) to drain those accounts. It’s shockingly easy to steal money these days.

While 2FA has its benefits — and it’s certainly better than no protection at all — the inherent problem is that it adds layers of security that can be circumvented once a device is compromised. Banks are under pressure to replace 2FAs with other methods such as adaptive authentication. This method evaluates a user’s login attempt and assigns a risk score based on the device, its location, the user’s role, or any other parameters security personnel set. If the attempt is considered medium risk, the user might be asked to verify certain credentials. If considered high risk, their access can be blocked. Because this process requires machine learning, its algorithms are never static; each user’s behavior, location, IP address, and more are monitored and recorded to proactively detect fraudulent access before it even shows up at the door.
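The allow, verify, or block decision described above, sketched as an added example (not code from the article or from any bank's system). It uses fixed, constructed weights and thresholds in place of the machine-learned model the article mentions; the `Login` fields, role names, and device IDs are assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed weights and thresholds (assumptions); security personnel would tune these.
MEDIUM, HIGH = 40, 70
ROLE_WEIGHT = {"customer": 0, "teller": 10, "admin": 25}

@dataclass
class Login:
    role: str
    device_id: str
    lat: float
    lon: float
    ts: float  # epoch seconds

def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance in km between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_score(attempt: Login, known_devices: set, last: Login = None) -> int:
    score = ROLE_WEIGHT.get(attempt.role, 25)   # unknown role scored like the most sensitive
    if attempt.device_id not in known_devices:
        score += 40                             # device never seen for this user
    if last is not None:
        km = km_between(last, attempt)
        hours = max((attempt.ts - last.ts) / 3600, 1 / 60)  # floor avoids divide-by-zero
        if km / hours > 900:                    # faster than an airliner: impossible travel
            score += 45
        elif km > 500:                          # plausible trip, but an unusual location
            score += 15
    return min(score, 100)

def decide(score: int) -> str:
    """Medium risk asks for extra verification; high risk blocks the attempt."""
    if score >= HIGH:
        return "block"
    return "step_up" if score >= MEDIUM else "allow"

# Constructed sample: last login in New York, then three later attempts.
NYC = Login("customer", "phone-A", 40.71, -74.01, 0)
usual = Login("customer", "phone-A", 40.73, -73.99, 86400)
new_phone = Login("customer", "phone-B", 40.73, -73.99, 86400)
prague_1h = Login("customer", "phone-B", 50.08, 14.44, 3600)

if __name__ == "__main__":
    for a in (usual, new_phone, prague_1h):
        s = risk_score(a, {"phone-A"}, NYC)
        print(a.device_id, s, decide(s))
```
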

Protecting the assets of a bank’s account holders should be a financial institution’s top priority, and in today’s digital frontier, that means staying multiple steps ahead of cybercriminals.

Why Executives Should Play Cyber War Games

Make Sure You’re Prepared For Cyber Attacks

Just as the military uses simulated environments to prepare troops, forward-thinking cybersecurity teams stage mock security breaches to ensure they’re prepared for cyber attacks. Companies like Boeing, Lockheed Martin, and Raytheon Technologies use cyber war games as part of their security arsenal — a proactive measure to safeguard their data and their business.

As your business grows, so will the number of attacks you face. You know the adage: Cyberattacks are so common that it’s not a matter of whether a business will fall prey to one, but when. Here are our top five reasons why you should conduct cyber war games at your company.

1. Stand ready.

Cyber war games ensure your security professionals and extended team are ready for anything. Your proprietary data can be swaddled in encryptions and accessible only by a 2FA token, retina scan, and voice-activated password, but unless your company’s cybersecurity is constantly evolving, it’s only a matter of time before it’s breached. By participating in war games, tech professionals learn to think like an adversary and identify weaknesses in their own defenses before hackers can.

2. Learn the ways of your adversaries to defend your environment.

Cyber war games go beyond penetration testing in search of vulnerabilities — unsecured network ports, data in transit, and externally facing programs sharing too much information. Modeled after real-life hacking techniques, from phishing to cross-site scripting, they’re designed to test even the most savvy security team’s agility and decision-making skills. Furthermore, they help the security team better understand each angle of an attack, anticipate new ones, and rapidly devise go-to countermeasures. NATO’s yearly cyber war game, Locked Shields, imagines a fictional country on the defensive. Targets may include anything from the civilian to the military — think water treatment facilities, energy plants, and military installations — and the rules, based on actual law, force participants to navigate the legal repercussions of their actions. Put into this context, it’s easier to see yourself as the protector of sensitive systems and information.

3. Know the risks of being ill-prepared.

Attacks have consequences. A data breach can cost millions of dollars, lose client trust and business, and lead to legal repercussions. If protected personal information (PPI) is stolen, organizations may face not only government fines but also legal action such as class action lawsuits — not to mention the gauntlet of public ridicule. Social media platforms have certainly taken heat this year: Facebook alone suffered a breach that exposed 533 million users’ information and is now facing potentially billions of dollars in lawsuits — and that’s on top of the PR nightmare.

4. Improve security culture.

If a security team is in the habit of setting and forgetting defensive measures, they’re leaving their company exposed to collapse under cyberattacks. The best defense against ever-evolving attacks is practice, and what better way to practice than to play against one another? As in chess, the player with the stronger and more flexible tactics will emerge the victor — and the entire team will learn from it.

5. Develop strategies to survive the next attack.

Many companies will struggle to survive a cyberattack. A cyber war game should include fail-safes and backup plans. What happens if the enemy does breach the gates? A war game inspires players to contrive system resets, automatic updates and data backups, and countless other ways to mitigate the potential effects of a cyberattack. Damage control is just as important as defense in surviving an attack.

Practicing how to defend against cyber attacks is an increasingly complex part of company security; wargaming keeps a security team’s minds open, reactions on-point, and strategies creative — and, most importantly, one step ahead.