CISO and board-facing content on auditable, policy-backed execution decisions. Pre-built evidence for NIST, SOC 2, HIPAA, FISMA, and customer or vendor reviews.

The Nauseating Truth About FIN12 for Hospital CISOs

FIN12’s Ruthless Tactics Put Lives at Risk

FIN12 is an aggressive, ransomware-focused cybercrime group that specializes in targeted attacks on the healthcare sector. While many cybercrime groups will avoid hospitals, nursing homes, and 911 services — FIN12 has no reluctance.

Since 2018, FIN12 has actively targeted a range of businesses — making the group one of the most notorious big game hunters in cybercrime. Nearly 20% of their victims are in healthcare; 85% are in North America; and all boast revenues of at least $300 million. With no sign of remorse or morals, FIN12 stands in stark contrast to other cybercriminals: DoppelPaymer and Maze claim that they provide free decryption keys if they accidentally target a vulnerable group. FIN12 deliberately seeks them out.

A New Challenge For Hospital CISOs

No sector is safe from this group’s reach (they have also attacked government websites, schools, universities, and local municipalities), but their ruthless tactics pose a huge threat to healthcare. CISOs have to strategize for FIN12’s attacks — especially if long-distance treatments like telesurgery become more prominent, which will raise the stakes astronomically.

FIN12’s Brutal Methods

FIN12’s single-minded focus on ransomware deployment sets them apart. Their methods are ruthless — and brutally quick. By developing close partnerships with other threat actors who have already gained access to a victim’s network, FIN12 can creep in undetected and quickly deploy debilitating ransomware. Then, when access is securely locked down, they request a single large payout in Bitcoin. Their time-to-ransom (TTR) is incredibly short — the attack and payout all occur in 2 to 3 days.

To make their attacks more complex, FIN12 often overlaps toolsets and services to include backdoors, droppers, and code-signing certificates. The rise of remote work and relaxed home cybersecurity has made it easier for them to access remote logins — paving the way for their attacks.

A Reason to Pay Ransom

FIN12 is in it for the money — not for the data. Since they solely encrypt or block access to data instead of exfiltrating it, there’s an incentive for hospitals to pay up, get systems running, and save lives. Without the threat of corrupted data or exposed personally identifiable information (PII), their victims have reason to believe that they won’t be extorted or left behind without restored access. Additionally, FIN12 has a reputation for taking payment and moving on — another reason used to justify ransom payments.

A Stronger Defense

Along with updating security processes, procedures, and systems — the no-brainer basics — educating healthcare personnel on cyber security best practices helps prevent attackers like FIN12 from gaining a foothold. In most cases, mismanaged credentials and privileges lead to a breach: Many successful attacks began with a mere phishing email.

Enacting safety standards such as prohibiting personal use of company devices, using multi-factor or adaptive authentication, and keeping OS and antivirus software up to date can go a long way in preventing threats from getting in.

Call the Feds! What Bank CISOs Need to Do After a Data Breach

Mitigate Damage: The 4 Critical Steps For a Bank CISO’s Response

Financial institutions are one of the most vulnerable targets for cyberattacks — and today’s Bonnies and Clydes are after more than just cash. Social security numbers, credit card accounts, and sensitive financial data are all up for grabs when a bank is breached, creating perfect conditions for costly and time-consuming cyber nightmares — for clients and institutions alike.

Having a playbook in place in the event of a breach can help your financial institution avoid costly fines, reputational damage, and future attacks. Below are four critical steps CISOs in financial institutions need to take after a data breach.

Step 1: Know the Rules

Under the Gramm-Leach-Bliley (GLB) Act, financial institutions are legally required to ensure that their clients’ details are safe and confidential: They must have a written plan that outlines how they protect customer data; use service providers with security safeguards in place; train their employees on cyber security best practices; and work with law enforcement in the event of a breach.

Sounds simple enough, but each state has its own set of rules and regulations for working with local and federal law enforcement when sensitive data is compromised. CISOs need to make sure they understand the scope of their responsibilities — as well as their power of authority — and be fluent in local legal requirements when devising their company’s own plan.

Step 2: Contact the Proper Authorities

It might seem easier to quietly pay off cybercriminals rather than deal with an embarrassing public fallout and sky-high fines. While that may be true, it is a spectacularly bad idea. The best practice is to follow protocol and alert the authorities, immediately.

Not convinced? Let’s entertain the idea of an institution responding to ransomware by quietly slipping Bitcoins to cybercriminals as payment. Bypassing lengthy investigations and the disruption of daily activities — not to mention neatly sidestepping loss of trust from customers and clients if the attack is exposed — may sound appealing, but the fallout could be worse than the breach itself. There’s no guarantee that the attackers would hold true to their word and relinquish control, or that they wouldn’t abuse the data to which they’d gained access. There is also zero guarantee that the group wouldn’t make their actions known — either by simply announcing it or by broadcasting the very data they stole. Just ask Joe Sullivan, former CISO at Uber, who faced charges from the FBI after taking matters into his own hands and paying a ransom.

Step 3: Own Up and Alert Your Customers

The fear of shouldering the blame for a breach is understandable, especially when 23% of companies report executive firings following cyberattacks. Banks are burdened with safeguarding their customers’ finances and their personally identifiable information, making a breach a particularly nasty pill to swallow. However, a careful and methodical response can help to protect and retrieve clients’ information — and help institutions save face.

In April of 2021, the Bank of Oak Ridge in North Carolina reported a data breach affecting an undisclosed number of accounts. Social Security numbers, bank account numbers, and driver’s license numbers were exposed.

In response, the bank closed all five of its branches for two days while the FBI assisted with the investigation. When they determined who was likely affected, the bank alerted its customers and offered free identity protection. By reporting the incident quickly, following protocol, and communicating with transparency, the bank dodged legal fines — and remained in business.

Never heard of this incident? Exactly.

Step 4: Conduct a Critical Vulnerability Scan

Bad things happen to even the best IT teams, but there’s no excuse for being hacked or attacked in the same way twice. Below are high-level practices all organizations should adopt in the aftermath of — and well before — an attack.

  • Prioritize security from the top down. For security measures to be effective, executive level buy-in is a must. It’s on CISOs and other C-suite execs to make cybersecurity and awareness a core part of organizational culture.

  • Know your risk profile. Clearly identifying your industry’s attack vectors, gaming out different cyberattack scenarios, and being aligned on your organization’s most valuable assets — and how to protect them — is crucial to creating and executing effective cyber security initiatives.

  • Take threats seriously. Prepare for the worst. Seriously. (Read more: Why Executives Should Play Cyber War Games)

  • Enforce your policies. Security policies should be baked into day-to-day operations — and outlined in terms that all employees (not just tech geeks) can understand. Document everything, automate whenever possible, and keep things simple.

  • Back it up. Data loss can be a death blow to an organization — many never fully recover. Keep a copy of critical data in a secure offsite location and regularly test your backups.

  • Keep up with security patches. Sounds like a no-brainer, but regularly applying legitimate security patches to software and hardware systems is often overlooked. Are there examples where a security patch created a vulnerability? A couple. Are there examples where the lack of a patch created a huge problem? A couple thousand.

If a bank wants to mitigate the damages from a cyberattack and maintain its customers’ trust, the CISO should get to know the applicable local and federal laws, create a plan, and communicate any data breaches without fail. An attack is all but inevitable, but how an institution reacts determines whether it will recover and move on, or keep on taking hits even after the ransom is paid.

The Telesurgery Industry Is Flirting With Cyber Criminals

When Security is a Question of Life or Death

Readers of a certain age will remember the thrill of a ‘90s chat room — strangers from anywhere suddenly in your living room — but, by now, the wonders of telecom are squarely ordinary: Send messages across the world instantaneously? Check. Stream a live opera in Prague from a studio apartment in Poughkeepsie? Check. Run a business from your bedroom? Check.

But even those of us who are a bit jaded by technological advances have to admit that the idea of telesurgery — surgery performed by a physician using a remote-controlled robot over the Internet — is pretty cool.

And yet, it’s not really new: The first successful telesurgery took place in 2001, when a surgeon in New York removed the gallbladder of his 68-year-old patient in Strasbourg, France. “Operation Lindbergh,” as it came to be known, could have been the triumphant start of a global health innovation — but, in the years since, telesurgery has been hampered by slow advances in robotics and communication networks.

Today, doctors typically use robots to operate on a patient in the same room — and they do so using a secure, hardwired connection. Next-gen robots need to work on open networks — in war zones, at disaster sites, and on-call at other remote locations — but network and connectivity issues have been severely limiting. Until now.

The emergence of 5G has been a game changer for the field: Medical teams have an extremely fast network connection at their disposal — but this major advance brings with it major exposure, and now the threats posed by cyber attacks loom large.

Think about it: Assuming everything else in a procedure goes smoothly — the robot works as designed, the surgeon is confident and well-rested, and local staff are standing by — the network connection is a potential vulnerability. A cybercriminal infiltrating the software could dictate the robot’s movements — a breach with potentially fatal consequences. Incorporating security measures is critical to making telesurgery safe — and to promoting its widespread adoption.

To see just how precarious a telesurgery could be, engineers at the University of Washington (UW) tested an open source teleoperated robot, the Raven II. One group (the “surgeons”) set up the Raven II on a table and directed it to pick up and move blocks around while their colleagues (the “attackers”) used common cyberattack methods to disrupt the process.

The attackers were able to override or alter commands from the surgeons, making it difficult for the robot to perform simple actions like grasping the blocks. They also flooded the Raven II with trash data in a denial-of-service attack, resulting in jerky movements. In a real surgery where precision can mean life or death, this simulation exposed a serious risk factor. Finally, the offensive team triggered the robot’s emergency stop mechanism, halting the simulated surgery altogether.

The best way to guard against such attacks is to only perform a telesurgery across a completely secured private network — which, one could argue, minimizes the value of the invention. To address this, the team at UW is working on using machine learning to authenticate a user — the robot would be able to analyze the user’s interactions and create a unique “operator signature.” Along with human monitoring, we may yet be able to create a safeguard in which a surgery can at least be halted before an attacker can do fatal harm.
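As an added illustration (not the UW team’s code, nor any robot vendor’s), here is a simplified statistical stand-in for the “operator signature” idea: the surgeon’s command cadence and per-command displacement are profiled from a trusted baseline session, and a live session is halted when the stream stops looking like that operator, which covers both the flood of trash data and the altered commands described above. The z-score threshold, the hard displacement cap, and every session below are constructed assumptions, not measurements from the Raven II work.

```python
"""Operator-signature monitor for a teleoperated robot's command stream.

Added illustration, not the University of Washington team's code nor any
robot vendor's. A simplified statistical stand-in for a machine-learning
operator signature: thresholds, the hard displacement cap and all sessions
below are constructed assumptions.
"""
import random
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Command:
    t: float      # seconds since session start
    dx: float     # requested displacement, mm
    dy: float
    dz: float


def magnitude(cmd: Command) -> float:
    return (cmd.dx ** 2 + cmd.dy ** 2 + cmd.dz ** 2) ** 0.5


@dataclass
class OperatorSignature:
    interval_mean: float
    interval_std: float
    mag_mean: float
    mag_std: float


def build_signature(commands):
    """Profile inter-arrival time and displacement from a trusted session.
    The std floor (5% of the mean) keeps a very steady operator from producing
    a zero std that would flag every later command."""
    intervals = [b.t - a.t for a, b in zip(commands, commands[1:])]
    mags = [magnitude(c) for c in commands]
    iv_mean, mg_mean = mean(intervals), mean(mags)
    return OperatorSignature(
        iv_mean, max(pstdev(intervals), 0.05 * iv_mean),
        mg_mean, max(pstdev(mags), 0.05 * mg_mean),
    )


class SessionMonitor:
    """Checks each live command; after `max_anomalies` consecutive deviations
    (or any single command above the hard cap) it latches into a halted state,
    the software equivalent of pressing the emergency stop."""

    def __init__(self, sig, z_limit=4.0, max_anomalies=3, max_mag_mm=5.0):
        self.sig = sig
        self.z_limit = z_limit
        self.max_anomalies = max_anomalies
        self.max_mag_mm = max_mag_mm
        self.last_t = None
        self.consecutive = 0
        self.halted = False

    def check(self, cmd: Command) -> str:
        """Return 'ok', 'anomaly' or 'halt' for one command."""
        if self.halted:
            return "halt"
        mag = magnitude(cmd)
        if mag > self.max_mag_mm:   # physical interlock, independent of the signature
            self.halted = True
            return "halt"
        anomalous = abs(mag - self.sig.mag_mean) / self.sig.mag_std > self.z_limit
        if self.last_t is not None:
            interval = cmd.t - self.last_t
            if abs(interval - self.sig.interval_mean) / self.sig.interval_std > self.z_limit:
                anomalous = True
        self.last_t = cmd.t
        self.consecutive = self.consecutive + 1 if anomalous else 0
        if self.consecutive >= self.max_anomalies:
            self.halted = True
            return "halt"
        return "anomaly" if anomalous else "ok"


def run_session(sig, commands, **kw):
    mon = SessionMonitor(sig, **kw)
    return [mon.check(c) for c in commands]


# Constructed sessions: ~20 commands/s, ~1 mm steps, deterministic jitter.
def synthetic_session(n, dt, mag, jitter_t, jitter_mag, seed):
    rng, t, cmds = random.Random(seed), 0.0, []
    for _ in range(n):
        t += dt + rng.uniform(-jitter_t, jitter_t)
        cmds.append(Command(t, mag + rng.uniform(-jitter_mag, jitter_mag), 0.0, 0.0))
    return cmds


BASELINE = synthetic_session(60, 0.05, 1.0, 0.005, 0.1, seed=1)
NORMAL_SESSION = synthetic_session(40, 0.05, 1.0, 0.005, 0.1, seed=2)
# Flood: trash commands arriving 50x faster than the operator ever sends them.
FLOOD_SESSION = synthetic_session(30, 0.001, 1.0, 0.0, 0.0, seed=3)
# Tampered: normal cadence, but from the 6th command on the displacement is 8 mm.
TAMPERED_SESSION = [Command(c.t, 8.0 if i >= 5 else c.dx, c.dy, c.dz)
                    for i, c in enumerate(NORMAL_SESSION)]
BASELINE_SIG = build_signature(BASELINE)

if __name__ == "__main__":
    for name, s in [("normal", NORMAL_SESSION), ("flood", FLOOD_SESSION),
                    ("tampered", TAMPERED_SESSION)]:
        r = run_session(BASELINE_SIG, s)
        print(name, "halted at command", r.index("halt")) if "halt" in r else print(name, "completed")
```

The hard cap is deliberately checked before the signature: a physical limit on how far the arm may move per command needs no model and fires on the first bad command, while the statistical signature catches the subtler case of plausible-looking commands arriving at the wrong rhythm. A real deployment would build the baseline from an authenticated session and keep a human able to override the halt.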

For the time being, researchers will continue testing and developing telesurgery until its safety measures are as robust and secure as a local procedure would be. In a world where everyone and everything is connected, technology advances are only as valuable as they are secure.

Post-Pandemic Banks Should Be Ready to Dump Two-Factor Authentication

What’s the Next Best Cybersecurity Innovation For Banks?

Use of 2FA (two-factor authentication) goes back to the 1980s, when a key fob generated a numerical code for users to append to their passwords. The evolution of this method worked well for the better part of four decades — outlasting other ’80s innovations like two-pound cellular phones and Members Only jackets — but it’s past time to change the locks on digital defenses, particularly for banks.

This is not to say that all 2FAs are useless — and, since banks are required to use 2FA technology, we’re not suggesting they go completely rogue. The idea behind 2FA isn’t bad — the problem is in its execution. As there’s no digital leash tying the authenticator to the device, hardware tokens are still a viable way to protect access to critical data and systems. The problem is that many 2FAs aren’t using hardware. Even using an authentication app on a phone creates potential avenues for vulnerability, from email phishing to flaws in software features.

Cybersecurity has become too complex since the days of Walkmans and leg warmers for a security system to run on a “set it and forget it” mentality. Constant innovation is a must. The hard truth is SMS-based 2FAs are increasingly easier to hack, leaving millions of bank accounts vulnerable to cybercriminals waiting to pluck their PII — personally identifiable information.


The Nokia 2021 Threat Intelligence Report notes the increased risk of banking malware threats. Cyber criminals often start with a trojan to snatch one-time passwords with captured keystrokes or overlaying bank login screens. From there, they let themselves into the victim’s mobile bank account. These kinds of malware attacks have been most successful on Android devices because of their open-source code and ubiquity. That’s not to say that Apple’s iOS is fundamentally more secure — if there’s a weakness in any OS, persistent black hats will find it.

Even if a bank account owner is vigilant — protective software, regular OS updates, and a keen eye for phishing emails — there’s the matter of information in transit. Cybercriminals exploited a weakness in Signalling System No. 7 (also known as SS7), a telephony signaling protocol that allows text messages and phone calls to travel across the globe uninterrupted. Using SS7 to redirect text messages containing one-time passwords from their banks in order to access the accounts, hackers were able to bypass mobile bank 2FAs meant to protect users against unauthorized withdrawals. They then used mobile transaction authentication numbers (mTANs) to drain them. It’s shockingly easy to steal money these days.

While 2FA has its benefits — and it’s certainly better than no protection at all — the inherent problem is that it adds layers of security that can be circumvented once a device is compromised. Banks are under pressure to replace 2FAs with other methods such as adaptive authentication. This method evaluates a user’s login attempt and assigns a risk score based on the device, its location, the user’s role, or any other parameters security personnel set. If the attempt is considered medium risk, the user might be asked to verify certain credentials. If considered high risk, their access can be blocked. Because this process requires machine learning, its algorithms are never static; each user’s behavior, location, IP address, and more are monitored and recorded to proactively detect fraudulent access before it even shows up at the door.
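The risk-tier logic described above, as an added example that is not CodeHunter’s code or any bank’s production engine: each login attempt is scored against what has been observed for that user (device, country, IP, hour, role), the score maps to allow / step-up / block, and a verified step-up feeds back into the profile so the policy is not static. The weights, thresholds, fictional user and TEST-NET addresses are constructed assumptions, not figures from the post.

```python
"""Adaptive authentication: scoring a login attempt and choosing an action.

Added illustration, not CodeHunter's code or any bank's production engine.
The risk weights, tier thresholds and sample profile/attempts are constructed
for this example (assumptions, not figures from the post).
"""
from dataclasses import dataclass, field

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Constructed weights: how much each risk signal adds to the score.
WEIGHT_UNKNOWN_DEVICE = 40
WEIGHT_UNUSUAL_COUNTRY = 35
WEIGHT_NEW_IP = 10
WEIGHT_OFF_HOURS = 10
WEIGHT_PRIVILEGED_ROLE = 15
PRIVILEGED_ROLES = {"admin", "treasury"}

# Constructed thresholds for the three tiers the post describes.
STEP_UP_THRESHOLD = 30   # medium risk: ask the user to verify further
BLOCK_THRESHOLD = 70     # high risk: refuse the attempt


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    ip: str
    role: str
    hour: int            # local hour of day, 0-23


@dataclass
class UserProfile:
    """What has been observed for this user so far; updated after each
    successful, verified login so the policy is never static."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_ips: set = field(default_factory=set)
    usual_hours: range = range(6, 23)


def risk_score(attempt: LoginAttempt, profile: UserProfile):
    """Return (score, reasons) for one attempt against the user's history."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append("unusual country")
    if attempt.ip not in profile.usual_ips:
        score += WEIGHT_NEW_IP
        reasons.append("new IP address")
    if attempt.hour not in profile.usual_hours:
        score += WEIGHT_OFF_HOURS
        reasons.append("off-hours login")
    if attempt.role in PRIVILEGED_ROLES:
        score += WEIGHT_PRIVILEGED_ROLE
        reasons.append("privileged role")
    return score, reasons


def decide(score: int) -> str:
    """Map a score onto the three tiers."""
    if score >= BLOCK_THRESHOLD:
        return BLOCK
    if score >= STEP_UP_THRESHOLD:
        return STEP_UP
    return ALLOW


def evaluate(attempt: LoginAttempt, profile: UserProfile) -> dict:
    score, reasons = risk_score(attempt, profile)
    return {"score": score, "action": decide(score), "reasons": reasons}


def learn_from_verified_login(profile: UserProfile, attempt: LoginAttempt):
    """After a step-up verification succeeds, fold the new context into the
    profile so the same device/IP is low risk next time."""
    profile.known_devices.add(attempt.device_id)
    profile.usual_countries.add(attempt.country)
    profile.usual_ips.add(attempt.ip)


# Constructed sample data: fictional user, TEST-NET (RFC 5737) addresses.
def sample_profile() -> UserProfile:
    return UserProfile({"laptop-4f2a"}, {"US"}, {"203.0.113.5"})


SAMPLE_ATTEMPTS = [
    LoginAttempt("jdoe", "laptop-4f2a", "US", "203.0.113.5", "teller", 10),   # routine
    LoginAttempt("jdoe", "phone-9c10", "US", "198.51.100.7", "teller", 10),   # new phone
    LoginAttempt("jdoe", "unknown-01", "RO", "192.0.2.44", "admin", 3),       # everything off
]


def run_samples():
    """Actions for the three constructed attempts against a fresh profile."""
    profile = sample_profile()
    return [evaluate(a, profile)["action"] for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    profile = sample_profile()
    for a in SAMPLE_ATTEMPTS:
        print(a.device_id, a.country, evaluate(a, profile))
```

The additive weights are the simplest possible model; the point to take from the example is the feedback loop: a step-up that the user passes updates the profile, so the second attempt from the new phone scores zero the next time, while an unknown device from an unusual country at 3 a.m. on an admin account is refused outright rather than merely challenged.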

Protecting the assets of a bank’s account holders should be a financial institution’s top priority, and in today’s digital frontier, that means staying multiple steps ahead of cybercriminals.

Why Executives Should Play Cyber War Games

Make Sure You’re Prepared For Cyber Attacks

Just as the military uses simulated environments to prepare troops, forward-thinking cybersecurity teams stage mock security breaches to ensure they’re prepared for cyber attacks. Companies like Boeing, Lockheed Martin, and Raytheon Technologies use cyber war games as part of their security arsenal — a proactive measure to safeguard their data and their business.

As your business grows, so will the number of attacks you face. You know the adage: Cyberattacks are so common that it’s not a matter of whether a business will fall prey to one, but when. Here are our top five reasons why you should conduct cyber war games at your company.

1. Stand ready.

Cyber war games ensure your security professionals and extended team are ready for anything. Your proprietary data can be swaddled in encryptions and accessible only by a 2FA token, retina scan, and voice-activated password, but unless your company’s cybersecurity is constantly evolving, it’s only a matter of time before it’s breached. By participating in war games, tech professionals learn to think like an adversary and identify weaknesses in their own defenses before hackers can.

2. Learn the ways of your adversaries to defend your environment.

Cyber war games go beyond penetration testing in search of vulnerabilities — unsecured network ports, data in transit, and externally facing programs sharing too much information. Modeled after real-life hacking techniques, from phishing to cross-site scripting, they’re designed to test even the most savvy security team’s agility and decision-making skills. Furthermore, they help the security team better understand each angle of an attack, anticipate new ones, and rapidly devise go-to countermeasures. NATO’s yearly cyber war game, Locked Shields, imagines a fictional country on the defensive. Targets may include anything from the civilian to the military — think water treatment facilities, energy plants, and military installations — and the rules, based on actual law, force participants to navigate the legal repercussions of their actions. Put into this context, it’s easier to see yourself as the protector of sensitive systems and information.

3. Know the risks of being ill-prepared.

Attacks have consequences. A data breach can cost millions of dollars, lose client trust and business, and lead to legal repercussions. If protected personal information (PPI) is stolen, organizations may face not only government fines but also legal action such as class action lawsuits — not to mention the gauntlet of public ridicule. Social media platforms have certainly taken heat this year: Facebook alone suffered a breach that exposed 533 million users’ information and is now facing potentially billions of dollars in lawsuits — and that’s on top of the PR nightmare.

4. Improve security culture.

If a security team is in the habit of setting and forgetting defensive measures, they’re leaving their company exposed and liable to collapse under a cyberattack. The best defense against ever-evolving attacks is practice, and what better way to practice than to play against one another? As in chess, the player with the stronger and more flexible tactics will emerge the victor — and the entire team will learn from it.

5. Develop strategies to survive the next attack.

Many companies will struggle to survive a cyberattack. Part of a cyber war game should include fail-safes and backup plans. What happens if the enemy does breach the gates? A war game inspires players to contrive system resets, automatic updates and data backups, and countless other ways to mitigate the potential effects of a cyberattack. Damage control is just as important as defense in surviving an attack.

Practicing how to defend against cyber attacks is an increasingly complex part of company security; wargaming keeps a security team’s minds open, reactions on-point, and strategies creative — and, most importantly, one step ahead.