Monday, April 28, 2014

Hacking the hospital: medical devices have terrible default security


Scott Erven is head of information security for a healthcare provider called Essentia Health, and his Friday presentation at Chicago's Thotcon, "Just What The Doctor Ordered?" is a terrifying tour through the disastrous state of medical device security.
Wired's Kim Zetter summarizes Erven's research, which ranges from the security of implanted insulin pumps and defibrillators to surgical robots and MRIs. Erven and his team discovered that hospitals are full of fundamentally insecure devices, and that these insecurities are not the result of obscure bugs buried deep in a codebase (as was the case with the disastrous Heartbleed vulnerability), but rather incredibly stupid, incredibly easy to discover mistakes, such as hardcoded or trivially guessable default passwords. For example: surgical robots have their own internal firewall. If you run a vulnerability scanner against that firewall, it just crashes, and leaves the robot wide open.
The backups for image repositories for X-rays and other scanning equipment have no passwords. Drug pumps can be reprogrammed over the Internet with ease. Defibrillators can be made to deliver shocks -- or to withhold them when needed. Doctors' instructions to administer therapies can be intercepted and replayed, adding them to other patients' records. You can turn off the blood fridge, crash life-support equipment and reset it to factory defaults. The devices themselves are all reachable from the whole hospital network, so once you compromise an employee's laptop with a trojan, you can roam free. You can change CT scanner parameters and cause them to over-irradiate patients.
The one bright spot is that anaesthesia and ventilators are not generally networked and are more secure.
Some of the most disturbing problems they found involved infusion pumps, ICDs (implantable cardioverter defibrillators that deliver shocks to a patient who shows signs of going into cardiac arrest) and CT scanners. They found a number of infusion pumps that have a web administration interface for nurses to change drug dosage levels from their workstations. Some of the systems are not password-protected, while others have hardcoded passwords that are weak and universal to all customers.
With the CT scan, they could alter configuration files and change radiation exposure limits that set the amount of radiation patients receive.
Though targeted attacks would be difficult to pull off in most cases they examined, since hackers would need to have additional knowledge about the systems and the patients hooked up to them, Erven says random attacks causing collateral damage would be fairly easy to pull off.
That’s not the case with implantable defibrillators, however, which could be targeted.
“We found a couple of defibrillator vendors that use a Bluetooth stack for writing configurations and doing test shocks [against the patient] when they’re implanted or after surgery,” he says. “They have default and weak passwords to the Bluetooth stack so you can connect to the devices. It’s a simple password like an iPhone PIN that you could guess very quickly.”
It’s Insanely Easy to Hack Hospital Equipment [Kim Zetter/Wired]
(Image: A Sailor simulates the computed tomography head scanner, US Navy/CC-BY)
ALAMOGORDO, NM—When a film crew, a dig crew, and dozens of fans and journalists showed up at a decades-old desert landfill in New Mexico on Saturday, no one was certain what to expect. The crowd was hoping to confirm a story that made its way into gaming legend: that Atari dumped thousands, perhaps millions, of E.T. (and perhaps other) cartridges in this particular landfill back in 1983 at the height of the Video Game Crash.
While the excavation crew was digging down into the 1983 layer of the landfill, Ars got a chance to talk to E.T. programmer Howard Scott Warshaw, who was milling about, talking to fans and press. Warshaw famously claimed that the legend of E.T. cartridge burials was fake. Today, he's a licensed psychotherapist in California and says he aims to help people in high-tech circles work through their problems.
Perhaps that big-picture view of the industry is what helps him put the legends of E.T. into perspective. "It would be pretty to think that E.T. really was the downfall of the industry and that I, as a programmer, over the course of five weeks, was able to topple a billion-dollar industry. But I also have a degree in economics," Warshaw told Ars yesterday.
Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site.
In an alert posted on Saturday, Microsoft said it is aware of  “limited, targeted attacks” against the vulnerability (CVE-2014-1776) so far.
Microsoft’s security advisory credits security firm FireEye with discovering the attack. In its own advisory, FireEye says the exploit currently is targeting IE9 through IE11 (although the weakness also is present in all earlier versions of IE going back to IE6), and that it leverages a well-known Flash exploitation technique to bypass security protections on Windows.
Microsoft has not yet issued a stopgap “Fix-It” solution for this vulnerability. For now, it is urging IE users to download and install its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help beef up security on Windows. Microsoft notes that EMET 3.0 doesn’t mitigate this attack, and that affected users should instead rely on EMET 4.1. I’ve reviewed the basics of EMET here. The latest versions of EMET are available here.
According to information shared by FireEye, the exploit also can be blocked by running Internet Explorer in “Enhanced Protected Mode” configuration and 64-bit process mode, which is available for IE10 and IE11 in the Internet Options settings as shown in the graphic above.
This is the first of many zero-day attacks and vulnerabilities that will never be fixed for Windows XP users. Microsoft last month shipped its final set of updates for XP. Unfortunately, many of the exploit mitigation techniques that EMET brings do not work in XP.

Tuesday, April 22, 2014

Atari landfill in New Mexico to be dug up on Saturday; Ars will be on scene

One reporter stares into the hellmouth of the 1983 video game crash.

The site in Alamogordo, New Mexico, where Atari is rumored to have buried some 3.5 million copies of the video game cartridge E.T. the Extra-Terrestrial is set to be dug up this Saturday.
Never wanting to miss an excavation, we've packed our bags, cashed in our frequent flyer miles, and booked our budget motel room to be on the scene when whatever is down there is dredged up—be it hunks of plastic housing and cartridge chips or distilled evil sent to us by a superior alien race and hidden by the ghost warriors employed by Atari, which was really a front for a supernatural crime-fighting ring all along.
Fuel Entertainment Studios secured the rights to dig up the landfill with the help of local garbage contractor Joe Lewandowski, who told a TV news station that he witnessed the Atari dump in question back in 1983. Fuel then asked Microsoft's Xbox Entertainment Studios to help it make a documentary on Atari, which will be directed by Simon Chinn and produced by Jonathan Chinn.
The city of Alamogordo just recently gave the OK for the dig to proceed.
So what's the likelihood that we'll find something down there once the cement poured over the landfill has been removed and the pit is dug up? Several prominent Atari employees have denied that millions of E.T. games were buried at Alamogordo, but it seems certain that anywhere from nine to 20 trucks dumped parts from an Atari factory in nearby El Paso, Texas, into the New Mexico landfill in 1983. Still, whether those parts are intact cartridges or just cruft from a factory in transition is a mystery until we see them.
This weekend, former Atari employee and E.T. programmer Howard Scott Warshaw will be on the scene, along with a number of Hollywood-types who will be filming the dig and a team of archaeologists who will sift through whatever the dig contractors find down there. Fans are invited to come down as well, so if you live in the area, drop by and say hi!
In any case, we'll be there to bring you pictures and stories of the unfolding mystery.
Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.
The disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.
The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.
“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.
The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.
According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.
The company’s statement says the attack on Michaels targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”
“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”
Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.
“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.”
This incident marks the second time in three years that Michaels Stores has wrestled with a widespread compromise of its payment card systems. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.
Michaels says that while the Company has received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services through AllClear ID to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. Details of the services and additional information related to the ongoing investigation are available on the Michaels and Aaron Brothers websites at www.michaels.com and www.aaronbrothers.com.
Incidentally, credit monitoring services will do nothing to protect consumers from fraud on existing financial accounts — such as credit and debit cards — and they’re not great at stopping new account fraud committed in your name. The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.
As I noted in a recent story about the credit monitoring industry, the offering of these services has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud). For more information about the limitations of credit monitoring services and more proactive steps that you can take to better protect your identity and credit file, check out this story.

How Heartbleed transformed HTTPS security into the stuff of absurdist theater

Certificate revocation checking in browsers is "useless," crypto guru warns.

If you want to protect yourself against the 500,000 or so HTTPS certificates that may have been compromised by the catastrophic Heartbleed bug, don't count on the revocation mechanism built into your browser. It doesn't do what its creators designed it to do, and switching it on makes you no more secure than leaving it off, one of the Internet's most respected cryptography engineers said over the weekend.
For years, people have characterized the ineffectiveness of the online certificate status protocol (OCSP) as Exhibit A in the case that the Internet's secure sockets layer (SSL) and transport layer security (TLS) protocols are hopelessly broken. Until now, no one paid much attention. The disclosure two weeks ago of the so-called Heartbleed bug in the widely used OpenSSL cryptography library has since transformed the critical shortcoming into a major problem, the stuff of absurdist theater. Security experts admonish administrators of all previously vulnerable websites to revoke and reissue TLS certificates, even as they warn that revocation checks in browsers do little to make end users safer and could indeed weaken the security and reliability of the Internet if they were made more effective.
Certificate revocation is the process of a browser or other application performing an online lookup to confirm that a TLS certificate hasn't been revoked. The futility of certificate revocation was most recently discussed in a blog post published Saturday by Adam Langley, an engineer who was writing on his own behalf but who also handles important cryptography and security issues at Google. In the post, Langley recites a litany of technical considerations that have long prevented real-time online certificate revocations from thwarting attackers armed with compromised certificates, even when the digital credentials have been recalled. Some of the considerations include:
  • Attacks that use compromised or fraudulently issued TLS certificates more often than not are premised on the hacker's ability to intercept traffic passing between the target and the open Internet. OCSP responses are signed by the certificate authority, so an attacker in that position can't forge a "good" answer, but doesn't need to: the attacker simply blocks the browser's OCSP query, and because browsers proceed when no answer arrives (see the "soft fail" point below), the connection is established even though the real OCSP server, if the victim could reach it, would report the certificate as revoked.
  • Even in cases of domain name system hijacking and other hacks that allow attackers to intercept only traffic from a specific site, attackers can often thwart OCSP by replaying a genuine, signed "good" response that the OCSP server issued earlier for the targeted certificate: such responses carry a validity window of days, so a cached copy keeps verifying until it expires, even after the certificate has been revoked. What's more, if attackers have hijacked a website, there's a good chance they can use that control to trick a recognized certificate authority into issuing a TLS certificate for it.
  • Most crucially, virtually all websites and browser makers prefer certificate revocations to work with what security engineers call a soft error, or "soft fail", rather than a "hard fail." A soft fail permits an HTTPS connection to be established even if the OCSP server isn't currently available to confirm a certificate's validity, whereas a hard fail would reject the connection. The reason for the soft fail default is that the Internet isn't reliable enough to guarantee OCSP servers are always available. If end users visiting PayPal, Amazon, or countless other websites get hung up waiting for OCSP checks, frustration on an unprecedented scale would almost certainly ensue. What's more, switching to a hard fail mechanism would give miscreants waging denial of service attacks a potent new weapon for taking down huge swaths of the Internet. Rather than overwhelm the sites themselves, the attackers would only need to target the much smaller pool of OCSP servers that validate the sites' certificates.
"That's why I claim that revocation checking is useless—because it doesn't stop attacks," Langley wrote. "Turning it on does nothing but slow things down. You can tell when something is security theater because you need some absurdly specific situation in order for it to be useful."
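The three failure modes in the list above, run as code. This is an added illustration written for this page, not code from Langley, Chrome or the article: a toy OCSP responder and client in which an HMAC with a placeholder key stands in for the CA's signature (real OCSP responses are ASN.1 and RSA/ECDSA-signed, but the validity-window check and the soft-fail decision are the same). The serial, timestamps and 7-day validity window are constructed for the demonstration.

```python
"""Toy model of browser OCSP checking: soft-fail vs. hard-fail, and why a
blocked query or a replayed 'good' response defeats revocation.

Added illustration for this page, not code from the article, from
Adam Langley or from Chrome. CA_KEY is a placeholder: an HMAC stands in
for the responder's signature so the block runs offline.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

CA_KEY = b"placeholder-ca-signing-key"   # stand-in for the responder's private key
DAY = 86400


def sign_response(serial: str, status: str, this_update: int, next_update: int) -> bytes:
    """Responder side: emit a signed status for one certificate serial."""
    body = json.dumps({"serial": serial, "status": status,
                       "thisUpdate": this_update, "nextUpdate": next_update},
                      sort_keys=True).encode()
    tag = hmac.new(CA_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify_response(resp: bytes, serial: str, now: int) -> Optional[str]:
    """Client side: return 'good'/'revoked' if the response is authentic,
    is for this serial and is inside its validity window; otherwise None."""
    body, _, tag = resp.rpartition(b"|")
    expected = hmac.new(CA_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None                       # forged or tampered response
    fields = json.loads(body)
    if fields["serial"] != serial:
        return None                       # response for some other cert
    if not fields["thisUpdate"] <= now <= fields["nextUpdate"]:
        return None                       # outside the validity window
    return fields["status"]


def accept_certificate(serial: str, now: int,
                       fetch: Callable[[str], Optional[bytes]],
                       hard_fail: bool = False) -> bool:
    """Browser decision. `fetch` models the network: it returns the OCSP
    response bytes, or None when the responder is unreachable or blocked."""
    resp = fetch(serial)
    if resp is None:
        # No answer. Soft-fail (the browser default) proceeds anyway;
        # hard-fail rejects, which is also what a DoS on the responder causes.
        return not hard_fail
    status = verify_response(resp, serial, now)
    if status is None:
        return False                      # unverifiable response: reject
    return status == "good"


def scenarios() -> Dict[str, bool]:
    """The situations from the article, run against one revoked certificate."""
    serial = "0x1234"                     # constructed serial
    t0 = 1_700_000_000                    # moment a 'good' response was issued
    now = t0 + 1 * DAY                    # the attack happens a day later;
                                          # the cert was revoked in between

    def honest(_serial):                  # what the real responder says now
        return sign_response(serial, "revoked", now, now + 7 * DAY)

    def blocked(_serial):                 # a MITM drops the OCSP query
        return None

    # A replay: the attacker captured the 'good' response at t0, valid 7 days.
    cached_good = sign_response(serial, "good", t0, t0 + 7 * DAY)

    def replay(_serial):
        return cached_good

    # A forged response: one signature character changed.
    last = cached_good[-1:]
    forged = cached_good[:-1] + (b"0" if last != b"0" else b"1")

    return {
        "honest_responder": accept_certificate(serial, now, honest),
        "blocked_soft_fail": accept_certificate(serial, now, blocked),
        "blocked_hard_fail": accept_certificate(serial, now, blocked, hard_fail=True),
        "replay_soft_fail": accept_certificate(serial, now, replay),
        "replay_hard_fail": accept_certificate(serial, now, replay, hard_fail=True),
        "forged_response": accept_certificate(serial, now, lambda _s: forged),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:20s} -> {'ACCEPT' if accepted else 'REJECT'}")
```

Only the honest responder and the forged response get the certificate rejected. Blocking the query wins under the soft-fail default, and the replayed response wins under both modes, because it is a genuine signature inside a genuine validity window: the signature check is doing its job, and revocation still fails. That is the gap stapling with a short validity window (OCSP Must Staple) is meant to close.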
Langley's blog post helps explain why Google Chrome by default doesn't have online revocation enabled. In the aftermath of Heartbleed, many people have counseled turning it on. That's because the OpenSSL bug allows attackers to pluck passwords, authentication cookies, and even private encryption keys out of the computer memory of vulnerable servers. In many cases, there is no way to know if the two-year-old flaw has been exploited. As a result, security experts have counseled people administering vulnerable websites to assume the key bound to their old TLS certificate is compromised. That has meant getting a new certificate and revoking the old one.
Online certificate checking is the mechanism many have assumed would prevent end users from trusting revoked credentials. Certificate revocation by sites remains a good idea, but in light of this weekend's post, end users shouldn't assume OCSP will do much to flag old compromised keys that may be presented by attackers.
Langley said as an alternative to online revocation checking, Chrome developers instead compile daily lists of revocations for high-value sites and deliver that certificate revocation list to end users as a normal browser update. This CRLSet, as it's called at Google, is useful for containing damage resulting from hacks such as the 2011 compromise of Dutch certificate authority DigiNotar, which allowed attackers to mint fraudulent TLS credentials for Google and a relatively small number of other high-value sites. Alas, CRLSet will do little or nothing to protect users against the huge number of certificates potentially compromised by Heartbleed. Web services firm Netcraft estimates the bug may have exposed as many as 500,000 certificates.
The Heartbleed debacle is by no means the first event to underscore the inadequacy of current TLS revocation. A variety of researchers have proposed alternatives. One such fix, devised by cryptography experts Moxie Marlinspike and Trevor Perrin, is known as TACK. Another one was created by a developer from Red Hat and is dubbed Mutually Endorsing CA Infrastructure. Langley, meanwhile, pointed to a proposal called OCSP Must Staple.
Those proposals and several others like them have largely languished. If there's a silver lining to Heartbleed, it may be that it provides the catalyst the world's engineers need to finally fix one of the Internet's biggest security holes.
Security researchers have uncovered an active malware campaign in the wild that steals the Apple ID credentials from jailbroken iPhones and iPads.
News of the malware, dubbed "unflod" based on the name of a library that's installed on infected devices, first surfaced late last week on a pair of reddit threads here and here. In the posts, readers reported their jailbroken iOS devices recently started experiencing repeated crashes, often after installing jailbroken-specific customizations known as tweaks that were not a part of the official Cydia market, which acts as an alternative to Apple's App Store.
Since then, security researcher Stefan Esser has performed what's called a static analysis on the binary code that the reddit users isolated on compromised devices. In a blog post reporting the results, he said unflod hooks into the SSLWrite function of an infected device's security framework. It then scans it for strings accompanying the Apple ID and password that's transmitted to Apple servers. When the credentials are found, they're transmitted to attacker-controlled servers.

Tuesday, April 15, 2014

The heavily marketed fingerprint sensor in Samsung's new Galaxy S5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset.
The hack, by researchers at Germany's Security Research Labs, is the latest to show the drawbacks of using fingerprints, iris scans, and other physical characteristics to authenticate an owner's identity to a computing device. While advocates promote biometrics as a safer and easier alternative to passwords, that information is leaked every time a person shops, rides a bus, or eats at a restaurant, giving attackers plenty of opportunity to steal and reuse it. This new exploit comes seven months after a separate team of whitehat hackers bypassed Apple's Touch ID fingerprint scanner less than 48 hours after it first became available.
"We expected we'd be able to spoof the S5's Finger Scanner, but I hoped it would at least be a challenge," Ben Schlabs, a researcher at SRLabs, wrote in an e-mail to Ars. "The S5 Finger Scanner feature offers nothing new except — because of the way it is implemented in this Android device — slightly higher risk than that already posed by previous devices."

Monday, April 14, 2014

The catastrophic Heartbleed security bug that has already bitten Yahoo Mail, the Canada Revenue Agency, and other public websites also poses a formidable threat to end-user applications and devices, including millions of Android handsets, security researchers warned.
Handsets running version 4.1.1 of Google's mobile operating system are vulnerable to attacks that might pluck passwords, the contents of personal messages, and other private information out of device memory, a Google official warned on Friday. Marc Rogers, principal security researcher at Lookout Mobile, a provider of antimalware software for Android phones, said some versions of Android 4.2.2 that have been customized by the carriers or hardware manufacturers have also been found to be susceptible. Rogers said other releases may contain the critical Heartbleed flaw as well. Officials with BlackBerry have warned the company's messenger app for iOS, Mac OS X, Android, and Windows contains the critical defect and have released an update to correct it.
The good news, according to researchers at security firm Symantec, is that major browsers don't rely on the OpenSSL cryptographic library to implement HTTPS cryptographic protections. That means people using a PC to browse websites should be immune to attacks that allow malicious servers to extract data from an end user's computer memory. Users of smartphones, and possibly those using routers and "Internet of things" appliances, aren't necessarily as safe.

Update: IRS misses XP deadline, will spend $30M to upgrade remaining PCs

Tax collector says it will pay Microsoft 'less than $500,000' for after-retirement XP patches

Gregg Keizer
 
April 11, 2014 (Computerworld)
The U.S. Internal Revenue Service (IRS) acknowledged last week that it missed the April 8 cut-off for Windows XP support and will be paying Microsoft for an extra year of security patches.
But the tax agency disputed an earlier estimate by Computerworld that put the cost of those patches in the millions, saying that it was paying Microsoft "less than $500,000" for the after-retirement support.
Microsoft terminated Windows XP support on Tuesday when it shipped the final public patches for the nearly-13-year-old operating system. Without patches for vulnerabilities discovered in the future, XP systems will be at risk from cyber criminals who hijack the machines and plant malware on them.
During an IRS budget hearing on April 7 before the House Financial Services and General Government subcommittee, the chairman, Rep. Ander Crenshaw (R-Fla.) wondered why the agency had not wrapped up its Windows XP-to-Windows 7 move.
"Now we find out that you've been struggling to come up with $30 million to finish migrating to Windows 7, even though Microsoft announced in 2008 that it would stop supporting Windows XP past 2014," Crenshaw said at the hearing. "I know you probably wish you'd already done that."
According to the IRS, it has approximately 110,000 Windows-powered desktops and notebooks. Of those, 52,000, or about 47%, have been upgraded to Windows 7. The remainder continue to run the now retired XP.
John Koskinen, the commissioner of the IRS, defended the unfinished migration at the hearing, saying that his agency had $300 million worth of IT improvements on hold because of budget issues. One of those was the XP-to-7 migration.
"You're exactly right," Koskinen said of Crenshaw's point that everyone had fair warning of XP's retirement. "It's been some time where people knew Windows XP was going to disappear."
But he stressed that the migration had to continue. "Windows XP will no longer be serviced, so we are very concerned if we don't complete that work we're going to have an unstable environment in terms of security," Koskinen said.
Koskinen concurred with Crenshaw's $30 million figure as the cost for upgrading the IRS's remaining Windows XP systems. The money will be taken from the agency's enforcement budget.
Part of that $30 million will be payment to Microsoft for what the Redmond, Wash., developer calls "Custom Support," a program that provides patches for critical vulnerabilities in a retired operating system.
Earlier this year, analysts said Microsoft had dramatically raised prices for Custom Support, which previously had been capped at $200,000 per customer for the first year. Instead, Microsoft negotiates each contract separately, asking for an average of $200 per PC for the first year of Custom Support, those analysts said.
Using that average -- and the number of PCs the IRS admitted were still running XP --Computerworld estimated that the IRS would pay Microsoft $11.6 million for one year of Custom Support.
Late Friday, however, the IRS disputed that estimate. An agency source said that the IRS was paying Microsoft less than $500,000 for Custom Support on its remaining 58,000 Windows XP PCs, or about $9 each. According to the source, the exact figure will be disclosed at a later date.
The $30 million total will cover not only the Custom Support, but also new PCs when necessary and labor costs to complete the migration.
The IRS isn't the only government agency that has acknowledged paying for post-retirement XP support. The U.K. government, for example, has paid Microsoft more than £5.5 million (approximately $9.2 million) for Windows XP, Office 2003 and Exchange 2003 patches for the next 12 months that will be applied to a much larger number of PCs nationwide.
In a follow-up statement Friday, the IRS said that its XP problem does not extend to the systems that handle tax filings by individuals and companies.
"None of our filing season systems or other major business operating systems for taxpayers use Windows XP," an IRS spokesperson said Friday. "The IRS emphasizes the situation involving Windows will have no impact on taxpayers, including people filing their tax returns in advance of the April 15 deadline."
In other words, the IRS will not let taxpayers use the XP situation as an excuse not to meet Tuesday's filing deadline.
"The IRS ... is working to complete the updates [to Windows 7] by the end of calendar year 2014," the spokesperson added.
The agency, like most businesses and organizations, will face the same situation in less than six years: Microsoft plans to pull the patch plug on Windows 7 in mid-January 2020.

Why businesses can’t rely just on the cloud

Tech Page One » IT Security by Michael O'Dwyer
Cloud-based computer systems offer a lot of advantages for businesses. They can reduce costs, free up information technology resources and back up data in a secure but easily recoverable way.
But because the cloud operates entirely via the Internet, it has one major drawback: Businesses can only function if they’re online.
Jennifer Walzer, CEO of BUMI, says it’s critical to select a cloud service provider who specializes in backup and recovery, proactively monitoring your backup environment around the clock.
“The downside to cloud backup is that it is dependent on the availability of an Internet connection, which could be detrimental if data needs to be accessed for a restore,” says Jennifer Walzer, chief executive officer of BUMI, a New York City-based provider of managed online backup and recovery solutions for small to mid-sized businesses.
For that reason, businesses should consider a hybrid strategy where they take advantage of the cloud but also have on-site access to critical data.
‘Ideal backup strategy’
“The key requirements for an ideal backup strategy must integrate a hybrid approach that includes local, on-premise storage or appliances coupled with an off-site cloud solution that supports incremental file backup and archiving,” Walzer says. “Legislative and compliance concerns will also dictate third-party certifications, encryption and rules on how data are stored.”
Cloud backup and recovery services are still essential in case businesses endure fire, floods or other problems.
“The primary [advantage] of cloud backup is the safety and security of having your data replicated and stored in an off-site facility so it is impervious to any on-premise technical glitch, downtime, natural disaster or other outage,” says Walzer.
Cloud solutions also provide tangible benefits to users of portable devices.
“Mobile users can back up their devices without needing to be plugged into the corporate [local area network],” says Mounil Patel, vice president, strategic field engagement at Mimecast, a Watertown, Mass.-based provider of cloud-based business solutions.
Recovery takes time
But relying on the Internet alone to run your business has its own risks. If something goes wrong, for example, it may take awhile to recover all your data.
“Remember, restoration time is critical to getting your business back up and running again, so copying gigabytes of data back across your Internet connection may not be as efficient as being able to courier a portable hard disk from a data center,” says Sonia Cuff, owner of Computer Troubleshooters Aspley, a Brisbane, Australia-based company that provides technology advice and support to small businesses.
That’s why it’s good to have local backup in addition to cloud storage.
“Companies with bandwidth constraints may have no choice but to go with an on-premise solution,” says Mimecast’s Patel.
Businesses also need to select the right cloud provider, since some are better than others and companies may have specific needs for security, backup and recovery.
Thorough evaluation
“Before engaging with a cloud solution vendor, organizations must conduct a thorough evaluation of the company they plan to utilize,” says BUMI’s Walzer. “Privacy, financial health, data center security measures and security concerns must be carefully vetted to ensure your data are safeguarded.”
And make sure you choose a cloud provider who can get you back up and running quickly.
“It is a certainty that your data will need to be restored when a failure or outage occurs, so it is critical to select a vendor who specializes in backup and recovery,” says Walzer.
Mimecast’s Patel believes there are several criteria for picking the right provider.
“The most obvious items to look for in a cloud-based solution provider are high service availability service level agreements (SLAs), strong security and access control, scalability and performance, and company stability,” he says.
Another important thing to consider is what happens if you decide to change providers.
The ‘exit clause’
“A less obvious item that is often overlooked is the exit clause,” says Patel. “How do you get your data back if you leave the vendor’s service? The best cloud vendors do not hold their customers’ data hostage as a retention strategy.”
Businesses also should be aware that backing up data is different from synchronizing: a sync mirrors the current state of the original files, so any corruption of those files is replicated to the copy. A backup is an independent copy taken on a predefined schedule, so earlier versions survive a later change.
“Many businesses think that just ‘syncing’ their data to the cloud provides them with an effective backup,” Computer Troubleshooters’ Cuff says.
“The truth is that file synchronization by itself puts your cloud data at risk of corruption,” Cuff adds. “It just takes one virus or malware infection on your computer for your files to become unreadable. And when those file changes upload to the cloud, your backup copy is useless too. Unfortunately we’ve seen this happen on more than one occasion.”
“Ideally, you want to use reputable backup software to manage data copies to the cloud,” she continues. “This way, you’ll have more control over synchronization and versioning of your files.”
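The difference Cuff describes, as an added example that is not part of the article and not code from any of the vendors quoted: a plain sync mirror beside a scheduled, versioned backup with a content-hash manifest. In-memory dictionaries stand in for the local directory and the cloud copy, and the sample files, the damaged bytes and the `looks_like_text` health check are all constructed for the demonstration. The point it makes beyond the quote is that hash verification alone is not enough: the damaged snapshot verifies perfectly, because the backup faithfully stored what it was given, so recovery needs retained versions plus a check on the restored content.

```python
import hashlib

# Constructed sample "workstation" files; an in-memory dict stands in for a directory tree.
SAMPLE_FILES = {
    "invoices.csv": b"invoice_id,amount\n1001,250.00\n1002,99.50\n",
    "notes.txt": b"Call the supplier on Monday.\n",
}
# Constructed stand-in for a file left unreadable by malware: 0xFF is never valid UTF-8.
DAMAGED_BYTES = b"\xff\xfe\x93\x10\x7a\xc4" * 6


def looks_like_text(name, data):
    """Constructed health check: these files are expected to be readable UTF-8 text."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


class SyncMirror:
    """File synchronisation: the cloud copy always equals the current local state."""

    def __init__(self):
        self.files = {}

    def sync(self, source):
        # Every local change, good or bad, replaces the remote copy; no history is kept.
        self.files = dict(source)

    def restore(self):
        return dict(self.files)


class VersionedBackup:
    """Scheduled, independent snapshots over a content-addressed store with hash manifests."""

    def __init__(self):
        self.snapshots = []  # each entry: {"taken_at": str, "manifest": {name: sha256 hex}}
        self.blobs = {}      # sha256 hex digest -> bytes; existing blobs are never overwritten

    def run_backup(self, source, taken_at):
        manifest = {}
        for name, data in source.items():
            digest = hashlib.sha256(data).hexdigest()
            self.blobs.setdefault(digest, data)   # a new version gets a new blob, old ones stay
            manifest[name] = digest
        self.snapshots.append({"taken_at": taken_at, "manifest": manifest})
        return len(self.snapshots) - 1

    def verify(self, index):
        # Detects tampering or bit rot inside the backup store itself, not bad input.
        manifest = self.snapshots[index]["manifest"]
        return all(hashlib.sha256(self.blobs[d]).hexdigest() == d for d in manifest.values())

    def restore(self, index):
        manifest = self.snapshots[index]["manifest"]
        return {name: self.blobs[d] for name, d in manifest.items()}

    def latest_good(self, is_healthy):
        # Walk back from the newest snapshot to the newest one whose files all pass the health check.
        for index in range(len(self.snapshots) - 1, -1, -1):
            files = self.restore(index)
            if self.verify(index) and all(is_healthy(n, d) for n, d in files.items()):
                return index
        return None


def run_scenario():
    source = dict(SAMPLE_FILES)
    mirror, backup = SyncMirror(), VersionedBackup()

    # Day one: everything is healthy; both copies are taken.
    mirror.sync(source)
    backup.run_backup(source, "2014-04-28T02:00:00Z")

    # Day two: the local spreadsheet has been overwritten with unreadable bytes.
    source["invoices.csv"] = DAMAGED_BYTES
    mirror.sync(source)                                   # the damage propagates to the cloud copy
    backup.run_backup(source, "2014-04-29T02:00:00Z")     # the damage is captured, but day one survives

    good = backup.latest_good(looks_like_text)
    return {
        "mirror_invoices_readable": looks_like_text("invoices.csv", mirror.restore()["invoices.csv"]),
        "snapshots_kept": len(backup.snapshots),
        "newest_snapshot_intact": backup.verify(1),       # hashes match: the store is fine, the data is not
        "latest_good_snapshot": good,
        "restored_invoices": backup.restore(good)["invoices.csv"],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

Running `run_scenario()` shows the mirror's copy of `invoices.csv` is unreadable after the second sync, while the versioned backup still holds two snapshots and restores the day-one file from snapshot 0. The content-addressed store also means an unchanged file costs no extra space across snapshots, which is what makes scheduled incremental backups affordable.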
Above all, have more than one backup for your important data.
“Your cloud backup should also be just one piece in your disaster recovery strategy, giving you fast access to working files while you arrange for full access to your software backup ‘images’ to restore entire systems,” Cuff says.
The post Why businesses can’t rely just on the cloud appeared first on Tech Page One.

Teaching employees about cybersecurity

How businesses can educate workers about cyber risks and threats

Today’s cyberthreats are complex and constantly evolving, and all businesses are potential targets. That’s why teaching employees about cybersecurity is becoming a priority for many organizations.
“Anyone in the business — from accounting to sales to senior management — who touches a computer, or interacts with systems on the company’s network, should have some basic cybersecurity education,” says Seth Hanford, manager of the Threat Research, Analysis, and Communications (TRAC) – Outreach team at networking provider, Cisco Systems, Inc. “Cybersecurity is everyone’s problem and responsibility.”
Ernest McDuffie of NIST says management needs to coordinate with the IT department to ensure cybersecurity education is aligned with company goals.
But where do you find someone to teach your employees? First, you have to determine what kind of security your business needs, says Ernest McDuffie, Ph.D., lead of the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology (NIST).
“Management needs to coordinate with the IT department to ensure cybersecurity education for the workforce is aligned with the goals of the company,” he says. “What is our mission? How does technology support that? What does our infrastructure look like? Where does it need to be? These are the types of questions that can help businesses assess not only where cybersecurity skills gaps are in their workforce today, but also where they’re likely to emerge in the future.”

Partnering with academia

McDuffie suggests that once organizations figure out their needs, they look to people they already know to provide training. That would include the IT service providers that supplied the company’s core technology as well as risk consultants who are advising the business. Academia is the next stop, McDuffie says, and it offers benefits beyond helping employees learn cybersecurity best practices.
“Establishing a tie between your business and one or more academic partners helps you to understand what cybersecurity skills today’s students are learning and where you sit as a business,” he explains. “It’s also a great way to build up a pool of talent specifically for your organization.”
McDuffie recommends looking to the Centers of Academic Excellence (CAE) in Information Assurance Education to find a university partner that has earned a CAE designation granted jointly by the National Security Agency and Department of Homeland Security.
University of Maryland University College (UMUC) is a CAE institution. It offers Cybersecurity Workforce Development and Training as part of its Corporate Learning Solutions program that serves employers in the private and nonprofit sectors, and in government. “We work with everyone from senior-level executives to network administrators and web developers,” says Jeff Tjiputra, academic director for Computer Networks and Security and Cybersecurity Programs at UMUC. “Employers come to us because they want to develop a new cybersecurity capability or expand one. The cybersecurity education they choose for their workforce is typically based on the strategic plan for the business.”
Tjiputra recommends that employers search for a university that attracts skilled faculty who have relevant industry experience. Employers also should take a flexible approach to classes that allows busy professionals to learn at their own pace, he says.

No one-size-fits-all

Hanford cautions employers against “cybersecurity boot camps” that attempt to cram a lot of information into a short course or classes that don’t provide hands-on training.
“Look for courses that offer a technical component — even for beginners,” he says. “Cybersecurity is complicated, and if an instructor isn’t requiring students to bring a laptop, or providing equipment, it’s a good indication they’re not going to impart a lot of deep or practical information to your employees.”
And just as there is no single solution to cyberthreats, there is no one-size-fits-all approach to education and training, says Steve Durbin, global vice president of the nonprofit risk management organization, Information Security Forum: “Cybersecurity education is about providing frameworks and guidelines that can be adapted by companies so they can grapple with cybersecurity and its implications for the business. The educator is the channel, the conduit for learning, and the coach who ensures appropriate adaptation of cybersecurity [best practices] to the needs of the business.”