The U.S. Department of Homeland Security on Tuesday announced the National Risk Management Center, part of a new effort to combat cyber threats to the nation.
The new agency’s mission will be to defend the U.S.’ critical infrastructure through greater cooperation between the public and private sectors.
The center will bring together government experts and industry partners to work out ways that the government can support the partners. The idea is to create a single point of access to all government resources that can be used to defend against cyberthreats.
“I occasionally still hear of companies and state and locals that call 911 when they believe they’ve been under a cyberattack,” said DHS Secretary Kirstjen M. Nielsen at a National Cybersecurity Summit held in New York City on Tuesday.
“The best thing to do will be to call this center,” she continued. The center will provide organizations under cyberattack with what they need to repel, mitigate and root out adversaries from their systems.
The center also will be a place for forging strategies against threats.
“Having the private sector with us will enable us to take a piece of threat data to determine what puzzle it belongs to and then to determine how to fit it into the puzzle,” Nielsen said.
Through that approach, “we can see the trend, we can see the thread, we can see the purpose, perhaps, of the attack, but certainly the implications and effects,” she explained.
“The private sector also knows its operational environment better than we will ever know in government,” added Nielsen, “so we will look to their expertise to help us to understand how the pieces fit together.”
The power of information sharing already has been seen in initiatives like the Cybersecurity Risk Information Sharing Program in the U.S. Department of Energy, Secretary Rick Perry noted in a panel discussion at the summit.
It was due to that close collaboration that the department was able to identify a very dramatic event last year about Russian intrusions into our energy systems, he observed.
“Had we not had this close working relationship with our private sector partners, it would most likely have gone unfounded,” he said.
Underpinning the creation of the National Risk Management Center is the recognition that cybersecurity defense is a team sport, observed Brad Medairy, a senior vice president at Booz Allen Hamilton, an international technology consulting company headquartered in McLean, Virginia.
“It requires a partnership of the whole of government and the whole of industry to address it,” he told TechNewsWorld.
The new center is an extension of capabilities the DHS has been developing to protect the nation’s critical infrastructure, noted James Barnett, head of the cybersecurity practice at Venable, a law firm in Washington, D.C.
“Secretary Nielsen would certainly want to announce this now with the recent revelation of Russian hackers into the controls of several American companies that make up the energy grid,” Barnett, a former Navy Rear Admiral, told TechNewsWorld.
The federal government already has an information-sharing center in place — the National Cybersecurity and Communications Integration Center — but the new center appears to be a different kind of animal.
“NCCIC has been more of a coordinating and information sharing effort — the government will collate and provide you with information to help yourself,” Barnett explained. “It sounds like NRMC is one step closer to a cyber firehouse, where DHS will actually provide direct assistance.”
One frequent complaint from the private sector is that the quality of information from the government is poor. The new center could change that.
“As conceived, NRMC will focus and organize the federal government’s efforts to provide the private sector operating critical infrastructure with actionable threat data,” Barnett said. “This would be more than just a malware warning or patch. It sounds like DHS is willing to provide deeper information on threats, to include supply chain threats.”
For validating the supply chain and procurement process, the center is an essential step forward, said Ray DeMeo, chief operating officer of Virsec, an applications security company in San Jose, California.
“This initiative wisely prioritizes actionable threat data, a critical gap in today’s Industrial Control System threat environment,” he told TechNewsWorld.
“Threat actors have a significant lead time ahead of responders — often weeks or months,” DeMeo pointed out. “With more actionable threat data, our human intervention can focus beyond immediate triage to higher-order efforts. Who are the attackers? What is their methodology?”
Public-private cybersecurity partnerships are nothing new, but the private sector may be coming to this latest vehicle with a different attitude.
“It’s recognizing that the threats are getting more sophisticated and more complex,” said Matt Olsen, president of IronNet Cybersecurity, a Fulton, Maryland, maker of a suite of cyber security technologies.
“There’s also a fundamental recognition that companies can’t go it alone against the most sophisticated threat actors out there, particularly nation-states like Russia and China,” Olsen, a former director of the National Counterterrorism Center, told TechNewsWorld.
In order for partnerships to work, the partners must trust each other. That’s proven to be a challenge in the cybersecurity arena in the past, and it could be a barrier to the new center gaining momentum.
“Will the center bring government and industry together to provide solutions, or is this going to be another layer of bureaucratic influence on industry?” wondered Emily Miller, director of national security and critical infrastructure programs at Mocana, a Sunnyvale, California-based company that focuses on embedded system security for industrial control systems and the Internet of Things.
“Is it going to come up with unfunded mandates? Is it going to create baselines that industry has to comply with that do not provide actual security? Those are the questions the industry is going to have in mind when they think about what is the goal of the National Risk Management Center,” Miller told TechNewsWorld.
Show Me the Money
Achieving private sector trust will be a challenge, acknowledged Venable’s Barnett.
However, “DHS has positioned itself in the cyberworld as a resource and facilitator, not a regulator. Establishing NRMC is a positive step in organizing the government’s assistance, if it is well resourced,” he noted.
“The success of the new effort will depend on whether the government is able to provide NRMC with the money, expertise and capacity to meet its objectives, and how well it is accepted by the critical infrastructure private sector,” Barnett said.
Everyone needs to be talking less and doing more to reduce cyber-risk, suggested Ed Cabrera, chief cyber security officer at Trend Micro, a Tokyo-based maker of enterprise cyber security solutions.
“We have been espousing the need for better public-private partnerships for the better part of 15 years, but we have failed to execute,” he told TechNewsWorld.
“The blame cannot be solely laid at the feet of government,” Cabrera said. “We in industry have our role and responsibility to work hand-in-hand with government and each other to eliminate cyber threats, and reduce technical and systemic vulnerabilities.”
Security Risks in a Technology-Driven World
Technology has certainly changed how the world works, influencing almost every aspect of modern life. But while modern technology undeniably brings a number of advantages across multiple sectors, it also has its share of downsides. The inter-connectivity that ties all devices and systems to the internet has invited malicious forces into the mix, exposing users and businesses to a wide range of threats. How do you stay safe and secure?
From the comforts of home (the tech in your home)
Your mobile phone’s alarm wakes you up in the morning, but you get up to check updates from your social media network. News and updates used to come via the morning paper and conversations over the phone. More than a decade later, scanning social media feeds is the new norm for a lot of people.
Home appliances like televisions and air conditioners can now be controlled using your phone via an app, and it is just one of the many examples of IoT technology reaching the market. Alexa, Amazon’s voice control system that powers the wireless speaker called Echo, allows users to search the Web, shop online, get weather reports, and control smart-home products without having to use a remote or phone. Reports say that over 24 million voice-enabled machines were shipped in 2017, and the growth shows no sign of stopping.
Meanwhile, other IoT-powered devices are designed to eliminate regular configuration or setting. Smart thermostats can automatically regulate temperature, while smart fridges are capable of informing users whenever supplies are low.
Out on the Road
When you leave home for work, the thought of commuting comes with a feeling of dread because of expected traffic and pollution. Modern transportation network companies like Uber and Lyft found a way to increase the per capita utility of a car, reduce congestion and carbon emission, and eliminate the need for parking spaces. The power of interconnectivity has provided car-sharing and car-pooling services an online platform that connects passengers to commercial drivers, which makes life more convenient for people who commute to work.
Smart traffic management already exists in some cities. Smart traffic management requires a centralized system to control traffic lights and sensors that regulate traffic throughout a city, optimizing traffic flow and reducing waiting time for pedestrians who want to cross streets.
At the workplace, biometric systems such as fingerprint scanners and facial recognition systems are being utilized for employee verification. Obscuring knowledge-based passwords to securely enter the office is just one of the many uses of biometric authentication. It’s also seeing increasing patronage among industries and governments across the globe with its integration in smartphones, adoption of biometric systems by government facilities, and the rising use of biometric technology in financial and critical sectors, among others.
Security Technologies for the Financial Sector
For financial institutions, keeping an ever-stronger security posture has become a necessity, but the technologies that support web security change as rapidly as the threats. Even an institution that thinks it has solid web security tools and practices in place needs to periodically reassess them to keep pace.
Several core IT security controls must be included in any robust solution to provide multi-layered security. Having multiple layers of security is more important than ever because no single security tool is effective against most threats.
UNIFIED THREAT MANAGEMENT
UTM technologies bundle several security capabilities into a single network-based device to protect both web servers and web client devices. UTM capabilities include firewalling, intrusion detection and prevention, virtual private networks, anti-malware and web content filtering. These functions are all critical for any modern IT environment, and by bundling them into a single device, greater performance and lower costs can be achieved. Examples of UTM technologies include Palo Alto Networks’ PA-5000 series, Cisco Systems’ Adaptive Security Appliance and Fortinet’s Unified Threat Management solution.
Endpoint security solutions are similar to UTM technologies in that they bundle multiple security capabilities into a single product, but they are software-based and are targeted toward user devices, such as desktop and notebook computers, smartphones and tablets. Symantec Endpoint Protection, Trend Micro Enterprise Security for Endpoints and McAfee Total Protection for Endpoint are examples of products in this space.
Typical capabilities offered by endpoint security solutions include anti-malware functions, firewalling, and intrusion detection and prevention. Because they are host-based, not network-based, endpoint security solutions travel with the device, so they can protect it from threats no matter where the device may be used, including external environments that do not provide network-based security controls. Keeping web client devices “clean” of malware and other forms of attack is key to reducing web server and application compromises caused by leveraging user access.
WEB AND EMAIL SECURITY
Dedicated devices or server add-ons can examine web and email traffic for suspicious or malicious content and handle this traffic appropriately. It may not be immediately obvious that email security is necessary for web security, but many of the attacks that involve malicious web activity are initiated through malicious emails. Examples of email security gateways are Cisco’s Email Security Appliance, Proofpoint’s Enterprise Protection and McAfee’s Email Protection. Web security gateways include Cisco’s Web Security Appliance and McAfee’s Web Gateway.
ENCRYPTION OF DATA AT REST
Most financial institutions are well aware of the need to encrypt sensitive data in transit over unprotected networks, but it is increasingly important to encrypt sensitive data at rest (on storage) as well. Banks and credit unions have a wide variety of enterprise storage encryption products to choose from. While they all provide the same basic encryption and key management functionality, these tools support encryption of different kinds of storage. Some products support endpoint encryption only (for example, hard drives or removable media), while others also support encryption on file shares, cloud storage and other network-accessible locations. Examples of products that possess this functionality include Sophos SafeGuard Enterprise Encryption, the Symantec Encryption family, RSA Data Protection Manager and McAfee Complete Data Protection (for endpoints only).
Vendors such as RSA and 2FA provide a variety of software and hardware-based products for enterprise authentication services. These services support web security because they enable the use of diverse authentication methods, including multifactor authentication with cryptographic tokens, smart cards and biometrics. Using multifactor authentication greatly reduces the chances that an attacker can steal a legitimate user’s credentials and reuse them. Some enterprises choose to use multifactor authentication for administrators only, while others have moved toward multifactor authentication for all internal users.
The Dismal State of Healthcare IoT Security
The healthcare industry has been moving toward medical equipment connectivity to speed up data entry and recording, as well as improve data accuracy. At the same time, there has been a shift toward incorporating consumer mobile devices, including wearables, so that healthcare providers can monitor patients’ health more closely and improve treatment.
“The demand for connected devices has increased rapidly in recent years,” noted Leon Lerman, CEO of Cynerio.
“The number of connected medical devices, currently estimated to be approximately 10 billion, is expected to increase to 50 billion over the next 10 years,” he told the E-Commerce Times.
Worldwide, consumer interest in smart wearables — those from Apple, Fitbit and various fashion brands — has been growing, according to IDC.
Wearables sales in Q1 exceeded 25 million units. Sales of smart wearables in that period were more than 28 percent higher year over year, while sales of basic wearables fell by about 9 percent.
The smarter devices from major brands such as Apple and Fitbit incorporate more sensors and improved algorithms, and have access to historical underlying data, noted Jitesh Ubrani, senior research analyst for IDC mobile device trackers, which makes them useful for monitoring user health.
Wearable makers increasingly have been incorporating cellular connectivity into their products, leading to the emergence of new use cases. About one third of all wearables sold in Q1 included cellular connectivity.
Apple has been pushing deeper into healthcare with the Apple Watch, which connects wirelessly with an iPhone.
Fitbit has partnered with Google on a range of enterprise and consumer health solutions.
Further, medical equipment manufacturers increasingly have been incorporating connectivity into their products.
However, connecting wearables to networks comes at the cost of increased security risks.
“With the number of IoT and connected devices being used within hospitals constantly increasing and diversifying in their nature, the exposure to potential devices is great,” Cynerio’s Lerman noted.
Such devices range from MRI machines to insulin pumps, and “the sheer number of devices in a single hospital also means that staff are often unaware of threats, so breaches can go undetected,” he pointed out.
Network-connected medical devices “promise an entirely new level of value for patients and doctors, but they also introduce new cyber security vulnerabilities that could affect clinical operations and put patient care at risk,” Kamaljit Behera, healthcare industry analyst at Frost & Sullivan, told the E-Commerce Times.
Last year, 75 percent of healthcare organizations experienced a cybersecurity incident, noted Frost & Sullivan healthcare industry analyst Siddharth Shah.
Attitudes toward cyber security have been mixed, however. Seventy-one percent of the healthcare organizations that responded to an HIMSS survey last year indicated they had allocated a budget for cyber security, Shah told the E-Commerce Times.
However, based on the firm’s research, 53 percent of healthcare providers and 43 percent of medical device manufacturers “do not test their medical devices for security, and few are doing anything about being hacked,” he said.
“Some improvement” in cybersecurity is expected this year, Shah said. The healthcare industry “is gradually moving from a reactive approach to a proactive one, but there’s still lots to be done.”
Hospitals’ IT security budgets are relatively low, Lerman pointed out. So, hospitals “have a relaxed security posture, with unsecured connected medical devices being the golden ticket for hackers.”
Patient data is “valued at approximately 10 times the value of a standard credit card,” he remarked.
The lure of riches has spurred hackers’ creativity, observed Sean Newman, director of product management at Corero Network Security.
“Evidence of continued cybercriminal investment and innovation … reinforces the need for organizations requiring continuous Internet availability to deploy the latest generation of real-time, automatic DDoS protection solutions,” he told the E-Commerce Times.
There already are cybersecurity frameworks in use at hospitals, Shah said.
Further, the United States government has been working to improve the situation: The U.S. Food and Drug Administration has published a medical device safety action plan, for example. It also collaborates with the U.S. Department of Homeland Security on medical device cybersecurity issues.
Wearables Are Low Risk
The risk from wearables is low level, “assuming the healthcare entity is segmenting the data flow from remote personal healthcare devices into a separate data repository and not their electronic health records,” said Greg Caressi, global business unit leader for transformational health at Frost & Sullivan.
That’s the “more likely architecture” to be adopted for both analytics and security purposes, he told the E-Commerce Times.
The increasing trend toward consumerism in healthcare has given rise to a new debate, said Frost’s Behera, over whether to make individuals the actual owners of their data, with sole access control to promote interoperability.
“It’s a great vision,” said Behera, “but the bigger question is, how well are individuals prepared, equipped and educated to protect access to their health data on their smartphones or their home Internet networks?”
A Possible Healthcare Security Strategy
Each device maker implements its own security solutions, and the medical device industry “is struggling to take what they’ve learned and apply it,” noted Rod Schultz, chief product officer at Rubicon Labs.
What’s needed is a paradigm shift, he told TechNewsWorld.
Every connected medical device maker should not attempt to reinvent the cybersecurity wheel, Schultz said. Instead, they all should rely on mobile phones, which are “the natural cornerstone of security for a connected medical device.”
Finding a way for mobile phones to do as much of the heavy cybersecurity lifting as possible “will work — but will require device makers to concede and cooperate with Apple, Google, Microsoft and Amazon,” he pointed out.
“Standardization may eventually spin out of this,” Schultz suggested, “but in the short and medium term, looking for a halo of security from the biggest mobile device and cloud providers seems like a viable security strategy.”