Symantec Security Summary

1. More woes loom for healthcare security?

Last September,  ProPublica revealed that 187 servers being deployed to store and retrieve medical data in the U.S. were unprotected by passwords or basic security precautions. The upshot: anyone with a web browser or a few lines of computer code could access patient records. Two months later, the situation’s no better with the amount of confidential patient data accessible on the internet still climbing.

The disclosures offer a new twist on a familiar problem. In 2017, the Healthcare Industry Cyber Security Taskforce, funded and overseen by the federal Department of Health and Human Services, warned that “healthcare security is in critical condition.” Unfortunately, we can’t report that the patient is faring much better. Indeed, when it comes to security, the healthcare industry continues to struggle to reduce its exposure to cyber risks as threat actors step up their attacks. Last year, data breaches and ransomware attacks cost the health sector an estimated $4 billion.

In this most recent incident, the problem centered around an aging file format and industry standard known as DICOM, which allows medical practitioners to read and share medical images easily on what’s called a PACS server. But when doctors connect their servers to the internet without a password, they leave sensitive medical imaging and patient data vulnerable.

Learn More: Is Healthcare Security in Critical Condition?

* * * 

2. The upcoming census will make history.

Largely because it will be the first one conducted primarily online with respondents encouraged to submit their answers over the internet. What could possibly go wrong?

For starters, everything. Back in 2017, the GAO included the census in its list of the highest-risk government projects since due to cyber security and other issues. Despite some progress. Since then, the Commerce Department says there’s been “partial” progress” but also flagged areas of concern, specifically when it came to the management and oversight of the Census’s IT systems as well as the ability to deal with cyber security weaknesses “in a timely manner and ensure that risks are at an acceptable level before systems are deployed.”

Progress is in the eye of the beholder. Last December, the GAO said the Census Bureau still had 191 unfixed cyber security problems that it characterized as “high” or “very high” risk. What’s more, it said that 26% were 60 days or more past their planned fix date. Following the caucus fiasco in Iowa in early February, there’s extra urgency to make sure sufficient tech and security testing gets done before the census gets underway.

What they’re saying:  This may be one of the rare political questions that unites Democrats and Republicans nowadays. Here’s Delaware Democrat John Sarbanes during a recent appearance by Census Bureau officials before the House Oversight and Reform Committee: “If ever there was a juicy target for those who want to hack in and sow discord and all the rest of it, it would be our 10-year census where we are putting it online like never before.” Meanwhile, Rep. Mark Meadows (R-N.C.), who also sits on the committee, weighed in by adding that the census website was more “complex” than the app used in Iowa and therefore has “a lot more chances for cyber intrusions.”

Learn More: The Looming Crisis: Government Agencies and Cyber Security

* * * 

3. New BEC attacks beckon. 

When BEC attacks first began showing up as a problem back a few years ago, the FBI warned that the scam relies on the oldest trick in the con artist's handbook: deception.” It may not be very sophisticated but it is very effective.  

How it works: In its recently-released 2019 Internet Crime Report, the FBI said it had recorded more than $1.7 billion in losses related to BEC attacks. An acronym for business email compromise, BEC attacks take a variety of forms and target companies in many different industries. But the basic aim is the same: to gain access to a company’s network - often through a combination spear-phishing attack with malware - and then carry out surveillance on the organization and its senior executives. Then, at a time of their choosing, the criminals swing into action, sending phone emails, purportedly from the CEO,  to someone in finance requesting an immediate wire transfer.

AIG Insurance said that BEC attacks accounted for about 23% of all their cyber insurance claims for losses - more than for ransomware or data breaches - in the Europe, Middle East, and Asia regions in 2018 (based on the latest figures available.)

Learn More: BEC Scams Remain a Billion-Dollar Enterprise

* * * 

4. Speaking of financial scams

More than a dozen banks in the US and Canada found themselves recently on the receiving end of a mobile phishing scam that claimed 4,000 victims. In this case, scammers duped victims with messages containing links to phishing pages made to appear like legitimate mobile banking pages. Clicking on links gave the phishers access to users' banking credentials as well as their personal details, including dates of birth. All of that information can later be  sold on the Dark Web or used in other fraudulent schemes.  The attacks, which had been ongoing since 2019, have since been getting shut down. But this is part of an ongoing challenge.

Why it matters:  Banks have long been in the cross-hairs and this was just the latest incident in a years-long trend of cyber criminals targeting financial institutions. The Carnegie Endowment offers a telling snapshot in this timeline it put together of attacks against financial institutions since 2007. That year it logged 3 attacks; last year it was 29.

Learn More: How Banking LoB and Cyber Security Teams Can Get on the Same Page