Often it’s the little security issues we overlook that hurt us the most.

By: Brand Barney

Security cameras? Check. Guards? Check. Locked doors? Check. Privacy monitors? Umm . . .

When it comes to data security, many health organizations don’t always worry as much about the physical aspect. While many foundational security issues may have been addressed, organizations are likely to have overlooked details such as:

- Unlocked office doors during the day
- Window blinds
- Reception desks
- Lack of screensavers and privacy monitors
- Theft of devices/hardware
- Malware in left-behind devices

People may think physical security only applies after hours. However, most data thefts occur in the middle of the day, when the staff is too busy with various assignments to look at the person walking out of the office with a server, company laptop, phone, etc.

Organizations may also think data thefts are large events that take months of planning, looking like something from those heist movies. (Ocean’s 11, anyone?) However, most data thieves use simpler plans.

The majority of physical data thefts take only minutes in planning and execution.

Malicious entities (hackers) strike quickly, take what data they can and leave with little to no trace. In this case, data thieves take advantage of the lack of physical security in healthcare organizations. Here are some issues that your organization may not have considered.

Taking devices

The main problem offices have with devices is that a nurse and a client may use the same type of mobile device, such as an iPad. A thief could walk in, take an iPad off the reception desk when no one was looking, and walk out, all within five minutes. Would you stop someone if they were walking out of your office with an iPad? Probably not, because you would assume it was theirs. But within a few minutes, that hacker potentially has access to the network and whatever data or PHI is on that iPad.
This type of theft can and does happen, and sadly it’s not limited to your office, hospital, etc. Many workforce members work long hours and take devices with PHI on them home, stopping at a grocery store or a child’s school on the way. Theft is quite likely if a device is left alone and unsecured in or out of the workplace, and that breach can cause quite a bit of heartburn.

See also: Balancing Mobile Convenience and PHI Security

Leaving devices

You don’t often think of thieves leaving something behind, but for hackers, an easy way to further the data heist is to leave behind malware. Here’s an example: a receptionist at a large hospital notices a flash drive was left on the desk. It’s labeled “HR,” so the receptionist decides to just drop it off at the Human Resources Department. The person in HR takes it and plugs it into a computer without a second thought. But that flash drive was full of malware, and now the hospital’s system is infected and likely losing data.

Be suspicious of any unfamiliar hardware or device that randomly appears.

Windows and peeping eyes

Often a thief doesn’t have to enter an office to steal information. They can look through a window and see information on the computer screens of workers. This can be remedied simply by putting up blinds in offices that have sensitive information.

Reception desks reveal more than you think

Reception desks are filled with tidbits of information and loose PHI that cause data thieves to grin. Things like passwords written on sticky notes, computers without privacy monitors, and patient records lying out in the open are all fair game for social engineers.

Reception desks also get the most traffic, which is why they are typically the first target. Social engineers can steal a lot of information without being noticed.
It’s critical to the safety of your patients’ data that your receptionists are properly trained to handle social engineers and are aware of everything that’s going on.

See also: Healthcare Reception Desks: Breeding Ground for HIPAA Compromise

Check-in and check-out

Keeping track of clients coming in and out may seem insignificant, but it can help discourage thieves and provide information should your data get stolen.

Having check-ins helps your staff acknowledge and remember the clients that come in, making it harder for social engineers to slip in and out unnoticed. Make sure all clients/vendors that come into the building sign in and out when entering secure zones (like a data center, or networking areas/server areas), and always assess who really needs access to those very sensitive areas.

Unlocked doors: a social engineer’s paradise

Social engineers love an entity that doesn’t pay as much attention to physical security. It makes their jobs that much easier, and if you aren’t paying attention to these areas, what else might that attacker poke around at? A social engineer can go into a hospital, walk into an unlocked office, sit down at an unlocked computer, steal PHI, and then leave, all within ten minutes.

But if the office door is locked, then the social engineer usually won’t bother.

Hackers and thieves are often lazy. Why go to a lot of trouble to get past a locked door if there’s an unlocked one down the hall? By locking office doors and computers, you deter many data thieves (what’s crazy is that this very basic concept translates to all areas of security).

Fighting back: it’s surprisingly easy

Most of these risks can be prevented with little effort.
Here are some suggestions:

- In risk analysis, look for physical security risks
- Lock all office doors when not in use, day and night
- Require passwords to access computers and mobile devices (encrypt your data, or don’t keep data on devices)
- Use screensavers and privacy monitors on computers
- Install and use blinds in all office windows
- Keep logs of who goes in and out
- Keep track of devices that go in and out
- Have policies in place for stolen equipment (make sure to have a good Incident Response Plan and know your Breach Notification Policy front and back)
- Train staff against social engineering
- Limit access to PHI through role-based access
- Have staff report suspicious people and devices
- Make sure all reception desks protect PHI from prying eyes

See also: Common HIPAA Violations: HIPAA Quiz/HIPAA Test

Most social engineering and data thefts can be prevented by following these simple practices. If your organization takes the smaller issues into account, a social engineer or thief will be less likely to bother you because it’s not worth the effort.

It’s the greatest benefit from the littlest effort.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
9 Ways to Social Engineer a Hospital
Your workforce members are your weakest link; here’s what you can do to help them.

By: Brand Barney

Want to know a secret? Most hackers are lazy. That means they’ll try to steal data in the easiest way possible.

People today think hackers always breach hospitals through incredibly complex hacks. In reality, hackers can steal data through non-technical methods like social engineering because it’s easier and takes less effort.

Social engineering is basically human hacking. A social engineer manipulates staff members into giving access to their computers, routers, or Wi-Fi, where the social engineer can then steal Protected Health Information (PHI) and/or install malware.

Generally, all you have to do to be a successful social engineer is be nice.

There are countless ways hospitals and even smaller covered entities can be socially engineered, but they all revolve around five big issues that most entities have:

- Unaware staff
- No policies regarding request verification
- Lack of reporting of suspicious people/situations
- Minimal physical security
- Lack of communication between departments

Let me give you a few real scenarios:

1. The Dumpster Dive

Sometimes hospitals don’t dispose of sensitive documents properly. Take a hospital with an offsite IT staff. If the hospital receives invoices and doesn’t shred them, a social engineer could go through that trash and find sensitive information about new hospital computers. Even better, he could find the names of the IT personnel that installed the new computers.

The social engineer’s conversation could go like this: “Hey, this is Brian over at Acme IT. I understand you guys had some computers installed by our employees. (He then lists the names he found on the invoice.) Well, they’re not with our company anymore, and we need to reinstall some software on those computers. Can I come down this afternoon?”

If the hospital gives him permission, he now has access to a computer where he can install malware, steal PHI, etc.
Most organizations won’t bat an eye when they have contracted an outside entity to do their IT work; the only question they want answered is “how much is the work going to cost?”

2. The Changing Passwords

The social engineer finds the name of a staff member. She calls up the help desk and poses as a member of IT: “Hey, I’ve got so-and-so with me and she needs her username and password changed. She just stepped away from her desk, but she’s been having problems with the system.”

The help desk grants her request, and she now has access to an employee’s new username and password and can steal the hospital’s data. This is a huge problem, but it can and does happen in organizations all the time, especially if your help desk doesn’t have a solid policy for non-face-to-face password resets, and if they get swamped. A little know-how, a name drop here and there, a smile on the phone, and bang: the social engineer has just convinced the IT help desk to reset your password.

3. The Name-Drop

A social engineer goes up to a help desk: “Hi, my supervisor, Kent, has requested a change to a system in my department; it’s been having problems. I need to get on one of your computers.”

He’s in a big hospital, so the staff believes him, especially since he gives a supervisor’s name. The staff grants that request without a second thought. He has access to a computer that may have PHI and other data.

4. The Walk-In

The social engineer walks into the hospital, dressed up in a suit, looking very official. He picks up a patient record that’s lying on a desk and starts looking through it. Nobody stops or questions him. Within five minutes, he takes several photos of the data, puts the record down, and walks out of the hospital, and no one is the wiser.

5. The Unlocked Computer

A social engineer walks into a hospital. He confidently goes into an office that’s unlocked and sits down at the computer.
The computer is unlocked, and he now has access to all kinds of data. He starts going through information and installs malware on that computer to steal more information later.

During this time, no one questions him because he looks and acts like he belongs.

6. The Relaxing Conversation

The social engineer goes into a hospital and tells one of the staff, “I’m with IT and I am here to install some updates on your systems, and I need to get on your computer.” The staff member is initially suspicious.

The social engineer backs off and decides to first become friends with the staff member. She cracks jokes, divulges a bit of information about herself, and confides in the staff member.

After a few minutes, the staff member is more comfortable. “What was it you needed?” The social engineer now has a computer where she can install malware, steal data, or even delete important information.

7. The Fake IT Guy

A social engineer calls up someone within the hospital (showing a hospital phone number to the recipient) and says, “This is James from IT. I need your username and password.” The person in question then gives the information to him, and he now has access to the network. He can then take data in the name of the employee, making him nigh untraceable.

8. The Pointed Question

A social engineer asks a staff member pointed questions, masking them as casual inquiries. The staff member then unwittingly gives her valuable information, such as his supervisor’s name, his username, the supervisor of the department, etc.

After a few more questions, she now has enough information to call up a different department, name-drop, and get more information.

9. The iPad Walk Out

A social engineer walks into a busy hospital, takes an iPad lying on the reception desk, and walks out. The staff members are too busy with their various responsibilities to notice.

He isn’t questioned by anyone because he looks like any other person carrying an iPad. The staff doesn’t notice the iPad is missing until later.
By then, the social engineer potentially has access to information, PHI, data, etc.

See also: Healthcare: Recognize Social Engineering Techniques

How to fight back

While social engineering is a serious problem, there are ways to combat it. Here are my suggestions:

- Train staff members to be aware and suspicious: They should notice if a device is missing. They should be aware of who’s working, and they should question anything that looks slightly out of place.
- Train staff members to verify requests: Staff members should verify with supervisors when someone claims they have arrived to work on hospital computers, servers, Wi-Fi, etc.
- Make each department accountable for security: For most hospitals, it’s impossible for the C-suite to train everyone about security. Every department head should constantly discuss security with employees.
- Hire a consultant: If you don’t even know where to start, hire a HIPAA consultant to help you boost your hospital security.
- Take advantage of resources: There are webinars, blogs, reports, white papers, and more resources that talk about social engineering, HIPAA security and HIPAA regulations. Research and learn!
- Test your staff: The best way to learn security techniques is to practice them. Get your staff used to social engineering attempts by pretending to be a social engineer (or hire an ethical social engineer). See what they do, and debrief them after.
- Boost your physical security: Keep computers locked, use screensavers, watch your devices, and lock offices when not in use. Taking small measures will help prevent social engineers from gaining easy access.

The biggest way to fight back against social engineering is proper, regular staff training. It’s true, training means some downtime, but it’s critical to your patient data and your organization’s brand that your staff members know how to address social engineering. Onboarding and annual training isn’t enough!
Schedule quarterly, or even monthly, training.

See also: HIPAA Training Video: Essential Healthcare Compliance Training

Today, staff members who aren’t well versed in security are worthless. Hospitals need both systems and people that are active and aware.
How Do Hackers Hack?
Crimes of opportunity lead the average hacker to valuable data.

By: Steve Snelgrove

You might think hackers selectively pick each business they hack. While this may be true in high-profile or hacktivism cases, I estimate 90% of hacking is done based on a system’s general lack of security. Hackers don’t think, “Today I’m going to hack Acme Hardware across the street.” They scan for the most vulnerable system and start digging.

To defend against attacks, it is important to understand that hackers have different motivations and capabilities.

The Opportunist Hacker

A crime of opportunity

These hackers stay up to date on security news. Once a vulnerability is made public, it’s fairly easy to conduct a large-scale network scan for systems which exhibit symptoms of the vulnerability. After the hacker gets the list of vulnerable machines, he will do additional research on the vulnerability and attempt to enter the system. Once inside, it is often easy to pivot and reach other, less hardened machines.

A great example of opportunist hackers in action arose when news of the Heartbleed vulnerability was released in April 2014. The vulnerability was publicly exposed in many news publications. Very shortly thereafter, hackers scanned the Internet looking for machines using OpenSSL, and then attempted to exploit that vulnerability and enter the system. Piece of cake.

SEE ALSO: PCI 3.1, Stop Using SSL and Early TLS Immediately

But hackers don’t necessarily require huge, newsworthy vulnerabilities in order to hack. There are thousands of other publicly known vulnerabilities they could take advantage of. For example, website forms often have validation flaws. An attacker may submit potentially malicious data on a form, which then might be echoed back to the user’s browser and rendered to the screen. The screen displays a mix of server content and the attacker’s malicious data.
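To make the form validation flaw just described concrete, here is an added example (not code from the article or from SecurityMetrics) of a search page that echoes the submitted term back into the HTML. It uses a tiny hand-written template rather than any web framework; the template, the allow-list pattern and the submitted terms are all constructed for illustration. The vulnerable render is shown beside the corrected one so the difference in output is visible.

```python
"""Reflected form input: a vulnerable page render beside the corrected one.

Added example, not code from the article or from SecurityMetrics. It uses a
tiny hand-written template instead of a web framework, and the submitted
search terms are constructed for illustration.
"""
import re
from html import escape

# Minimal search-results template: the term appears as text and again as an
# attribute value, the two contexts where form data is most commonly echoed.
PAGE = (
    "<html><body><h1>Results for: {term}</h1>"
    '<form><input name="q" value="{term_attr}"></form>'
    "</body></html>"
)

# Constructed allow-list for what a search box legitimately receives.
TERM_RE = re.compile(r"^[\w\s\-.,']{1,64}$")


def render_results_unsafe(term):
    """The validation flaw: submitted data is inserted verbatim, so any markup
    in it becomes part of the page the browser renders and executes."""
    return PAGE.format(term=term, term_attr=term)


def render_results_safe(term):
    """Output encoding: characters with meaning in HTML (<, >, &, quotes) are
    replaced by entities, so the browser shows the data as plain text."""
    encoded = escape(term, quote=True)
    return PAGE.format(term=encoded, term_attr=encoded)


def validate_term(term):
    """Defense in depth: reject input that does not look like a search term
    before it reaches the template at all."""
    return bool(TERM_RE.match(term))


def handle_search(term):
    """Returns (status, body) the way a request handler would: invalid input
    gets a 400 with an encoded echo, valid input is rendered safely."""
    if not validate_term(term):
        return 400, "<p>Unsupported search term: %s</p>" % escape(term, quote=True)
    return 200, render_results_safe(term)


def has_live_tag(page_html, tag="<script"):
    """Detection check: True if an un-encoded tag survived into the output."""
    return tag in page_html.lower()


# Constructed input: closes the value="" attribute and adds a script element.
HOSTILE = '"><script>alert(1)</script>'
NORMAL = "flu shot clinic"

if __name__ == "__main__":
    print("unsafe render keeps live markup:", has_live_tag(render_results_unsafe(HOSTILE)))
    print("safe render keeps live markup:  ", has_live_tag(render_results_safe(HOSTILE)))
    print(handle_search(HOSTILE))
    print(handle_search(NORMAL))
```

Encoding at output time is the control that actually removes the flaw; the allow-list is an extra layer that also keeps garbage out of logs and downstream systems. In a real application the same encoding has to be applied per context (HTML text, attribute, URL, JavaScript), which is why templating engines that encode by default are preferable to string formatting.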
Such a flaw could result in unsuspecting users being redirected to another site where credentials or session information might be captured.

Does the hacker know which business or person he’s hacking? No. And he doesn’t care. He’s attacking a system because it’s vulnerable. Once the vulnerability is identified, the hacker will then attempt to profit from the exposure.

How do I defend against this attack?

The obvious defense against the public vulnerability attack is to scan your systems in an attempt to discover vulnerabilities beforehand. Keep up to date on security news. Partner with a company that keeps abreast of publicly disclosed vulnerabilities. Regularly maintain and update your systems.

If a vulnerability similar to Heartbleed is released, do everything in your power to close the vulnerability ASAP. Do your best to maintain updates on all other operating systems, browsers, and servers to avoid the possibility of being a victim of a zero-day attack.

The Layabout Hacker

Brute forcing

Somewhat less effective, but still pervasive, are brute force attacks. In these attacks, attackers control an army of computers infected with malware (known as botnets or zombie computers). The attacker is able to control this network of computers, and these do the attacker’s dirty work for them.

The attacker uses botnets to access systems by guessing usernames and passwords in millions of combinations until the right combination is guessed. It’s not very effective. But, as my dad always said, “even a blind squirrel will find a nut every once in a while.”

Hackers use botnets so each hack attempt is nearly impossible to trace back to the actual hacker.

How do I defend against this attack?

The two best ways to avoid this attack are monitoring your logs and regularly creating new passwords.

If a botnet tries to access your system through a brute force attack, your logs should record these actions.
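The log monitoring recommended here, as an added example (not code from the article or from SecurityMetrics): the script below reads authentication log lines and flags any source that racks up a threshold of failed logins inside a sliding time window. It assumes OpenSSH-style syslog lines (“Failed password” / “Accepted password”); the sample lines, the addresses, the year, the threshold and the window are all constructed for illustration.

```python
"""Spot brute-force login activity in authentication logs.

Added example, not code from the article or from SecurityMetrics. The line
format mimics OpenSSH's "Failed password" / "Accepted password" syslog
entries; the sample lines, the source addresses, the threshold and the
window are all constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd auth lines: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <Failed|Accepted>
# password for [invalid user] <name> from <ip> port <n> ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ASSUMED_YEAR = 2015  # syslog timestamps carry no year; one is assumed here


def parse_line(line):
    """Return a dict with ts/result/user/ip, or None for lines that are not
    password-auth events (other sshd messages, other daemons, junk)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime("%d %s" % (ASSUMED_YEAR, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag every source IP whose failed logins within a sliding window reach
    `threshold`. For each flagged IP report the peak failure count, the
    usernames tried (many distinct names = password spraying) and whether a
    login from that IP was accepted after it had been flagged, which is the
    case that needs immediate response. Lines must be in log order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> usernames that failed
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, q = ev["ip"], recent[ev["ip"]]
        # Slide the window: drop failures older than `window` before this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            users[ip].add(ev["user"])
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "success_after_failures": False})
                a["failures"] = max(a["failures"], len(q))
        elif ip in alerts:
            alerts[ip]["success_after_failures"] = True
    return {
        ip: {"failures": a["failures"],
             "users": sorted(users[ip]),
             "success_after_failures": a["success_after_failures"]}
        for ip, a in alerts.items()
    }


# Constructed sample: one staff member mistypes once and then logs in, while
# 203.0.113.7 (a documentation address) cycles through common account names
# and finally gets an "admin" login accepted.
SAMPLE_LOG = [
    "Mar 14 08:00:10 clinic-ws1 sshd[2460]: Failed password for jsmith from 198.51.100.4 port 40210 ssh2",
    "Mar 14 08:00:19 clinic-ws1 sshd[2460]: Accepted password for jsmith from 198.51.100.4 port 40210 ssh2",
    "Mar 14 08:00:25 clinic-ws1 sshd[2461]: pam_unix(sshd:session): session opened for user jsmith",
] + [
    "Mar 14 08:01:%02d clinic-ws1 sshd[%d]: Failed password for invalid user %s from 203.0.113.7 port %d ssh2"
    % (i, 2470 + i, name, 51100 + i)
    for i, name in enumerate(["root", "admin", "test", "oracle", "postgres", "guest",
                              "user", "backup", "ftp", "pi", "ubuntu", "administrator"])
] + [
    "Mar 14 08:01:30 clinic-ws1 sshd[2490]: Accepted password for admin from 203.0.113.7 port 51130 ssh2",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

“Thousands of failed logins” in practice means a threshold per source over a window, and an accepted login from a source that has already crossed it is the event to page on. One caveat: a botnet spreads its guesses across many source addresses, so a per-IP count can stay under the threshold; a complementary check counts failures per target account and the overall failure rate across all sources.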
If your logs record thousands of failed login attempts on your system, you’re probably being attacked.

The reason brute force attacks work so well is that millions of user credentials (usernames and passwords) have been dumped online in publicly available lists. Password lists are effective because the majority of people do not change their passwords, and use the same passwords on multiple sites/systems. To avoid this attack, change your personal and business passwords every 90 days, and never reuse passwords.

SEE ALSO: Vendor-Supplied Defaults Are A Serious Threat

Hackers have different motivations and capabilities. But these are their main methods.

What do hackers do after they get into a system?

Now the hacker starts prospecting. Remember, before this point the hacker still doesn’t know if he’s hacked a business or a personal computer. Now, he looks for evidence that the system is doing commerce, which means credit cards, healthcare information, or other valuable data might be present. To find this data, he starts running keyword searches on the file systems and memory of the system.

For example, if his keyword searches discover that the system he’s hacked is a Micros system, he knows he has gained access to a business that accepts credit cards. (Micros is point of sale software used by many restaurants and hotels.) He will probably try Micros default passwords to try to get into their server and thus expand the range of the attack.

Install malware

If the hacker is successful in breaching the point of sale system, he can possibly install malware.
The whole point of malware is to gain access to valuable and sensitive information, such as credit card numbers, early in the data processing stream, and to divert this sensitive information so cybercriminals can reproduce cards or sell the stolen data on the black market.

Depending on the malware installed, every single customer credit card transaction made on that computer (and perhaps on the entire network) could be at risk.

Pivot

By now, the hacker in this scenario has probably filtered through enough company data to realize who he’s hacked.

Perhaps the hacker has managed to attack and gain access to a national business with a chain of stores. If he finds remnant data on the system that includes the IP addresses of other chain locations, that chain will be in some serious trouble, as those locations may have fewer security measures in place, and access to these associated networks could provide valuable information to the attacker.

Remnant data left on systems does occur in real-world examples. In a forensic investigation my colleague David Ellis conducted, a point-of-sale equipment installer left a partial client list on each and every point-of-sale system he had installed during that year. Some 28 businesses were hacked because of the poor security awareness of that careless installer.

Leave no trace

At this point, it’s time for the hacker to get out of the hacked system. Most hackers cover their tracks to avoid detection. They encrypt card data before transferring it out of a system, erase or modify security logs, and run malware from RAM instead of the hard drive, which often goes undetected by most anti-virus software.

SEE ALSO: Hacking Trends of 2014

Hackers don’t care who you are. They just care how rich you can make them.

Read about 5 commonly overlooked security errors for tips to avoid being attacked.

Steven Snelgrove (CISSP) has been a Security Analyst at SecurityMetrics for over 7 years.
Since 1980, Snelgrove has worked in the computer and telecommunications industry, and has familiarity with programming, software engineering, and network security. His current responsibilities include the manual assessment of web applications and corporate networks, conducting ethical hacking to analyze security architecture, and consulting with organizations to help remediate issues. Snelgrove received a degree in Computer Science from Brigham Young University, and holds a CISSP (Certified Information Systems Security Professional) certification.