What Are The SEC’s Guidelines For Public And Private Company Cybersecurity?

SEC Security Guidelines

Hand-in-hand with an increased reliance on the internet and networked systems comes an increased risk of cyber-attacks. Whether caused unintentionally or deliberately, cybersecurity incidents can wreak havoc on a company’s bottom line, bringing a wide range of consequences capable of doing long-term harm to companies big and small.

For this reason, the U.S. Securities & Exchange Commission has required public companies to follow a particular set of guidelines and procedures to combat the countless cybercriminals scouring the internet in search of opportunities.

Cybersecurity threats and risks are ever-changing, and according to the SEC, public companies need to do all they can to prevent attacks. While there is a world of difference between public and private companies in their rules, regulations and operations, the two often face the same cybersecurity challenges. This is why private companies, although unregulated by the SEC, can’t afford to ignore what it recommends for preventing and combating cyber incidents.

In order to educate and support public companies about the risks associated with cyber attacks, the SEC has introduced a cybersecurity information website containing a variety of tools for companies large and small. These include alerts, compliance toolkits, educational resources and other information pertinent to cybersecurity and its potential effects on today’s businesses.

What Can Companies Do To Address Cyber Risks?

The SEC has some important tips for businesses to follow if they’re hoping to steer clear of cyber attacks. And in the cases where it’s too late, there is a set of procedures businesses should implement to help minimize damage once an attack hits.

The website covers a wide variety of cyber-related misconduct, including market manipulation through false information, intrusions, hacking and attacks on market infrastructure and trading platforms. According to the SEC, here are a few things private companies must do in order to effectively manage their cybersecurity risk.

Prioritize Policies

An effective set of policies and procedures for dealing with cybersecurity is vital in today’s business world, especially at a time when cybercriminals are acquiring new skills and targets by the day. Companies must be able to identify cybersecurity risks, analyze their impact, and maintain open communication with technical experts who can help implement preventive measures and damage control.

There should also be a protocol for determining the potential risks and materiality of cybersecurity incidents. It’s important for companies to assess compliance with these policies on a regular basis, and to ensure a proper set of procedures that conveys important information to the necessary personnel.

Necessary Disclosure

Conveying cybersecurity risks and breaches to the appropriate parties is of the utmost importance for public companies, though private companies would do well to follow a similar chain of command. A company’s top directors, officers and other parties responsible for implementing these cyber controls and procedures should be informed of the potential risks in order to develop an effective plan for prevention. And while management’s role in overseeing cybersecurity is indisputable, there are other parties that must be involved.

Combatting Insider Trading

Once a system has been infiltrated by a cyber attack, timing is crucial. The SEC states that companies must have a set of procedures in place to prevent insiders, such as company directors and officers, from taking advantage of the sensitive time between discovery of an attack or cybersecurity incident and the time it is disclosed to investors. It may even be appropriate to halt transfers in the event of an ongoing investigation of a particular cybersecurity incident.

What Are The Risks?

The risks of a cyber attack are varied and depend largely upon an individual company’s IT structure. When evaluating cybersecurity risk factors, there are a number of things companies both public and private must consider. For instance, the occurrence of previous cybersecurity events is helpful in determining risk, as are the probability of a future occurrence and its potential magnitude.

It is also helpful to analyze the adequacy of a company’s preventative measures to reduce the risk of cyber attacks, as well as discuss the associated costs and limits of a company’s ability to mitigate these types of risks. Other risk factors include the potential for reputational harm and additional costs incurred from litigation and remediation in the event of a breach.

Conclusion

Private companies are in a unique position to learn from public companies as they navigate an ever-changing digital landscape. The SEC’s guidelines serve as a valuable point of reference to kick-start an effective game plan for cybersecurity. Although it can be difficult to determine when or where the next cyber attack will occur, familiarizing yourself with the risk factors and potential damage can prove a solid line of defense against a major cyber incident in the future.

Are You Spending Enough On IT Security?

Canadian Cyber Security

IDC Report Focuses on How Real the Threat Actually is for Canadian Businesses

How much is your company spending on IT security? According to most analyst numbers, an average of 14% of the IT budget should be shelled out each year to safeguard a business. The reality is that less than a quarter of companies are spending even near that much.

What Was Revealed in the Report?

In a report by the International Data Corporation (IDC) that focused on Canadian companies’ security budgets, some startling statistics were revealed. The IDC, a global provider of market intelligence in information technology, surveyed over 200 Canadian companies. The survey found that while the average company spent a little under 10% of its IT budget on security, the figure varied widely from company to company. The report states that a company’s data security budget largely depended on how sophisticated its methodology for combating hacking was.

IDC broke down the Canadian firms they surveyed into four main groups:

Egotists

17% of the businesses surveyed are what the IDC labeled as Egotists. This group has a grasp on security, spending about 12% of its IT budget on security. However, the IDC points out that even though these Canadian companies are doing some things right, their overconfidence could easily be their downfall.

Realists

Nearly a quarter of the companies fell into what the IDC labeled as the Realist category. Realists’ cybersecurity budgets are the highest, at around 14% of their IT budget. These organizations understand that a constant battle must be waged against hackers, and that they can never let their guard down. They devote a lot of energy to analyzing and comparing their performance to that of their industry peers.

Denialists

The highest percentage, 37% of companies surveyed, tend to bury their heads in the sand when it comes to cyber security. Their goal is to focus on installing new technologies in an attempt to solve the security problem instead of investing in secure processes. They also fail to train their staff about cyber security, which leads to more employee-caused hacks.

Defeatists

About 25% of the firms examined fell into what the IDC says is the worst of all the categories—the Defeatists. They’re terrible at security, and they fully admit to their failures. Their strategy leans mostly on throwing a small budget at the wall and seeing what sticks. They tend to spend an average of only 6% of their IT budget on security, since they don’t think anything is really going to work anyway.

Which Type of Companies Spend the Most on Cyber Security?

The IDC reports that the three industries that will spend the most on security solutions in 2018 are banking, discrete manufacturing, and the federal government. These three groups will spend more than $27 billion combined.

The four industries that will see spending greater than $5.0 billion this year are process manufacturing, professional services, consumers, and telecommunications. The IDC also reports the industries that will encounter the fastest spending increase over the 2016-2021 forecast period will be telecommunications, education, state and local governments, and the resource industries.

How Much Should Be Spent on Cyber Security Awareness?

The IDC’s survey pointed out the importance of training the company’s non-technical employees. On average, results of the IDC survey revealed the companies that fell into the realist category spent about 24% of their IT security budget on employee awareness and education. They understand that employees are the weakest link when it comes to cyber security. People who are not well-trained to spot phishing schemes will click on suspicious links that could cripple your entire IT infrastructure.

How is the Spending on Cyber Security Broken Down?

The IDC strongly points out that not every dollar with a security benefit inevitably shows up in a company’s security budget. For example, a company might purchase a tool to locate network anomalies. This would fall under a clear security-related purchase. However, if the tool isn’t integrated into a wider detection and mitigation process within the company, it most likely won’t be effective for improving the company’s internet security.

An example of this is the attack against retail giant Target’s point-of-sale (POS) systems in 2013/2014. The system triggered alarms, but Target’s information security team chose to ignore the warnings and not follow up on the spotted activity. This inaction resulted in the loss of tens of millions of credit card numbers and hurt the store’s reputation with its loyal customer base.

On the other hand, an IT department that budgets for designing a system of repeatable and automated processes before it invests in high-level detection tools is making its infrastructure more secure, even if the chief purpose is system efficiency. It isn’t clear what portion of that shows up as a security line item and what portion falls into another category.

Conclusion

There’s too much at stake these days not to stay on top of IT security for your Canadian business. Educate employees; invest in the best IT security solutions. Stay on top of what’s going on in the world of cyber security. Not spending enough on cyber security should not even be considered. But neither should spending money on fancy cyber security tools with no clear methodology or IT plan in place.

What Should I Know About New Hacking Attacks Against Pairwise Master Key Identifier (PMKID)?

Network Security

What is PMKID?

Pairwise Master Key Identifier (PMKID) is a type of roaming feature in a network. Recent attack techniques have targeted it for exploitation through vulnerable processes, so ongoing security efforts need to address it and the procedures it affects.

New wi-fi hacking strategies use tools and processes that make it easier for hackers to learn user passwords for a wide range of router types commonly used in homes and businesses. Specifically, processes targeting PMKID zero in on internal network protocols on routers with the feature enabled, bypassing critical steps. The method was discovered by accident, during an assessment of developments in the WPA3 security standard, and was then found to be applicable to existing security systems.

What Security Vulnerabilities Are Concerning?

Online sources including The Hacker News report that hackers have used the approach successfully to obtain pre-shared key (PSK) login passwords, which they have then used to hack the wi-fi networks of their victims. This has led to hackers penetrating even further into user databases to gain or misuse other information. While earlier methods required hackers to stand by waiting for their targets to log in to the network so that they could capture a complete four-way EAPOL authentication handshake, the PMKID approach does not require this.

This approach therefore makes it easier for hackers to access sensitive information, since they can instead use the Robust Security Network Information Element (RSN IE) from a single Extensible Authentication Protocol over LAN (EAPOL) frame after sending one request to the access point. This is also significantly more efficient and gives a higher potential for multiple attacks from a single point.

Generally, a successful attack occurs in three steps, which may or may not be followed by the subsequent abuse of personal or otherwise sensitive information. In the first step, the hacker uses a tool such as hcxdumptool to request the PMKID. The PMKID is thus requested from the hacker’s own position, and the hacker can use the tool to dump the information received to a file for future access and misuse.

In the second step, the tool is used to process the frame output, converting it to a hash format that a cracking tool accepts. In the third step, a tool such as Hashcat can be used to crack the WPA PSK password, at which point the hacker has the potential to access the personal information of users.

Researchers have been vague about the specific routers involved and about which routers are most vulnerable to PMKID attacks. The general method seems to be most threatening in 802.11i/p/q/r networks with their roaming functions enabled. Unfortunately, this describes most current routers, while WPA3 developments have only recently begun to counter aspects of the fundamental nature of the vulnerabilities.

The Hacker News reports that WPA3 is a new security protocol needed to address previous WPA2 vulnerabilities that have been increasingly exploited despite smaller, non-version-specific security developments. The newer protocol employs a new framework with features that cannot be delivered by these smaller software and security upgrades, demanding foundational improvements. An example of such a foundational improvement is the establishment of Simultaneous Authentication of Equals (SAE).

In addition to the nature of the vulnerability, as is common with modern hacking, directions for a PMKID attack are readily available online. SecuredYou is one of many online sources that walk users through potential attacks. According to this source, in an optimized approach, users first request the PMKID from the router, install hcxdumptool and hcxpcaptool, and make network requests for recording through further described steps.

Other online sources, including the Latest Hacking News and The Register, report that such an approach can be currently used for success in 10 minutes or less on most networks, depending on the extent of active network traffic. Hacking has never been so easy for predators.

What’s Been Happening In Research And Development?

Software and security protocol developers have been addressing the issue most directly through WPA3 and network security strategy research and development. One recent patent has attempted to address and improve an aspect of vulnerability by enhancing an extensible authentication protocol re-authentication protocol (EAP-RP) framework in message transition.

Another recent patent has targeted the way network information is configured and authenticated while maintaining PMKID in addition to a basis on a transient identity key pair provided to other access points. Such developments may benefit users more quickly or to greater extents than the implementation of WPA3.

What’s The Bottom Line?

  • PMKID attacks do not require the same waiting times.
  • The potential detriment is high.
  • WPA3 technology can counter the attacks.
  • Other non-WPA3 patents/developments may work but should be tested first.
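The bottom line above says WPA3 can counter these attacks, and the earlier text notes that in WPA2 the captured PMKID is turned into a crackable hash of the PSK. As an added example that is not part of the original article, here is what the weak setting and the corrected setting look like side by side in a hostapd access-point configuration. hostapd and its configuration keys are an assumption of this example (the article never mentions hostapd), and the SSID and passphrase values are placeholders.

```ini
# Two constructed hostapd.conf fragments (hostapd is assumed; not from the article).
# They are alternatives for the same access point, not one file.
# EXAMPLE-SSID and CHANGE-ME-placeholder are placeholders, not real values.

# --- Weak: WPA2-Personal (PSK) ---
# The pairwise master key is derived only from the passphrase and the SSID,
# so a PMKID captured from the first EAPOL frame can be attacked offline
# with a dictionary, which is the attack the article describes.
interface=wlan0
ssid=EXAMPLE-SSID
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-placeholder

# --- Corrected: WPA3-Personal (SAE) with protected management frames ---
# SAE derives the pairwise master key through an interactive exchange, so a
# captured PMKID no longer lets an attacker test passphrase guesses offline.
# ieee80211w=2 makes management frame protection mandatory, as WPA3 requires.
interface=wlan0
ssid=EXAMPLE-SSID
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_password=CHANGE-ME-placeholder
```

The corrected fragment only helps if the clients on the network support WPA3; a quick check after deploying it is to confirm from a client that the network advertises SAE rather than PSK, and to reject any client configuration that falls back to WPA2.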

Clinical Decision Support: When Will Artificial Intelligence Become Intelligent?

Healthcare Technology

Those of us who follow artificial intelligence (AI) in medicine know that IBM’s efforts to use its Watson system in healthcare have been a mixed bag at best, and that many of the engineers working on the project have been laid off. What went wrong? Watson did so well on Jeopardy.

How Real Is Real?

One of IBM’s initiatives, Watson Genomics, was focused on using data from lab tests on patients’ cells to recommend treatments, replacing the 10- to 15-doctor “tumor boards” that do this sort of work. Some aspects of that initiative went very well. But another did not fare well. That initiative ran into real difficulties with patient data, so hypothetical data was used instead, together with Watson’s huge intake of oncology textbooks and journal articles. That effort produced treatment recommendations that, in the real world, might have had fatal consequences.

And therein lies the rub. Real-world data is messy. Nothing guarantees that this information is accurate. Hospitals are still oriented towards billing, not excellent outcomes. But even so, this is all the data we have. Not using this information to train AIs, it seems, is not an option.

Current AI systems may use “deep learning” and other techniques to extract patterns from data; the data that they use to discover those patterns is called the “training set.” Once that work is done, the patterns learned are tested against other sets of data to see how well the AI performs. What the Watson experience, in part, indicates is something that AI researchers learned the hard way: it is very difficult to create training sets that mirror the real world. Using actual data is much more effective.

How Current Is Current?

The Watson experience indicates another problem. Medical treatment is constantly advancing, patient populations are changing – if nothing else, they are getting older – and this raises the issue of how the training set used relates to current information. Experts in the field say that so far, very little attention has been devoted to keeping the systems updated with new training set data. This increases the risk that treatment recommendations will no longer reflect the best clinical judgement or the real-world results of using new therapies.

Where Has AI Succeeded?

The success stories of AI applications in health care usually involve a combination of relatively simple questions – “Is this lump in this breast suspicious or not?” – rather than complex ones such as, “What is the best cancer treatment for this tumor in this patient?”

AIs have been proven better than human radiologists at detecting suspicious lesions on several kinds of X-rays. One reason: human eyes are in constant motion, while AIs can scan the X-ray pixel by pixel.

What Is Decision Support?

For once, the name of a technology is not misleading – decision support systems act as inputs to medical decisions, and hopefully will improve them. What kinds of decisions? Among them are:

  • Which antibiotic should I use to cure the patient’s infection and not increase bacterial resistance?
  • What test should I order next to establish my guessed-at diagnosis?
  • Which treatment option is the most effective and the cheapest?
  • Can I safely discharge this patient? If not now, when?
  • Should I have another radiologist look at this MRI?

Doctors face questions like these every day, and have to make decisions in real time, often without the luxury of contemplation or research. They also suffer from “cognitive overload.” Even with sub-sub-specialties, there is too much information for one doctor to carry in his or her head.

Decision support systems have the advantage of being able to handle huge amounts of data, process it in ways that a single human never could, and they do not suffer from fatigue. The combination of a human doctor and an AI ought to be a winning one. (Provided, of course, that the AI is kept current and retrained when things change.)

What’s The Next Big Thing?

Current decision support systems are notorious for generating “alert fatigue.” They hit the clinician with so many recommendations and warnings that the clinician tunes them out. They also are not well-integrated into the clinical workflow and electronic health record (EHR) operations.

The Holy Grail, of course, is for decision support to be driven by the EHR, with recommendations driven by what is happening to the patient in near real time.

The area of “clinical pathways” is ripe for innovation. Every patient is unique, but the course of care is in some ways highly predictable. An AI has the potential to automate orders, verify from the EHR that appropriate care has been delivered, flag deviations from the ideal pathway, and recommend corrective actions.

The key focus of AI development in the future should be on “the human use of human beings.” Maximizing outcomes for the patient while at the same time reducing the burden on caregivers—that’s the best case scenario.

What Are the Ongoing Challenges to Legal Technology Transformation?

Legal Digital Transformation

Experts agree that the legal sector is not really on the cutting edge when it comes to adopting the latest technology trends. In fact, given its long-standing history of traditional values, it is rare to see widespread use of information technology (IT) in the industry. Even in recent years, many law firms prefer to stick with hard copies (paper-based) including books, letters, and legal journals. However, as technology advances, this trend may be a contributing factor in keeping the “slow wheels of justice” at the reduced pace for which they are known.

Fortunately, it is evident that the benefits of legal IT technology outweigh the detriments. In fact, it is equally apparent that deploying information technology is possible without disrupting the business. That is key to a successful transformation.

What Prompts Hesitation in the Legal Industry?

In the 2016 State of Digital Transformation Report, Brian Solis and the Altimeter Group conducted a survey of 500 executives. The general consensus was that the main issues included the following:

  • Dangers to breached data
  • Unsure of return on investment (ROI) to justify the value of increased IT
  • Risk management compliance
  • Managing potential legal complications
  • Resources required for all employees at the office

An additional challenge law firms face is the necessary functionality of the space. In other words, digital upgrades would need to be implemented and perhaps piloted while the regular business continues on. No law firm these days can afford to just close its doors for a few months. These time constraints make it difficult for IT to be introduced and utilized in the legal sector.

Law offices often have a somewhat conservative approach to change, a lack of collaboration, and a tendency to be “set in their ways.” Also, many practices are partner-owned and operated, making the financial risk more personal than it would be for corporations. Lawyers are more likely to take a “wait and see” approach to adding cutting-edge technology.

Why Are the Trends Changing?

Although change is rarely immediate, an increasing number of law firms are acknowledging the need to modernize. Adapting to the digital age is gradual for many attorneys. Perhaps they’re dragging their feet for a few good reasons:

  • The extreme amount of paper-based processes means the legal firm might spend years working to move all records to digital formats.
  • Since the legal sector exchanges large amounts of data and information with many individuals and organizations, their technology upgrade could be a pain point for staff, clients, attorneys and even third-party vendors.
  • Generally, legal professionals are intelligent, educated, and highly skilled. This means the move to embracing new technology should be an easy one. However, they may be reluctant to take that first step.

Perhaps a gradual approach, using a pilot group, would help initiate the process. With a small team of informed individuals, the steps to introducing stronger legal IT to the remainder of the office would be much smoother.

How Would This Work?

It would likely require a process of educating the potential users about the benefits of digital technology. This would focus on how much time and money it would save. Explain how this advancement could be accomplished without disrupting the day-to-day business.

Furthermore, the top IT Directors or CIOs should understand how the evolution of their existing method of delivery would save money. It would also allow them to provide better service.

Additionally, by moving away from a paper-based system and using an automated self-service portal for IT support, legal professionals can avoid calling a support engineer when something goes wrong. Users can learn from tutorials and self-help articles to fix devices themselves. As law staff become more familiar with the equipment, they develop confidence to interact with new services and equipment. They learn modern skills and a willingness to experiment with what digitalization can do for them.

At the same time, it frees up IT engineers as law staff benefit from learning how to interact with new services. As the law firm moves forward embracing technology, they become open to further changes in the future for a more connected workforce. It has to start somewhere.

What Would Come Next?

A possible next step would be to employ a chatbot, such as tawk.to, which allows legal professionals to communicate with one another, as well as with their clients. This enables real-time communication to occur at any time. By engaging their clients outside of scheduled hours, attorneys provide a more satisfying experience.

This would also help law firms that switch to charging their clients based on successful final results, rather than by billable hour. Since they aren’t being paid by the hour, it makes sense to maximize their time. Digital approaches to communication streamline this process.

In Conclusion

With a sector that is known for preferring a traditional, more conservative operation, it is even more important to take a gradual, phased approach. The right IT Director can plan accordingly to ensure the comfortable adaptation to increasing legal technology. Though the legal team may never be as adept as the IT technicians themselves, this will help the entire law office, as they attempt to improve their digital resources. With the best legal IT tools, the law office should be able to provide better services for their clients and improve their bottom line.

7 Great Benefits of Using Computer Tablets in Schools

tablets schools

Tablets aren’t just digital babysitters for young kids or fancy versions of ereaders. They offer real value as educational tools. Their versatility, portability, and ease-of-use make them an excellent conduit for learning. Below are seven benefits of using tablets in the classroom.

Seven Solid Benefits of Tablets in the Classroom

1. Portability

Lightweight, easy to carry, and durable if they have screen protectors and cases, tablets can be picked up and taken on field trips, used in group projects, even taken home. That is a distinct advantage over desktops, and they are easier to transport than laptops. Bonus: Students with unreliable or no internet at home can potentially be given devices that have broadband subscriptions.

2. Easy To Use

Even elderly parents and grandparents take to touchscreen technology pretty well thanks to the work of developers who’ve studied human behavior to put out the most intuitive devices possible. Elderly people who may have had trouble figuring out the mouse or who had to two-finger hunt-and-peck on keyboards have much less trouble learning to use voice commands or use their fingers to scroll through Instagram. So much easier for younger people whose brains are primed for new information already. Remember … these kids are the future, the ones who will be picking up the tech ball and running with it before you can say Instagram for eyeballs.

3. Great Apps Abound!

There are a TON of high-quality, low-cost educational apps out there. Many are even free. Check out Edshelf.com to see lots of great apps with reviews from teachers. You can build different “shelves” of apps that fit under a certain category. For instance, you could create a shelf where you save adaptability apps that are specifically designed for children on the autism spectrum. Cough Drop is an AAC app for people who have trouble speaking and could easily be downloaded to an iPad. Many other apps may not be specifically meant for differentiated instruction, but have options that make it easier to reach every student. The trick is in finding something that is easy to use but also worthwhile. Using Edshelf.com can help teachers discover the most effective tools because other teachers will post information about how they used the app, whether or not they had any trouble, and how effective it was at enhancing the lesson in a genuinely valuable way.

4. Digital Libraries At Your Fingertips!

No more heavy backpacks! No more waiting for college before being allowed to write in their textbooks!

With tablets (and other computers) students can use digital textbooks like Geography Alive! They’re not only lighter; in the long term they are cheaper. Most tablets are pretty affordable, and digital textbooks are typically less expensive than their paper counterparts. They have the added bonus of interactive features, annotation, dyslexic-friendly font options, audio features (the textbook reads itself!), and study materials. Even if digital textbooks were only available on desktops, they would seem a lot cooler than printed books. However, with a tablet, you can carry all of your textbooks, plus digital libraries in the form of apps like Hoopla and Libby. For this benefit alone, tablets look like a sweet deal.

5. Good Training For Real Life

Touchscreens are ubiquitous. Tablets are the only computing devices right now (apart from smartphones) that offer the user interface and experience that prepares students for the type of digital experiences they will have into their adulthood. They allow teachers an opportunity to demonstrate for students how to live in a digital age. This is perhaps the most important advantage of all. The reason? Because the fact of the matter is, short of an apocalyptic event that thrusts civilization back into the Stone Age, the technological advances will keep coming. Educators need to properly prepare students to know the differences between good and bad information, to keep themselves safe online, and to use these technologies in a responsible way. Students will learn netiquette at earlier ages.

6. Versatility

With the proper accessories, tablets can be used as a slate, artist’s canvas, worksheet, journal, handwriting sheet, whiteboard, camera, laptop, and more! Kids can go through a scavenger hunt on a field trip, edit video, or just revise their papers on the tablet using the extremely intuitive UI/UX that’s only getting better every day.

7. Nearly Instant Assessment

The answer to every ADHD kid’s prayers, and the balm for every secondary teacher’s overloaded arms! Students can take quizzes and tests, run lab simulators, and turn in homework online. No more messy papers, no more shuffling through stacks of grading. Grade papers and immediately switch screens to record the grades. How cool is that?

The Final Grade?

With the ease-of-use, intuitive design, and relatively low price point, these versatile little devices belong in the classroom. It’s even better than some of the sci-fi dreams of super-powered desktops. These portable gadgets fit even into the pudgy hands of preschoolers who, given proper guidance and limits, show more engagement and improved literacy skills when tablets are included in their lessons. Tablets will never replace real human interaction, nor should they, but used thoughtfully, they’re a great tool.

Your Medical Device May Be A Computer. Treat It Like One!

Medical Device Security

We all know about Food and Drug Administration (FDA) food recalls. Remember the ban on romaine lettuce from Arizona? That was finally tracked down to a contaminated irrigation pipe. Quite a bit of tainted lettuce was eaten or discarded before that happened.


The FDA is in charge of more than just food. It also regulates and recalls medical devices. It is little appreciated that many medical devices nowadays either are essentially computers or contain subassemblies that are computers. So, they have all the issues that computers do: bugs, hardware failures, and cybersecurity risks.

What Are Some Examples of Medical Device Error?

Some medical devices, like bone screws, get recalled because they break before their intended end-of-life. Or because their sterile packaging does not protect them until the product’s expiration date. There are many others like this.

With medical devices involving computers, the reasons for recall are countless. Below are just a few:

  • One recall was due to a device that was intended to generate radiation for cancer treatment giving too high a dose without warning.
  • Another included anesthesia carts that go into failure mode and shut off the flow of anesthetics and oxygen unexpectedly.
  • Still another, automated blood testing equipment, was giving false results.
  • IV infusion pumps were giving the wrong dose or shutting off unexpectedly.
  • Implantable insulin pumps were delivering the wrong dosage.

Any of these could have results that are fatal.

Why Is Security An Issue?

Many medical devices are part of the “internet of things” (IoT) and communicate with each other or medical records systems via wires or wireless technology. Unfortunately, this means they are potentially “hackable.”

An intruder could, say, cause an anesthesia cart to stop delivering an oxygen/anesthetic mixture and deliver only the anesthetic gas. This could kill the patient, while at the same time displaying results on the monitor that would indicate to the anesthesiologist that there was nothing wrong.

An implantable insulin pump could be wirelessly told to deliver a fatal overdose of insulin. Any device that is connected to a medical records system could be hacked to deliver false data. The possibilities are literally endless. And they are scary.

What Is the FDA Doing About Safety and Security?

The FDA has a plan in place to dramatically improve its current surveillance of medical device problems. Obviously, this will involve a lot of infrastructure and database development and will involve all the usual privacy and security issues.

The FDA has in place a system of post-marketing surveillance that is designed to provide early warnings when problems arise in medical devices. Of course, there will be a steep learning curve. Checking the incoming data for indications of device problems is potentially an ideal application for artificial intelligence (AI).

The FDA has also issued guidance on cybersecurity to manufacturers of medical devices. That advice will strike cybersecurity experts as behind the curve:

  • Give different users different levels of authority
  • Require strong passwords
  • Make sure users are notified of software and firmware patches
  • Many similar recommendations

So far, none of them address one of the most fundamental security flaws that repeatedly shows up in software: elevation of privilege. Once a hacker has control of processes in the operating system (and even the most primitive devices have analogues of them), the hacker can create a superuser who has control of the entire system and can bypass any security measures that are in place.

The software industry as a whole has no solution to this, because the concept of user privilege is fundamental to almost any operating system. The only way around it is to have “locked down” systems in which changes can be made only by the physical replacement of a chip. But that defeats all the advantages of the IoT and connectivity in general.

Medical Devices For Consumers: What’s Good Enough?

Medical device makers whose target market is medical professionals have focused on “more”: more accuracy, more graphics, better resolution, more connectivity, and so on, all of which translates into more expense.

With an increasing focus on costs in healthcare and with more devices aimed at consumers, the market will begin to ask, “What is good enough?”

Consumer-oriented blood glucose meters for diabetics are not as accurate as those designed for use in hospitals, but they are faster, far easier to use, and the newest designs do not require a fingerstick. Instead, they are read from a sensor stuck to the skin. Some newer hearing aids can be adjusted with a smartphone app, sparing the patient a visit to the audiologist.

The Holy Grail of consumer-focused medical devices might be this: an implantable device that will capture data on all critical physiological parameters and transmit warnings to the patient’s physician when something is out of line, or, in a real emergency, summon an ambulance. Smartphones can already broadcast locations to emergency medical services; the next step would be adding the capability to transmit the patient’s physiological data.

This means that paramedics would arrive knowing what is wrong (heart attack, trouble breathing, severe blood loss) rather than having to assess the situation from a standstill. Of course, if the machine malfunctions or is hacked, it could send the wrong data to paramedics. Those dangers do exist and are very real. The hope for medical professionals is that we will find solutions to these problems so that medical devices can be counted on for accuracy and are impervious to hackers.

Before we get to that place, we will need to find ways to ensure that our systems and medical devices are much more secure than they are at present, or we will widen the possibilities for disasters.

What Are PhishPoint Attacks And How Can I Best Protect Against Them?

PhishPoint Attacks

What’s PhishPoint?

Phishing attacks are attempts to get e-mail recipients to provide sensitive information that can be used by the sender, generally while posing as the authority behind some account or business. They request that recipients provide information that could be misused for some type of illegal gain by the sender. An example of this would be a fake email from PayPal requesting that the reader verify their bank information to address some kind of update or security risk. These phony requests result in the fraudulent use of the user’s info.


SharePoint or PhishPoint attacks are a specific kind of phishing attack in which SharePoint users are targeted by hackers using malware to misuse information, or otherwise cause undesirable consequences for unsuspecting and vulnerable users. PhishPoint attacks are not unique in that they still rely on the basic attempts of hackers to deceive the consumer. They are designed to make someone believe that the sender is a representative of a legitimate organization. They pretend to be approaching the consumer for valid and honest reasons. They are intended to seem genuine.

PhishPoint attacks target SharePoint users and OneDrive accounts in an attempt to get vital personal information from the user. If the recipient clicks on the bad link, they open the door to malicious software or malware that steals the user’s information. The user’s system is infiltrated through malicious HTML and URLs that can steal banking information or spread malware as described.

Victims of this form of attack may also encounter an impersonation of a standard access request to business documents stored within OneDrive accounts. These documents may then be stolen through malicious code. Sometimes access is made possible through a fake Office 365 login redirection.

What Are Examples Of Vulnerabilities And Demands?

Illegal logins have been reported through this form of attack in increasing numbers in recent times, as hackers continue to find new ways to penetrate the best security efforts at Microsoft. Secant Technologies explained that business documents used in OneDrive should be protected by a combination of software and general best practices in addressing third-party or spam email requests. Users should be skeptical of redirections to login screens that have any unusual or seemingly unofficial characteristics. It takes a keen eye to spot them.

Although firewalls and antivirus software may recognize and detect many phishing scams, they are simply not enough to stop phishing scams from being successful. A new report shows that users are the weak link when it comes to internet security. A careless employee may click on an email attachment that downloads a destructive virus or ransomware. This will cause chaos in any organization. Eventually, companies pay out thousands of dollars to cyber thieves.

Cloud or email security can do little to eliminate phishing scams; it takes educating users on what to look for. While recipients should be able to recognize spam or otherwise unofficial emails, they simply get busy and don’t pay enough attention.

PhishPoint campaigns of this nature may be detected and blocked within a matter of days or even hours, but any transmission of sensitive information during this time can still result in major consequences to individual users or the entire organization that they represent.

According to Security Affairs, approximately 10% of office users were affected by attempts to induce a PhishPoint attack within the two weeks of observation included in their assessment. This showed the extent to which hackers are able to reach users in mass campaigns. While security developments such as ATP and Safe Links have been improved to reduce vulnerabilities, the basic nature of these attacks makes them dangerous. Many aspects of general security are left up to the individual user.

Office 365 currently involves yearly subscriptions with packages that can be upgraded to include ATP, Safe Links, and other security features. These will reduce vulnerabilities and increase security to avoid many forms of hacking, but cannot eliminate all forms of attack.

Office 365 security measures currently are capable of scanning links or URLs included in HTML code or the bodies of emails. They attempt to match recognized threats that have been added to blacklists, but they cannot prevent users from carelessly clicking on a malicious link.

Using baseStriker attack techniques, malicious links can be disguised. This technique splits a URL so that security software does not detect it as being malicious.
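As an added illustration (not code from the original post, from Avanan or from Microsoft), the following Python shows why a link scanner has to resolve links the way a mail client renders them: baseStriker, as publicly documented, puts the host in an HTML base element and leaves only a relative path in the link itself. The message body, the host name and the blocklist below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample message body (not a real campaign). The <base> element
# carries the host while the anchor carries only a relative path, so a scanner
# that inspects each href on its own never sees the complete URL.
SAMPLE_HTML = """
<html><head><base href="https://phish-host.example/"></head>
<body>
<p>A document has been shared with you in SharePoint.</p>
<a href="sites/shared/Document.html">Open document</a>
<a href="https://www.office.com/">Office 365 home</a>
</body></html>
"""

# Constructed blocklist; .example is a reserved placeholder domain.
BLOCKLIST = {"phish-host.example"}


class LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        href = attrs.get("href")
        if tag == "base" and href and self.base is None:
            self.base = href  # browsers and mail clients honour only the first <base>
        elif tag == "a" and href:
            self.hrefs.append(href)


def collect(html):
    """Return (base_href_or_None, [raw hrefs]) for an HTML message body."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.base, parser.hrefs


def naive_blocked(html, blocklist):
    """Scanner that reads each href as written: a relative href has no host,
    so it can never match a blocklist entry."""
    _, hrefs = collect(html)
    return [h for h in hrefs if urlparse(h).hostname in blocklist]


def resolved_blocked(html, blocklist):
    """Scanner that resolves each href against <base>, as the client will,
    and only then compares the host against the blocklist."""
    base, hrefs = collect(html)
    full = [urljoin(base, h) if base else h for h in hrefs]
    return [u for u in full if urlparse(u).hostname in blocklist]


if __name__ == "__main__":
    print("naive scanner flagged:    ", naive_blocked(SAMPLE_HTML, BLOCKLIST))
    print("resolving scanner flagged:", resolved_blocked(SAMPLE_HTML, BLOCKLIST))
```

The naive scanner flags nothing for this message, while the resolving scanner reports the full blocked URL.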

According to Avanan, hackers have been increasingly taking advantage of SharePoint files in phishing campaigns. Advanced security such as ATP and Safe Links can be beneficial, but other layers of security protection are recommended. Office 365 contains excellent online security protection, but cybercriminals consistently search for ways to bypass it.

Secant Technologies provides more information regarding common practices and recommendations for overall safety or protection from phishing campaigns.

What’s The Bottom Line? What Should My Business Do?

  • Learn more about the basic nature of phishing campaigns and protection.
  • Use email addresses with the best protection.
  • Install the strong protection features and update or upgrade as is determined most beneficial.
  • Regularly train employees on how to spot phony emails and phishing campaigns.
  • Hire IT consultants to audit your network and computing resources and recommend improvements.


What Are the Legal Impacts of California’s Potential Privacy Policy?

California Privacy Laws

California is known for being on the cutting edge of most things, and consumer privacy is one of them. Scheduled to take effect in 2020, the California Consumer Privacy Act gives consumers broader control over how their personal information is used. This was developed in part due to ongoing security breaches that have recently escalated. The new privacy laws in California include disclosures to consumers about how their personal information is collected, stored, transmitted, and shared. The new laws also address the sharing and selling of certain information without the individuals’ knowledge or consent.


After massive data breaches, such as the Experian breach, consumers were rightfully angry. As outrage grew, it became apparent that changes needed to be made. Private citizens deserved protection. The industry fought back, as the implementation of new privacy regulations was seen as a hardship to companies. This was why the law was delayed. It allowed a period for businesses to organize and develop policies and procedures that would ensure they were compliant by the deadline. Few outside the legal community and the California business community understand what the California Consumer Privacy Policy is, and how it may affect them.

What Does the Law Cover?

There are several aspects that fall under the category of one’s personal information. Many people would immediately realize that their name, address, and phone number would be among those items. They would also think of their social security number, driver’s license, and/or state identification number.

With a bit more consideration, they might realize personal information includes commercial information like records of their personal property. It covers biometric information, which includes fingerprints, retinal scans, and DNA. Under the new law, it also covers things like your Internet use and browsing history.

Protected aspects even include more obscure personal information like the sound of your voice and thermal information. How this is to be implemented, and even what one’s thermal information specifically is, will be defined by the Attorney General.

What Rights Are Provided to Individuals?

When the new law takes effect, there are several privacy rights that will be guaranteed to the citizens of California of which they had been hitherto deprived. For example, in many companies, it is commonplace to collect personal data, often relating to consumer purchase patterns, and sell that information to other companies. Under the new law, the consumer has the right to opt out of having their information used in that way. The primary rights provided by the California Consumer Privacy Policy are the following:

  • The right to transparency of who is collecting their personal information and with whom they are sharing it.
  • The right to demand the information.
  • The right to have the information deleted.

In many cases, if a company fails to comply, the consumer has the right to bring a lawsuit. This is something that was not available to consumers before.

How Will This Affect Businesses?

When first conceived, there were many industry concerns as to how this would affect companies’ ability to actually conduct their businesses. These were primarily raised by smaller companies. To relieve their anxieties, and reduce their disapproval, several modifications were made. These ensure that larger California businesses receive the brunt of the impact.

Three “thresholds” are included. If any one of the three is met, the law applies and the company has to comply with its data collection regulations:

  • The company has an annual gross income that is over $25 million.
  • The company annually buys or receives (for business purposes) the information of 50,000 or more consumers, whether personally or from their household devices, i.e., online use.
  • The company receives more than 50 percent of its annual revenue from selling personal information.

If any one of those thresholds is met, even by small companies, the business is subject to the law. Additionally, it impacts companies that are not actually based in California, but meet one of those thresholds while doing business in the state.

Will California Lead the Way to Privacy Policy Changes?

There is speculation that, since California often leads the way in policy changes, perhaps other states will begin to implement their own progressive privacy laws. Although it is unlikely to occur right away, an increasing number of areas may begin to see its merits for consumers. They will also note the minimal, if any, impact it has on most companies.

Additionally, as more states develop their own new set of standards, there is likely to be a push for unification. Federal guidelines emulating California’s privacy policy may be put into effect. This would make compliance, especially among companies with interests in multiple states, much easier to achieve.

In Conclusion

Currently, California businesses are required to at least have a privacy policy that includes data collection and information regulations. They must also maintain reasonable security for the personal information of consumers. This includes efforts to avoid breaches, but also requirements to notify individuals of breaches within a certain length of time when social security numbers, banking, and credit card information have been stolen by cyber thieves.

The new law will clarify, expand, and enhance these regulations. Perhaps, in time, these safeguards will be in place throughout the United States. Until then, it’s important for all individuals to do their best to protect their private information from cyber criminals.

How Can Instagram Accounts Be Hacked?

Instagram Hacked

What Is Instagram And How Is It Vulnerable?


Instagram is a recently created social media site that allows users to share images and videos. It is owned by the same person who owns Facebook, Mark Zuckerberg. Originally created in the partnership of Kevin Systrom and Mike Krieger, and officially launched in 2010, it first appeared on iOS before its increasing popularity brought it to Android in 2012 and Windows in 2016. Its features include editing filters, messaging, location display, tag browsing in searches, content ‘liking,’ and trend viewing.

Last year, the service reported that they had 800 million users, only five years after being purchased by Facebook. Bought for $1 billion, 40 billion people all over the world have been uploading images for years. While it is generally considered a beneficial and popular social media app, the software has been targeted by critics for several reasons:

  • Changes to interface features and use policy
  • The nature of censorship used
  • The ability for users to upload content that’s illegal or inappropriate.

Many aspects of the service are potentially vulnerable. Users have reported that their passwords were hacked. Google searches currently display websites instructing users how to hack passwords in the first few pages of search results. Hacked accounts can potentially lead to a wide range of problems, which may include social inappropriateness, crime, businesses negatively impacted, and more.

What Examples Are There Of Recent Account Hack Risks?

Security professionals believe that Instagram account users should better understand the specific security risks related to the use of this software. Many people sign up each day with no understanding of the various ways hackers can get into their account and use it for personal gain. Of course, Instagram advises users to create strong passwords. This is the first and most important step to prevent hackers from getting into your Instagram account.

Below are a few tips on creating strong passwords:

This: 378jsoTTkm84 NOT This: password1234

The password on the right would be cracked by hackers in less than one second. Here’s a website where you can check the strength of your passwords to see if they are good enough to fool hackers.

Guess how long it would take to brute-force the password on the left? 33 centuries (quite a long time). Below are a few more to try in the password checker:

Account123: This password would be brute-forced in 21 minutes.

Home1234: 5 minutes

Car2233: 20 hours (better)

Many people use their own name or their pet’s name with a series of numbers after it. These are usually very easy to crack as well.

Charles1234: 3 minutes to crack

Rover2323: 46 minutes (woof-woof!)

Carol3434: 4 minutes

Spot8888: 18 minutes
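To make the arithmetic behind those numbers concrete, here is an added Python example (not from the original post or from the checker it refers to). It estimates the alphabet size, the entropy and the worst-case exhaustive search time at an assumed guess rate, and it also flags the word-plus-digits pattern the text warns about, which wordlist rules guess long before any exhaustive search regardless of nominal entropy. The guess rate and the verdict thresholds are assumptions, so the absolute times differ from the checker’s; the ranking is the point.

```python
import math
import re
import string

# Assumed attacker speed: 1e10 guesses per second, a rough figure for GPU
# attacks on a fast, unsalted hash. Real figures depend on the hash, the
# hardware and the attacker's wordlists.
GUESSES_PER_SECOND = 1e10

# Character classes and the alphabet size each one contributes.
CHARSETS = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)

# "Name or pet's name followed by a run of digits", the pattern from the text.
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]{3,}\d{1,6}$")


def charset_size(password: str) -> int:
    """Alphabet an attacker must search: the sum of every class present."""
    return sum(n for chars, n in CHARSETS if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Entropy of a password drawn uniformly at random from that alphabet."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def brute_force_seconds(password: str) -> float:
    """Worst case for exhaustive search: an upper bound, not a guarantee."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def looks_like_word_plus_digits(password: str) -> bool:
    """Dictionary-style passwords fall to wordlist rules, whatever their
    nominal entropy; 'password1234' scores 62 bits yet is guessed at once."""
    return WORD_PLUS_DIGITS.match(password) is not None


def assess(password: str) -> dict:
    """Combine the entropy estimate with the pattern check (thresholds assumed)."""
    bits = entropy_bits(password)
    pattern = looks_like_word_plus_digits(password)
    if pattern or bits < 50:
        verdict = "weak"
    elif bits < 70:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {
        "password": password,
        "bits": round(bits, 1),
        "exhaustive_years": brute_force_seconds(password) / (365 * 24 * 3600),
        "word_plus_digits": pattern,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pw in ("378jsoTTkm84", "password1234", "Account123", "Home1234",
               "Car2233", "Charles1234", "Rover2323", "Carol3434", "Spot8888"):
        r = assess(pw)
        print(f"{pw:14} {r['bits']:5.1f} bits  "
              f"{r['exhaustive_years']:10.3g} years  {r['verdict']}")
```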

Two-Step Authentication

Two-step authentication is one of the best and simplest ways to provide your account with the high level of security it requires. You can go a step further and use biometric authentication. This solution uses your fingerprint and/or photo of your iris as a password to your account. New ways to protect users from hackers are constantly being created.

Getting Locked Out

Some users have been locked out of their accounts when hackers took control of them. This can be scary and infuriating. The Sun reported on an ‘epidemic’ hacking of Instagram that occurred when hackers in Russia took over many popular accounts, then changed the names and photos. Some users reported that it took them weeks to get their accounts back. They said that Instagram wasn’t very helpful so they had to do a lot of the work themselves.

Despite improvements in security, hackers have increasingly been able to break into all types of software programs, social media platforms, email accounts, and even company databases. There seems to be nowhere that hackers can’t go if they want to. They apparently have the tools, resources and backing to focus all their efforts on hacking day in and day out.

Some of these hackers are sponsored by big governments like China and Russia. These countries have realized how much money there is in hacking and they seem to have no conscience about committing this crime. One good ransomware attack against your company could net thieves $30,000 or $40,000. Most people will pay the ransom to get their files back, though this doesn’t always ensure that you will.

Instagram Security Improves

Instagram security has been improving in a number of ways. They are now being upfront in the media about the hacking experiences their customers are enduring. They have stated that they will continue to dedicate themselves to addressing all reports of hacks. With each one, they will:

  • Record all the details of what happened
  • Examine the relevant security aspects
  • Get the customer’s account restored as quickly as possible
  • Improve the relevant software through updates
  • Make or suggest any other improvements that could prevent the breach from occurring again

Mashable Gets Hacked Too

In a recent article, Mashable explained that some of their users were having the same experiences as those on Instagram. Hackers would break in, change the name on the account, change the photos and pretty much just take it over. Even contact information and profile image were changed, leaving account holders to scratch their heads. It’s a story being told more and more often.

“It’s embarrassing and frustrating to feel so vulnerable,” said one Mashable patron.

How Could My Account Be Hacked And What Resources Exist For Security?

Users should be aware that accounts can be hacked by:

  • A forgotten password hack
  • Coding
  • Phishing
  • CheatDroid
  • A range of third-party applications

Conclusion

UGTechMag is a good source of online guides and tips available to help protect users. It’s best for Instagram users to learn all they can about how to keep their account secure. Today, that takes a proactive approach. All over the world, hackers are working non-stop to find ways to hack into your computer, your network, your social media accounts, your email … whatever they can do to find personal information about you and use it to exploit you, that’s what they’ll do. That puts each of us in the position of having to remain vigilant and proactive. We must each do everything possible to protect ourselves from cyber thieves.