How Difficult Is Collaboration In Today’s Law Firms?

Law Firm Collaboration

Communication—this is so important for the proper running of any business; however, it is even more essential for law firms where the stakes are arguably much higher. Over the years, communication between attorneys and their clients was a time-consuming process that depended primarily on scheduled face-to-face meetings and paper documents being mailed or hand-delivered for review and revision.


As in-office communication evolved, fax machines and then e-mail allowed a quicker turn-around for sharing documents and information. Unfortunately, this did not make collaboration with others, whether in-office or across the country, any easier. E-mail is notoriously inefficient for collaboration: it is not fully secure, and as a chain of correspondence grows longer, it becomes difficult to keep track of specific information. Important or sensitive information can be misplaced, or even mistakenly deleted.

Although initially costly and complicated, the platforms in the early 2000s made digital collaboration and sharing possible, especially for larger firms willing to invest in them. As technology continues to improve, it becomes increasingly easier to update and advance to the next level of IT solutions for firms of every size.

Modern methods of collaboration provide more security, better organization, and quicker ways to share ideas, as well as documents. Faster speeds, of course, directly correlate to how much one is able to get done in every given billable hour. As the old adage goes, “Time is money.”

What Do Collaboration Platforms Include?

An attorney’s day is often hectic, consisting of communicating with new and existing clients, formulating strategies with associates, and managing cases. Add to that such tasks as updating calendars, logging hours, and making case notes. Often, each of these activities takes place in a different management tool, requiring busy individuals to log in and out and consuming valuable time better spent on more important business.

With a collaboration platform, law firms are able to keep all billing and calendar systems, document sharing, emails, messaging, and video communications in one location. It should be available to each attorney and staff member affiliated with the firm who needs to view it. Granting access to all employees can be a big security risk.

Available on your desktop, laptop, or mobile device, collaboration platforms keep all communication in one convenient location. They allow users to chat one-on-one or with a team. In addition, they can organize messages and documents, share quick and concise memos, and start or join a video conference. Collaboration software also enables associates to share computer screens and documents, which facilitates ongoing team conversations. This provides a method for each associate to begin and end his or her day on one platform for ultimate efficiency.

How Does New Technology Improve a Law Firm’s Ability to Collaborate?

Modern law firms realize that effective communication and better organization methods improve their ability to serve their clients. This will also increase their productivity and profits. Collaboration involves individuals with different specialties and strengths working together to produce superior outcomes.

Whether participating colleagues are interacting in person or across a distance, everyone needs to be able to share documents, ideas, and information. Video conference capabilities allow collaborators to speak “face-to-face” even though they are communicating remotely.

As a team of attorneys builds on one another’s ideas, brainstorming and combining knowledge and perspectives, they are able to create something greater than what each could provide individually. At the end of the day, each has a record of all relevant documents, emails, and messages available via a mobile application on their choice of electronic device.

How to Choose the Right Collaboration Platform

Collaboration software continues to influence how law firms view communication in the office, but choosing the right one can be daunting. Savvy buyers look for a straightforward, user-friendly option that provides customer support and training. They should select a platform that can integrate their key programs with existing systems, so work continues uninterrupted. Choosing software that is capable of automatic updates is advised. Future options may also extend to analytics, depositions, legal research, and AI software.

Consider choices that allow the administration to set the controls for the system and monitor the initial adoption and use of the platform, as well as ensure associates are complying with all data security standards. Piloting the collaboration platform with a small team eases the organization into the new techniques and allows the administrators to work out any issues before releasing it to the entire firm. This can prevent glitches and time-consuming problems.

In Conclusion

Technology continues to advance and online collaboration is no longer considered a new idea. As innovative technology platforms develop, they will increasingly be demanded in the office. The ability to collaborate online benefits both clients and their legal counselors. Clients no longer have to contact the office to request a hard copy of their file. By using an online portal, all parties involved can review, revise, and comment on documents instantly and conveniently on their personal computer.

As the dynamics of the legal workplace change, organizations must adapt and implement the most efficient and modern options available. Collaboration platforms are a logical and integral part of the legal office’s larger IT approach. Clients expect their lawyers to remain relevant, and law firms that fail to update are not supplying their clients with the best experience or the most successful results.

How Can Workforce Management (WFM) Software Help Me?

Workforce Management

Workforce management (WFM) software is an all-encompassing term for mobile and desktop programs created to support a business in managing its staff scheduling. The software began in call centers and other service businesses that have a large number of workers who are normally paid by the hour.


By helping a company make use of its business metrics, WFM software gives management the ability to better judge the number of service agents needed, or the number of people it takes to make a product within a certain amount of time.

According to Gartner Inc., one of the top research firms, workforce management software has five main roles:

  • Labor scheduling: Help administer employees’ skills and compliance requirements more effectively.
  • Time and work data collection: Capture and give very detailed information about the best use of labor.
  • Leave management: Process paid time-off requests with a keen understanding of the staffing and liability implications.
  • Task and activity management: Provide a detailed view of labor-management requirements to help with the complex decision making required for activity-based management.
  • Time and attendance: Receive feedback from other modules and apply rules to the reported times, based on the company’s needs.

Let’s break down the benefits of using workforce management software as your company begins to experience the positives and negatives of growing.

Engaged Employees Lead to a Better Customer Experience

A national poll has shown that 51% of workers in the United States do not feel engaged. These employees cost their employers as much as $300 billion each year, according to that same poll. Forecasting manually may mean your organization is spending too much time scheduling agents at times when they are not needed and not scheduling them when they are in high demand. At the same time, it is far easier to over- or under-schedule your employees, which leads to employee disengagement and, ultimately, customer dissatisfaction.

The use of WFM software for your company has the ability to achieve the following:

  • Administer work scheduling, paid time-off requests and day-to-day business happenings.
  • Collect time and labor data.
  • Evaluate past performance and call volume developments.
  • Accurately predict staffing and scheduling demands.
  • Foresee unexpected events which will help you know when to add incentives or give encouragement to your employees.
  • Add labor flexibility to provide multiple scenarios that simulate future scheduling restraints.

Having accurate quantitative data that WFM software provides will help you assess and understand your employee’s satisfaction and engagement levels. This will ultimately guide you to providing a quality work environment where engaged employees will transfer this positive experience directly to your customers.

The Use of Real-Time Analytics Will Help You Predict the Future More Accurately

As WFM evolves, the next generation of this software will combine real-time, speech, and emotional analytics with agent-enabled workflow engines and computer telephony integration (CTI) applications. What this ultimately means for your business is that it will help managers stay one step ahead of developing situations.

This added insight allows managers to apply emotional or voice analytics, which can help them better understand what is happening in real time in the call center. While keeping you informed about the current work environment, it also allows you to include a process that automatically notifies customer agents and gives them suggestions for handling high volumes or escalated customer-related issues.

For example, your company has just rolled out a new product that has an unforeseen issue or glitch. The advanced WFM software will be able to detect an issue, alert management, and give up-to-the-minute feedback and advice to the customer service department so they can have ready solutions for the upset customers.

Can Workforce Management Software Help With Compliance?

Having proactive processes that address issues before they emerge will also allow managers to ensure that the company complies with all call-recording requirements. These requirements include the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, and the General Data Protection Regulation (GDPR). With these requirements and policies always changing, this gives you the peace of mind of avoiding potential penalties in the long run. The newest workforce management systems guarantee your organization complies with these regulations and has records for all of the calls in case you get a surprise audit.

Helping Your Business Launch to a New Level

Workforce Management (WFM) is a strategic asset in advancing your business goals of providing the highest-quality customer service at the best rate. Today’s demand for quality customer service means interactions take on ever-evolving shapes and forms. WFM creates forecasts and schedules for agents with various skills who are handling customer and employee interactions in a variety of ways. WFM enables managers to create proposed future schedules, agents to bid on the schedules, and managers to incorporate the bids into final schedules.

Conclusion

Having the ability to maintain employee engagement and customer satisfaction will give you the opportunity to focus on the quality of the product or service that you are creating. Ultimately, it provides the needed tools to move your company to the next level. Experience continued growth and success with today’s innovative workforce management software.

What The Rise In API Data Breaches Means For Your Network

The increasingly digitalized world we live in has a lot of benefits in business and in relationships, but with it also comes a whole new host of problems, including a rise in API data breaches.

API Data Breaches

A number of high-profile companies have been affected by API data breaches in recent years, allowing other businesses to learn from their mistakes in regard to cyber attack prevention. It can be difficult to regain public trust once a breach has occurred, not to mention the legal ramifications of failing to store your users’ information properly. Performing a vulnerability test on your system can help identify areas of weakness.

Given the vast variety and differences between potential attacks today, there is no easy solution to data breaches, and the right approach to prevention can depend on numerous factors. API security, in itself, is complex, and before you can come up with a good game plan, you must understand what you’re up against. While today’s cyber attackers are finding new ways to infiltrate networks all over the globe, there are a few common attacks you’ll need to keep an eye out for. Familiarizing yourself with these will help you form an effective plan for prevention.

What Are Some Different Types Of Data Breaches?

Data breaches can be the result of a variety of different attacks. Three of the most common include man-in-the-middle attacks, session cookie tampering, and distributed denial of service attacks. Each of these is unique in the way it is conducted, and which type of information may be at stake. Here, we’ll break down what these are and how you can shield against them.

Man-In-The-Middle Attacks

Man-in-the-middle attacks are common in today’s cyber world. In this scenario, there is the victim, the system they are interacting with, and the “man in the middle”, which refers to a person attempting to intercept a victim’s data. In order for this cyber breach to be successful, the victim must not know about the man in the middle. Some tactics man-in-the-middle attacks utilize include IP spoofing, DNS spoofing, Email hijacking, HTTPS spoofing, Wi-Fi eavesdropping, and stealing browser cookies.

The typical MITM attack requires that the attackers gain access to a poorly secured Wi-Fi router, which is commonplace in public areas that offer free Wi-Fi hotspots for guests. This may also be the case in a person’s home, where a Wi-Fi network may not require a password. Once attackers detect a vulnerability in a network, they can intercept a victim’s data using different tools and use what they capture to gain access to the different sites the user visits. Once the data is intercepted, the attacker will attempt to decrypt it to gain access to protected information.

Session Cookie Tampering

Cookie poisoning and cookie tampering describe an attack in which cookies, the pieces of data stored in a particular user’s browser to track information from websites, are modified to bypass security in hopes of infiltrating a network. A cyber attacker using cookie tampering might gain access to a user’s account via false information, such as tricking a particular server into accepting the modified version of an intercepted cookie.

It can be fairly easy to carry out cookie tampering if the application’s developers did not carefully protect the information stored in cookies. This is especially true when key parameters have been labeled and are therefore simple to identify. A strong web application firewall can help prevent cookie tampering by detecting a cookie’s “set” commands and only accepting them if the information held within is verified.
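One way to implement the verification described above, as an added example that is not part of the original article: the server attaches an HMAC-SHA256 tag to the session cookie (the key below is a constructed placeholder) and refuses any cookie whose tag no longer matches, so a cookie edited in the browser, such as a role claim changed from user to admin, is rejected rather than trusted.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real deployment keeps the key out of
# source control and rotates it.
SERVER_KEY = b"example-server-key-do-not-reuse"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_cookie(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Serialise the session claims and append an HMAC-SHA256 tag.

    Format: <base64url(json)>.<base64url(tag)>. The tag covers the exact bytes
    of the encoded payload, so any edit to the payload invalidates it.
    """
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(tag)}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the claims if the tag is valid, otherwise None.

    Nothing in the cookie is trusted until the tag checks out; the comparison
    is constant-time so the check does not leak timing information.
    """
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _b64decode(payload_b64)
        tag = _b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def edit_role_claim(cookie: str, new_role: str) -> str:
    """Simulate the modification the article describes: rewrite one claim in
    the payload while keeping the original tag, which then no longer matches."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_b64decode(payload_b64))
    claims["role"] = new_role
    edited = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64encode(edited)}.{tag_b64}"


if __name__ == "__main__":
    cookie = issue_cookie({"user": "katie", "role": "user"})
    print("genuine cookie ->", verify_cookie(cookie))
    print("edited cookie  ->", verify_cookie(edit_role_claim(cookie, "admin")))
```

Signing protects integrity only; claims that must stay confidential should not be placed in the cookie at all, and the usual Secure and HttpOnly flags still apply.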

Distributed Denial Of Service Attacks

DDoS, or distributed denial-of-service attacks, are also common in today’s digital realm. This is a type of attack in which more than one compromised system attacks a target, causing a denial of service for other users. This type of attack has been utilized by a variety of groups, including individual hackers, government agencies, and even organized crime rings.

Post-Assessment Tips

Once an assessment of your network and its potential vulnerabilities has been conducted, you should take the appropriate steps to remediate the issues found.

To begin, start with the basics. Maintaining a solid inventory of your APIs is the first step you should take to ensure you’re protected against attacks in the future. Once you’ve done this, you can begin to develop and implement an effective set of security policies, which can include authentication and authorization, traffic management, and training on how to detect content threats.

You might even consider an API management gateway to up the ante on protection. It is also a wise idea to evaluate your existing platform vendors. Often, third-party vendors represent a weak security link. Remove sensitive data in your API URL path as well.

As you can see, network security requires a layered approach. There are certain techniques that work better for some businesses. A great IT specialist can help you find the best combination to provide your business with a good line of defense against the wide range of cyber threats.

Third-Party Vendor Breach and Subsequent Delays in Reporting Now Result in Major Problems for an Orlando Healthcare Provider

A recent breach left the protected health information (PHI) of more than 19,000 patients in Orlando, Florida completely exposed online for two months before it was detected. What is more concerning, however, is why it took the group of clinics involved five months to report the breach to the Department of Health and Human Services, and six months to alert the affected patients.

HIPAA Data Breach Orlando

How the Breach Happened

The Orlando Orthopaedic Center in Florida hired a third-party vendor to handle their transcriptions, as do many clinics and health centers. When the vendor was updating their software during December 2017, they made a serious mistake that misconfigured access to one of their databases. That configuration issue left their server open to the public and accessible over the internet. Anyone who desired could access the patient data stored on that server, without any authorization. It was two months before the mistake was discovered.

Impact of the Breach

This breach left 19,101 patient records seriously exposed, which was not only a major HIPAA violation but a situation that could easily result in identity theft. Once the breach was recognized, investigators discovered that a great deal of information had inadvertently been made publicly available. This included names, insurance details, dates of birth, medical treatments, employers, and, in a limited number of cases, social security numbers. Fortunately, no financial information (debit card numbers, credit card numbers, bank account numbers, or other financial records) was exposed during the breach.

All patients who received treatment from any Orlando Orthopaedic clinic prior to January 2018 would have been affected by the breach. Investigators were not able to determine whether anyone had gained access to what should have been protected PHI, and none of the affected individuals have, as of yet, reported identity theft or misuse of their PHI. However, the investigators were still unable to rule out the possibility of information theft or unauthorized access to patient information.

Aftermath of the Breach

Orlando Orthopaedic did not find out about the breach until February 2018, two months after it occurred. However, it would be almost six months before the affected patients were notified by mail. The clinics involved have yet to provide a reason for the delay in notification.

As a result of the security breach, Orlando Orthopaedic Center employees are receiving cybersecurity training even though they were not directly responsible for the problem. In addition, the affected clinics are taking additional security measures to ensure that PHI, whether stored on their own servers or accessible through endpoints, is secured.

The transcription vendor responsible for the breach has offered all the affected patients one year of free credit monitoring and identity theft protection and restoration services. The vendor has also made changes to their security to ensure that information on their servers remains protected from prying eyes.

In addition, all patients involved have been advised to closely monitor their insurance Explanation of Benefits statements, as well as their other accounts for any signs that their PHI is being used fraudulently. In the event that a patient sees unusual activity, they should notify their insurance provider immediately.

Who Is Responsible?

Even if a third-party vendor or business partner is responsible for causing the breach, the healthcare provider is still held legally responsible. In this case, Orlando Orthopaedic is the responsible party even though it was the vendor’s security that was lax, a situation over which they had no direct control. This reinforces the fact that healthcare providers must be thorough in vetting potential vendors.

Concerns about Delays

As already mentioned, it took Orlando Orthopaedic six months to notify their patients of the PHI breach and five months to notify the Department of Health and Human Services Office for Civil Rights (OCR). According to HIPAA guidelines, the OCR should have been notified within 60 days of discovery of the breach, not five months. The same deadline applies to notifying patients.

No doubt a fine is to be expected. Presence Health delayed reporting a breach to the affected patients and OCR 40 days past the 60-day deadline. Their fine amounted to $475,000, and was the first case of a HIPAA breach fine for the untimely reporting of a breach of unsecured PHI.

Conclusion

Even if the breach of PHI is caused by the carelessness of a business partner (including third-party vendors), the healthcare clinic is still the entity held legally responsible. There is a 60-day deadline for notifying OCR and the affected patients, and failure to meet this deadline will most likely result in a punitive fine. Failure to notify the patients right away can damage the reputation of the healthcare provider. Even offers of credit monitoring and identity theft restoration cannot undo the negative effects of the breach.

Girls in Tech: Girl Scouts of the USA Adds New Badges

Girl Scouts of the USA recently announced the addition of 30 new badges now available for Girl Scouts aged 5-18. The new badges were created to address a number of today’s most important social issues, including environmental advocacy, cybersecurity, robotics, computer science, and space exploration, among others.

Girl Scouts New Tech Badge

Girl Scouts of the USA has long served as a means for young girls to acquire life experience and develop a number of important soft skills, which include perseverance and confidence. The benefits of participating in Girl Scouts are proven. According to one study, Girl Scouts are over twice as likely to demonstrate community problem-solving skills compared to those who do not participate.

The Cybersecurity badge, funded by Palo Alto Networks, will introduce the girls to a variety of age-appropriate internet safety and privacy principles. They will first learn how the internet works, then learn techniques to spot, report, and further investigate cybercrime.

Cybercrime is on the rise, and the Girl Scouts are in a unique position to influence young girls all over the nation. According to the FBI’s 2017 Internet Crime Report, cybercrime resulted in more than 300,000 complaints last year with losses reaching upwards of $1.4 billion. Raising awareness about cybercrime is just one step toward combatting the problem, and with the help of their sponsors, the Girl Scouts are on their way toward arming a new generation of young people with the tools they’ll need to make a difference in internet security.

New Leadership Journeys

In addition to the cybersecurity badge, the new badges include two additional Girl Scout Leadership Journeys to help girls on their path to growth. Girl Scout Leadership Journeys involve hands-on activities to help girls utilize their new skills to tackle problems within their respective communities. These programs prepare girls to achieve success in fields like computer science, robotics, and cybersecurity.

Funded by Raytheon, “Think Like a Programmer” offers girls a valuable foundation in computational thinking, which will serve as the basis for next year’s Cyber Challenge, a first for the organization. The Think Like an Engineer Journey will help girls further understand how engineers approach and solve problems.

Phase one of the national computer science program for middle school and high school-aged girls has been run as a pilot in a small group of geographies since earlier this year. The program is expected to expand nationwide in the fall of this year, with select groups of Girl Scout councils piloting the upcoming Cyber Challenge next year in 2019.

Raytheon & The Girl Scouts: A Partnership

Raytheon Company, headquartered in Waltham, Massachusetts, is a leader in technology and innovation in civil government, defense, and cybersecurity solutions. With a history spanning nearly a century, Raytheon operates in more than 80 countries. The company has a long history of partnership with several Girl Scout Councils. It is the inaugural sponsor of the Girl Scouts’ computational thinking program, which will expose the girls to age-appropriate content across areas such as science, engineering, technology, and math.

Although women make up half of the current college-educated workforce, only 29% work in occupations dealing with science and engineering. The new partnership with Raytheon seeks to increase the number of female STEM leaders by encouraging girls to explore an interest in these fields early on. In fact, the Girl Scout Research Institute (GSRI) compiled the Generation STEM report, which determined that 74% of teen girls demonstrate an interest in STEM fields; however, this interest fades as they get older and move on through middle school and high school. The decreased interest is thought to be the result of a lack of exposure to STEM fields in ways that pique their further interest and inspire ambition.

In 2017, the Millennial Cyber Security Survey, conducted by the National Cyber Security Alliance (NCSA), found that the majority of female Millennials said that more exposure to STEM information, training, and classes during their middle school and high school years would have had an impact on their interest in cybersecurity careers. These new badges will strive to empower young girls to achieve their goals across all industries, particularly those currently dominated by males.

History Of Girl Scouts

The Girl Scouts of the US have been making a difference across the nation for more than a century. The first Girl Scout troop was established in 1912 in Savannah, Georgia by Juliette Gordon “Daisy” Low. Since then, the organization has grown exponentially, reaching a membership of more than 2.6 million. Today, they continue to operate under the principles of courage, character, and confidence in hopes of making the world a better place.


Email Scam: Sage and Clare Homewares Business in Victoria, Australia Loses $10,000

How Can I Keep My Business Safe From an Email Scam?

Recently, small business owner, Phoebe Bell of Sage and Clare, a popular homeware designer business in Australia, opened up about her company falling prey to email scammers. Sage and Clare lost $10,000 from the hi-tech thieves who Bell says were most likely tracking the company’s emails for months.

Email Scam Warning

As they have done countless times before, Sage and Clare placed a routine stock order with an unnamed supplier. In fact, Bell handled the order herself, emailing back and forth with the supplier about the order for several weeks.

In the midst of negotiating the order, the supplier informed Bell they had a new bank account to pay the money into for the order. Again, this was nothing out of the ordinary, Bell says, because suppliers often change bank accounts.

After paying the $10,000 into the supplier’s “new account,” Sage and Clare discovered that their business was the victim of a scam, where a third party posed as the initial supplier. The scammers most likely hacked emails and read through the correspondence between Sage and Clare and the supplier, intercepted the specifics, and then redirected the payment funds.

Fortunately for Sage and Clare, they have the capital to recover from this loss. For some small businesses, losing $10,000 would cripple them.

Ms. Bell said that she was both embarrassed and distressed that this sort of thing could happen to her. She thought that she was smart enough to spot a dirty trick like this. When she opened up about the incident online, she found that many others had gone through a similar experience. She says that if someone had broken into her shop and stolen $10,000, the local police would come out and do a full investigation. But since the incident happened online, there’s nothing the police can do. She did report the theft to her bank, the Australian Federal Police, and the Australian Cybercrime Reporting Network (ACORN).

How Can I Train My Team to Spot Hackers?

How can you keep your business safe from these types of email scams? What kind of safeguards can you put in place to ensure that your business does not fall prey to thieves prowling for businesses who practice naive online transactions?

5 Effective Tools to Keep Your Australian Business Safe from Hackers in 2018

Routinely Train Your Employees

Almost 90% of cyber attacks are caused by an employee’s human error or an honest mistake, according to cyber consultant Willis Towers Watson. These circumstances are commonly the result of employees giving sensitive information to hackers who pretend to be clients in need of information.

Routinely scheduling an online security awareness training for all your team will keep your company updated and vigilant to fend off hackers.

Improve Your Technology

Having anti-virus software in place to protect your company’s site from viruses and malware is the first step in good cybersecurity.

It is essential to have the software updated on a regular basis. We all get the update software notices, and it’s easy to ignore or delay the update to the next day, week or month. Make sure your IT department stays on top of all updates and patches. This will ensure that each computer is up-to-date.

Here are some questions to ask yourself and your team to ensure you are protected from viruses and malware:

  • Do we have firewall protection?
  • Are our passwords strong?
  • Do we use two-factor authentication?

Being able to confidently answer these questions will give you peace of mind that you are doing your best to keep your business safe from cyber-attacks.

Keep a Tight Rein on Internet Access

This key step is often overlooked by employers but is so important. Your IT department can set up your computers so that they cannot access risky sites. Make sure that important company information can only be accessed by a chosen few.

Another good tip is to make it a practice to stay informed about current online data breach scams. Routinely making a habit of following a blog that reports the latest hacking news will help you stay vigilant.

Don’t Keep Unnecessary Data

It isn’t necessary to store old data or customer information that is outdated or no longer useful for the company. Too often, though, companies don’t take the time to purge old records. Instead, they end up keeping information such as credit card numbers and other sensitive information in their system for customers who are long gone.

When the information is of no further use to your company, have a system in place where it is deleted. This will ensure that you avoid the risk of revealing unnecessary customer information if you are breached.

Adhere to a Phishing Awareness Checklist

Sticking to a protocol of routinely checking off safety practices will keep you aware of potential phishing attacks.

Here are some suggestions of important checklist questions you may want to include:

  • Do you recognise who’s sending the email?

If not, hover your mouse over the “From:” field to check for the right domain (e.g., an email from Yum Dog Treats should come from the domain yumdogtreats.com).

  • Can you identify the sender’s email address?

Don’t open anything when the sender’s name does not match the email address. If “Katie Jones” from “Yum Dog Treats” sends you an email, her address should look something like kjones@yumdogtreats.com, not kjones1989@gmail.com.

  • Is there an attachment the sender wants you to open?

Be suspicious of all attachments, but especially ones with two extensions (e.g., file.doc.scr) or small zipped files.

  • Is there a link from the sender?

If so, does the URL match the message of the email? Hover your mouse over the link to reveal the actual URL before clicking it.
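The four checklist questions above can be turned into simple automated checks. The script below is an added example, not part of the original article: it parses the From: header, flags double extensions ending in an executable type, and compares a link’s visible text with where it really points. The expected domain yumdogtreats.com comes from the article; the sample message and the “.example” host are constructed.

```python
"""Heuristic checks for the four phishing checklist questions (added example)."""
from __future__ import annotations
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: the domain the sender's organisation is expected to mail from.
EXPECTED_DOMAIN = "yumdogtreats.com"

# Final extensions Windows will execute; "file.doc.scr" opens as .scr, not .doc.
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}


def check_sender(from_header: str, expected_domain: str) -> list[str]:
    """Questions 1 and 2: does the address behind the display name belong to
    the organisation it claims to come from?"""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From: header has no parseable address"]
    domain = addr.rsplit("@", 1)[1].lower()
    # Exact match or a real subdomain only: "yumdogtreats.com.evil.example" fails.
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        return [f"sender domain {domain!r} is not {expected_domain!r}"]
    return []


def check_attachment(filename: str) -> list[str]:
    """Question 3: flag double extensions whose final part is executable."""
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS:
        return [f"double extension: {filename!r} will run as .{parts[-1]}"]
    return []


def _host(value: str) -> str:
    """Hostname of a URL or bare domain, with a leading 'www.' dropped."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_link(visible_text: str, href: str) -> list[str]:
    """Question 4: does the URL the link shows match the one it points to?"""
    text = visible_text.strip()
    if " " in text or "." not in text:
        return []  # plain words such as "Click here": nothing to compare against
    shown, actual = _host(text), _host(href)
    if shown != actual:
        return [f"link text shows {shown!r} but points to {actual!r}"]
    return []


def triage(message: dict, expected_domain: str = EXPECTED_DOMAIN) -> list[str]:
    """Run every check over one parsed message and return all findings."""
    findings = check_sender(message["from"], expected_domain)
    for name in message.get("attachments", []):
        findings += check_attachment(name)
    for text, href in message.get("links", []):
        findings += check_link(text, href)
    return findings


# Constructed sample modelled on the article's Yum Dog Treats scenario.
SAMPLE_MESSAGE = {
    "from": "Katie Jones <kjones1989@gmail.com>",
    "attachments": ["Order_Confirmation.doc.scr"],
    "links": [("www.yumdogtreats.com/orders", "http://yumdogtreats-orders.example/login")],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```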

Conclusion

With the current situation, cyber-attacks are increasing dramatically in Australia and around the world. No one is safe. It’s every person’s duty to remain informed and aware of these scams. Ms. Bell learned her lesson the hard way and it cost her $10,000 to do so. You may not be financially able to learn such an expensive lesson.

Intel Chip Vulnerabilities: What We Know So Far!

What Do We Know About Terminal Fault (L1TF) Chip Vulnerabilities?

Understanding The L1 Terminal Fault (L1TF)

Intel has recently confirmed L1 Terminal Fault (L1TF) chip vulnerabilities in its processors that can be manipulated by malware and malevolent virtual machines with the intention of stealing private information from a computer’s memory.

Who or What is Vulnerable?

In short, Intel’s desktop, workstation, and server CPUs are exposed. Memory that Intel initially described as impregnable has been found to have holes. That means sensitive data belonging to other software and to other customers’ virtual machines can be stolen by malicious software and guest virtual machines, whether on a vulnerable device or on a cloud platform.

This private information may include personal and financial account details, passwords, and encryption keys. It can also be taken from other customers’ virtual machines, and from both System Management Mode (SMM) memory and SGX enclaves.

SGX, an Intel technology, is intended to guard private information from code geared to peep and pry.

SMM serves as a computer’s clean-up operator. It is an alternate software environment that usually lives in the computer’s firmware, with total control over the hardware and unrestricted access to all of its data.

Let’s break down the three bugs that Intel has grouped under the name L1 Terminal Fault (L1TF):

CVE-2018-3615

CVE-2018-3615 impacts Software Guard Extensions (SGX). More specifically, Intel says, “Systems with microprocessors utilizing speculative execution and software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis.” The research teams that discovered CVE-2018-3615 named the vulnerability Foreshadow.

The Fix:

Fixing this vulnerability will require the microcode update. To be safe, it is also recommended that you update your operating system and VM hypervisor. The patches should be available now for just about all operating systems.

This bug was discovered by two different groups:

  1. Jo Van Bulck, Frank Piessens, Raoul Strackx from imec-DistriNet – KU Leuven.
  2. Marina Minkin, Mark Silberstein from Technion, Ofir Weisse, Daniel Genkin, Baris Kasikci, Thomas F. Wenisch from The University of Michigan, and Yuval Yarom from University of Adelaide and CSIRO’s Data61.

CVE-2018-3620

According to Intel, “Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.” In short, CVE-2018-3620 affects operating systems and SMM.

The Fix:

To fix this, operating system kernels will need to be patched. Also, the SMM needs the microcode update, to be safe.

CVE-2018-3646

Intel states, “Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis.” CVE-2018-3646 affects hypervisors and virtual machines.

The Fix:

Fixing CVE-2018-3646 will require the microcode, operating system, and hypervisor updates in order to protect your data.

Extra Fix:

A hypervisor works by running virtual machines, or virtual processors, on the shared resources of a physical server. At the same time, it relies on multi-threading, a technique by which a single set of code can be used by several processors at different stages of execution. Intel calls this Hyper-Threading: one of its cores can be split to act like two separate processors of the multi-core CPU as far as the hypervisor is concerned. This technique creates what Intel calls “sibling threads.”

Since these threads share the pool of L1 cache attached to the core, a malicious guest on one of the virtual processors could exploit the third variant of L1 Terminal Fault and obtain data used by the other sibling thread.

Even though the processor recognizes the illegal access and denies the request, if the data is sitting in the L1 cache at that moment it can still be revealed to the attacker.

Both CVE-2018-3620 and CVE-2018-3646 were discovered by Intel’s engineers after the university researchers who discovered “Foreshadow” informed Intel about CVE-2018-3615, the SGX issue.

The Ultimate Fix

The real fix to all these problems will be made by replacing the processors. As Intel stated, when addressing L1TF, “These changes begin with our next-generation Intel Xeon Scalable processors (code-named Cascade Lake), as well as new client processors expected to launch later this year.”

For now, the best advice is to keep patching and be aware of any changes you see in the area of performance and speed with the patches.
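One way to see where a Linux host stands against the three fixes described above, as an added example that is not from Intel or the original article: the kernel publishes its L1TF state in the sysfs file named below, and this script maps that one line onto the kernel (CVE-2018-3620), hypervisor (CVE-2018-3646) and sibling-thread pieces. The status strings asserted in the accompanying checks follow the formats the kernel’s L1TF documentation lists; the interpretation and the “treat a missing file as unpatched” rule are my own assumptions.

```python
"""Read and classify the Linux kernel's L1TF status line (added example)."""
from pathlib import Path

# Real sysfs path exposed by kernels that carry the L1TF fixes.
L1TF_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")


def assess_l1tf(status: str) -> dict:
    """Map one status line onto the three fixes the article describes.

    kernel:     PTE inversion in place (the CVE-2018-3620 operating-system fix)
    hypervisor: L1D flush on VM entry, or no VMX/EPT attack surface (CVE-2018-3646)
    smt_safe:   sibling threads cannot leak L1 cache contents to a guest
    action:     what is still outstanding, in the terms used in the article
    """
    s = status.strip()
    result = {"kernel": False, "hypervisor": False, "smt_safe": False, "action": []}
    if s == "Not affected":
        return {"kernel": True, "hypervisor": True, "smt_safe": True, "action": []}
    if s.startswith("Vulnerable"):
        result["action"].append("kernel lacks PTE inversion: patch the OS (CVE-2018-3620)")
        return result
    result["kernel"] = "PTE Inversion" in s
    if not result["kernel"]:
        result["action"].append("unrecognised status line; treat as unpatched")
        return result
    if "VMX:" not in s:
        # Kernel built without KVM/VMX: the guest-to-host variant does not apply here.
        result["hypervisor"] = result["smt_safe"] = True
        return result
    vmx = s.split("VMX:", 1)[1].strip()
    if vmx.startswith("vulnerable"):
        # Hypervisor mitigation switched off: both the flush and SMT concerns stand.
        result["action"].append("enable hypervisor L1D flush and load microcode (CVE-2018-3646)")
        return result
    result["hypervisor"] = True
    if "SMT vulnerable" in vmx:
        result["action"].append("disable SMT, or keep untrusted guests off sibling threads")
    else:
        # "SMT disabled", or "EPT disabled" (shadow paging leaves no L1TF surface).
        result["smt_safe"] = True
    return result


def read_status(path: Path = L1TF_SYSFS) -> str:
    """Return the live status line, or 'Vulnerable' when the file is missing
    (assumption: a kernel too old to report on L1TF has none of the fixes)."""
    try:
        return path.read_text().strip()
    except OSError:
        return "Vulnerable"


if __name__ == "__main__":
    verdict = assess_l1tf(read_status())
    for key in ("kernel", "hypervisor", "smt_safe"):
        print(f"{key:>10}: {'ok' if verdict[key] else 'NOT ok'}")
    for item in verdict["action"]:
        print("    action:", item)
```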

Centers for Medicare and Medicaid Services (CMS) Propose Reducing Submission Requirements for Health IT Security Under MIPS

As providers are all too well aware, their payments from Medicare are affected by their score in the Merit-based Incentive Payment System (MIPS). MIPS imposes a number of requirements; if these are not met, payments may be reduced or denied.

The MIPS requirements apply to all Medicare claims, even those whose performance is not necessarily affected by a MIPS constraint. Among these universal requirements is the meaningful use of electronic health records (EHRs). Within the EHR requirements, we have the promotion of interoperability with other EHR systems, and within that, we have the security requirements. Among the security requirements is an annual security risk assessment.

What Has Changed?

In the Federal Register of July 27, 2018, the Centers for Medicare and Medicaid Services (CMS) proposes that the current security risk assessment requirement in MIPS be replaced. The suggested replacement will be an attestation to the activities included in the security risk assessment standard that has been performed in the past MIPS year.

This essentially switches the scoring of the security risk requirement from the equivalent of a numeric grade to a pass/fail scoring system. A practice or institution passes if it has done the assessment; how well it has done on the assessment falls by the wayside. The requirements are stated in a bare-bones fashion in the Code of Federal Regulations at 45 CFR 164.308.

CMS states that their rationale is, in part, a result of the realization that a risk assessment is done well, or not at all.

What A Serious Risk Assessment Entails

The thinking behind this can be found in the Office of Civil Rights (OCR) newsletter for April 2018. This newsletter distinguishes a gap analysis (“find the holes”) from a security risk assessment (“make sure there are no holes”). It is a highly useful guide to discerning the scope and the level of effort required for a serious risk assessment.

An article on the HHS website goes into greater detail explaining what is subject to the security rules and why:

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.

The guidance issued by OCR notes that the CFR requirements are divided into two categories: required and addressable.

The addressable requirements are not optional. Rather, if the approach specified in an addressable requirement is not feasible, the provider organization must develop an effective alternative approach that achieves the same end, and document it. The tendency to document-but-not-implement should be firmly resisted.

Did You Really Do A Risk Assessment?

Experts suggest that OCR has significantly underestimated the time required to do a serious risk assessment. Obviously, you have to look at hardware-associated risks. Are the BIOS files in your desktops and laptops updated? Has router firmware been updated?

You must take a hard look at software-associated risks as well. Are operating systems patched? You must strategically assess administrative risks: are you enforcing complex password requirements? Are you using biometric identifiers? Is data access truly on a need-to-know basis?

A Helicopter-Level View Is Not Adequate

The reader may protest that those concerns are nowhere to be found in the guidance. True. The point is that an adequate risk assessment will have revealed these as questions that need to be asked on a day-to-day operational basis. A risk assessment that is not dynamic misses all the critical points of vulnerability.

A risk assessment should point out any unnecessary risks and then offer a solid plan to eliminate them. It’s good to remember that the whole point of the endeavor is to make sure that the government (and all organizations) move toward better Internet and network security. With cyber breaches occurring on almost a daily basis, there’s every need to be more cautious about how we handle, store, and transmit Big Data.

The current cost of a data breach has reached between $1.3 million and $3.5 million. The number one most sought-after data that hackers are vying for is healthcare information. On the Dark Web, 30,000 up-to-date healthcare records will fetch a pretty price.

Conclusion

Under this proposed rule change, you will no longer be given a percent of compliance score on your risk assessment. You will simply be in or out of compliance. The upside is less administrative hassle; all you have to do is carry out the activities and attest that you did this. The downside is that this may lead to a relaxation of vigilance at a time when threats are constantly increasing.

What Can Azure Stack Do For Your Business?

Azure Stack has commanded plenty of loyal followers since its release, and it’s easy to see why. The platform provides many of the same great benefits users found in Microsoft’s Azure. Chief among them is the impact on multi-cloud environments. Building and deploying applications have become easier than ever before, and users are now able to enjoy the same familiar, tried-and-true tools to streamline their web operations. These factors plus a wide variety of others combine to create a solid case for Azure Stack.

Before you decide if a service like Azure Stack is right for your company’s IT structure, it’s important to know what benefits you’re dealing with. Knowing the basics of Azure Stack and its usage capabilities can help you determine whether it makes sense for your unique business needs.

What is Azure Stack?

It’s an extension of Microsoft’s Azure, and helps companies combine cloud computing with on-premises environments. Consistency is key with this type of platform, as it allows companies to deliver Azure’s unique services from their own unique datacenter for consistent hybrid cloud deployments.

What Are Some Benefits of Azure Stack?

There are many benefits associated with Azure Stack. For instance, users can apply Azure web and mobile services, architectures, and containers to extend legacy applications through the use of consistent processes in the cloud and on-prem. They can also build applications with a consistent set of tools and services, then deploy those applications to the appropriate location by writing code just once.

It allows companies the flexibility to seamlessly transition workloads between private and public environments, bringing a whole new world of potential for those who have long hoped for a turnkey solution to deploying applications. While deploying new cloud applications once took hours or even days, with Azure Stack, users can deploy them in mere minutes with the use of prebuilt solutions from Azure’s Marketplace. Add-on products, such as Commvault Hyperscale, are also integrated easily with Azure Stack.

One other perk users find in Azure Stack is its payment structure. Users pay only for the services they actually use, which can also be found in Azure.

How Can Azure Stack Be Useful For Federal Agencies And Financial Service Providers?

While Azure Stack is beneficial to companies across diverse industries, its capabilities are particularly helpful in the federal agency and financial services realms. Nearly all industries must comply with some sort of financial regulations, required either by internal policies or by customers. Security-wise, Azure Stack satisfies requirements that dictate sensitive data must be stored in one tightly managed location.

Among the many benefits of Azure Stack for federal agencies is the ability to provide edge and disconnected computing for remote users, such as military members in a combat zone or other areas where access to the cloud may be difficult to come by. The ability to process big data at the edge and have this data sent to one central location is highly useful to federal agencies.

Additionally, Azure Stack allows large agencies to build out private clouds to serve their internal teams, which provides specialized services both cost-effectively and securely. Azure Stack allows federal customers to remain compliant with governing regulations that call for the security of privileged and classified information, which may later be moved to a public cloud once those security requirements expire.

Adequate security is vital in the financial world, and today’s top financial organizations simply can’t afford a breach. Large financial service providers have the opportunity to host Azure Stack-as-a-service to other business units, resulting in a private cloud that becomes a consumable service. With this, business units are able to avoid the security issues that come from operating outside of a private cloud. Financial service providers are also able to now scale quickly with Azure Stack, given their ability to transition to the public cloud during times of heavy traffic.

What Are Some Azure Stack Storage Options?

When it comes to persistent storage while using Azure, developers are faced with three basic options:

  1. Tables
  2. Blobs
  3. SQL Databases

The last of these is a database-as-a-service that offers many of the same features found in SQL Server, but without the overhead of one key item: database administration.

Tables can hold upwards of 200TB of basic structured data. This may be a good option for those who prefer a NoSQL database, similar to MongoDB, but without the need to manage a data store service.

There is also the option of Blobs, short for binary large objects, which are unstructured storage objects built for storing binary data. Blobs can be accessed through API commands or REST, and have about the same storage capacity as Tables.

Wrap Up

All in all, Azure Stack has proven well worth its weight in terms of convenience for developers. If its current state is any indication, there should be plenty of exciting new features to look forward to in the years to come.

5 Facts You Need to Know About GDPR and Health & Life Sciences

The European Union GDPR (General Data Protection Regulation) that was officially enacted on May 25, 2018 doesn’t just apply to organizations operating in Europe – it has a major impact here in the United States, too. And among those being impacted are health and life science organizations. Few would argue the importance of GDPR compliance, but the vast majority of those in the United States who are affected by these regulations don’t necessarily understand what it means.

What follows are five key facts about GDPR that you need to be aware of if you work in health and life sciences.

Fact #1: GDPR more broadly defines personal data than HIPAA does.

HIPAA focuses on Protected Health Information (PHI), which includes governing the use, disclosure, and protection of PHI by covered entities. As you probably already know, covered entities include health care providers and their business associates, along with service providers and third-party vendors who need access to PHI to perform their services.

GDPR, on the other hand, regulates how personal data is processed, not just PHI – and under the GDPR, almost all information is considered sensitive and therefore protected. This is a much broader definition of protected data. GDPR, therefore, also impacts much more than just the covered entities described by HIPAA. Any entity that processes the personal data (which includes maintaining, adapting, storing, transmitting, etc.) of a business or resident in the European Union falls under GDPR’s purview. Thus, the type of info protected and how it is processed under GDPR has a far broader definition.

Fact #2: GDPR differs from HIPAA in how it restricts the use and disclosure of personal data.

Both HIPAA and GDPR are structured to prohibit the use/disclosure of personal data unless there is a provision in the regulation that allows it. However, GDPR is far more restrictive than HIPAA and there are fewer exceptions to the provisions. To make matters more interesting, the GDPR is not always as clear in its guidance as HIPAA.

The GDPR affects all residents and business owners located in the European Union, and those who collect their PHI. HIPAA affects healthcare organizations located in the United States only, but there are healthcare organizations based in other countries who have offices in the US. These entities are required to comply.

Fact #3: HIPAA compliance does not mean GDPR compliance.

As you have probably guessed by now, just because you are HIPAA compliant does not mean that you are automatically GDPR compliant. As discussed, the GDPR covers much more than just PHI. However, being HIPAA compliant means that your company already has experience dealing with compliance issues and has an excellent foundation on which to build solid GDPR compliance. Just keep in mind that there are different requirements involved with GDPR.

Fact #4: GDPR can apply to US Health & Life Science Organizations.

If your organization is considered an establishment in the EU, then it must comply with GDPR. But what does it mean to have an establishment? In a nutshell, having an establishment in the EU means offering goods and services to EU residents. Even if your organization has no physical presence in the EU, or exists as an EU corporate entity, you are considered an establishment if you offer goods and services to residents of the EU.

Here’s another way your organization can be required to comply with GDPR: if you monitor the behavior of EU subjects. If EU residents go to your website and you analyze or track their behavior, this counts as monitoring the behavior of an EU resident. This is especially true if your website is aimed at EU residents, which includes factors such as using EU-specific language or currency symbols.

Fact #5: The timeframe for breach reporting is much shorter under GDPR than HIPAA.

Under HIPAA, your organization has no more than 60 days to officially report a breach to a regulatory body, the Health and Human Services (HHS) Office of Civil Rights (OCR), unless it can be demonstrated that there was a low risk that the data was actually compromised.

Under GDPR, that timeframe for making an official report to a regulatory body is shortened to just 72 hours. Under GDPR, the affected individuals must also be notified if the breach poses a high risk to their rights and freedoms. Note that the focus of the GDPR is protecting the rights of the individual, while the aim of HIPAA is more about protection of the data itself.

Conclusion

Because healthcare is global, with diseases and illnesses refusing to acknowledge the existence of socio-political borders, the data related to healthcare is as well. In a very real sense, protecting our personal information including healthcare data is a global concern.

If you are part of a life science or healthcare organization in the US that has a presence on the web or works with entities (including business associates and vendors) who operate overseas, then you need to make sure that your organization is GDPR compliant. Being HIPAA compliant is an excellent foundation upon which to build GDPR compliance, but isn’t synonymous with GDPR compliance. While there are many similarities between HIPAA and GDPR, they involve very different goals and GDPR is much broader in its definitions of what constitutes protected data.

For most health and life sciences orgs, regardless of where they’re located, it’s important to understand both HIPAA and GDPR regulations. The fines and penalties for just one violation can be thousands of dollars.