November 28, 2023
Cyberattack on US hospital owner diverts ambulances from emergency rooms in multiple states
Washington CNN — A cyberattack that diverted ambulances from hospitals in East Texas on Thanksgiving Day is more widespread than previously known and has also forced hospitals in New Jersey, New Mexico and Oklahoma to reroute ambulances, hospital representatives told CNN on Monday.
All of the affected hospitals are owned, or partly owned, by Ardent Health Services, a Tennessee-based company that owns more than two dozen hospitals in at least five states. Among the hospitals currently unable to accept ambulances are a 263-bed hospital in downtown Albuquerque, New Mexico; a 365-bed hospital in Montclair, New Jersey; and a network of several hospitals in East Texas that serve thousands of patients a year.
It’s just the latest example of how the scourge of ransomware – which locks computers so hackers can demand a fee – has disrupted services at health care providers throughout the coronavirus pandemic.
In a statement Monday, Ardent Health Services confirmed that a ransomware attack caused the disruption and that its facilities were “diverting some emergency room patients to other area hospitals until systems are back online.” Hospital facilities were also forced to reschedule some non-emergency surgeries. Patient care “continues to be delivered safely and effectively in its hospitals, emergency rooms, and clinics,” Ardent Health said on Monday.
A nurse working at one of the affected New Jersey hospitals told CNN that staff rushed “to print out as much patient information as we could” as it became clear that the hospital was shutting down networks because of the hacking incident. “We are doing everything on paper,” said the nurse, who spoke on condition of anonymity because they were not authorized to speak to reporters.
“Everything becomes a lot slower,” the nurse said, referring to the reliance on paper, rather than computers, to track things like lab work for patients. “We drill on that a few times a year, but it still sucks.”
Chiara Marababol, a spokesperson for two New Jersey hospitals – Mountainside Medical Center and Pascack Valley Medical Center – affected by the hack, said the hospitals continue to care for patients in emergency rooms. “[H]owever, we have asked our local EMS systems to temporarily divert patients in need of emergency care to other area facilities while we address our system issues,” Marababol told CNN in an email.
Officials with the federal US Cybersecurity and Infrastructure Security Agency (CISA) reached out to Ardent Health Services on November 22, the day before Thanksgiving, to warn the company of malicious cyber activity affecting its computer systems, a person familiar with the matter told CNN. Ardent Health spokesperson Will Roberts confirmed CISA officials contacted the company “to make us aware of information about suspicious activity in our system.”
But that was after Ardent Health detected “an anomaly” on its computer systems on November 20 and “engaged additional external cybersecurity resources to investigate,” Roberts told CNN. On Thanksgiving Day, Ardent Health realized it was ransomware. A CISA spokesperson referred questions about the communications to Ardent Health.
The outreach to Ardent Health was part of a program CISA began this year to try to warn organizations in critical industries that they risk falling victim to ransomware attacks unless they take defensive measures. CISA officials claim to have thwarted numerous ransomware attacks through the program.
The broad fallout from the Ardent Health hack shows how cyberattacks that hit a parent company or key service provider can have cascading impacts on critical infrastructure operators such as hospitals.
Cybercriminals, often based in Eastern Europe or Russia, have throughout the coronavirus pandemic repeatedly disrupted healthcare organizations across the US, locking computers and demanding a ransom. Many of the hacks have hit smaller health clinics that are ill-equipped to deal with the threat. And in the last nine months alone, other cyber attacks have resulted in ambulances being diverted from hospitals in Connecticut, Florida, Idaho and Pennsylvania.
A 2021 study by CISA specialists found that a ransomware attack can hinder patient care and strain resources at a hospital for weeks, if not months.
November 23, 2023
Offline backups are a key part of a ransomware protection plan - TechTarget
Ransomware is a major threat today, and it can be particularly harmful when it targets data backups. Offline backups are one method IT administrators lean on to protect against ransomware.
Offline backups are stored on an isolated storage infrastructure that is disconnected from production applications and infrastructure, as well as from the primary backup environment. The result is an air-gapped backup copy that businesses can use for recovery in the event that the primary backup copy becomes compromised.
Historically, an offline backup environment would be a good fit for data that requires less frequent access, such as long-term retention data, and data that is less business-critical. However, the simultaneous rise of cyber attacks and introduction of data privacy legislation have led to an increase in offline backups for mission-critical, frequently accessed data.
While offline backup ransomware protection is an effective option, it is a complex process. Offline backups play a role in ransomware protection, and there are numerous paths to get there. Before deciding to use offline backups for ransomware protection, organizations must consider some key factors. The backup method's practicality, cost, effectiveness and ability to meet recovery objectives are critical to keep in mind.
Offline backup can be a complex and slow process
The longstanding approach to creating an offline backup environment is shipping backup copies to an off-site, disconnected tape storage location. The problem with this approach is that today's IT operations teams are understaffed and significantly strapped for time, particularly in the area of cybersecurity. Many simply do not have the cycles to deploy and manage yet another infrastructure -- especially considering that the isolated infrastructure will require manual software updates to avoid security vulnerabilities.
Another backup environment to protect and pay for
A potential pitfall of these alternatives is infiltration of the isolated environment. As a result, the environment must be closely audited for network isolation, control over when the network connection is open, and role-based access to and control over the network and vault environment.
In addition, IT operations staff must look for an option that has data immutability and indelibility. Immutability renders the backup copy read-only, so no one can make unapproved changes to the data. Indelibility inhibits the backup copy from being deleted before the conclusion of a dedicated hold period. These safeguards help protect against data exfiltration and corruption in the event that a malicious actor is able to access the isolated environment.
Be aware of offline backup window and recovery time
For any implementation, admins must consider the backup window. They must know how long it will take to complete the backups, as well as any potential lags or gaps between backup jobs. This fundamentally affects the business's ability to meet required recovery points. Also important to factor in is the required recovery time. Both the backup window and recovery time are largely dependent on the frequency and size of backup jobs, as well as how much data the organization backs up.
Can cloud backups be offline?
New options are emerging that offer operational isolation, such as hosting the data off site in the cloud or through a service provider. These methods require a network connection to production-facing portions of the environment in order to transfer the backup copy to the isolated environment.
There are a few drawbacks to using the cloud for offline data backups. Since it is isolated, but not completely offline like tape libraries, the cloud is easier for a ransomware attack to reach. In addition, any cloud-hosted option is potentially subject to egress fees when data is recovered. This is important for IT operations staff to be aware of upfront because it is potentially a very expensive factor to overlook.
Krista Macomber, senior analyst at Futurum Group, writes about data protection and management for TechTarget's Data Backup site. She previously worked at Storage Switzerland and led market intelligence initiatives for TechTarget.
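The immutability, indelibility and backup-window points in the article above, worked through as an added example written for this page (it is not TechTarget's code or any vendor's product). It models a toy write-once vault with a hold period and computes the worst-case recovery point a backup schedule can actually deliver; the names ImmutableVault, worst_case_data_loss, SAMPLE_JOBS and REQUIRED_RPO, the constructed nightly schedule and the 24-hour recovery-point objective are all assumptions of the example. It goes one step beyond the text by showing numerically that a job whose duration grows adds directly to the data loss a recovery must accept.

```python
"""Toy model of an immutable, indelible backup vault plus a backup-window
check. Illustrative code written for this page; it is not TechTarget's or any
vendor's implementation, and every name here is an assumption of the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    name: str
    data: bytes
    taken_at: datetime
    hold_until: datetime  # indelibility: deletion is refused before this instant


class ImmutableVault:
    """Write-once store: a copy can be read but never overwritten (immutability)
    and cannot be removed until its hold period has elapsed (indelibility)."""

    def __init__(self, hold_period: timedelta) -> None:
        self.hold_period = hold_period
        self._copies: dict[str, BackupCopy] = {}

    def ingest(self, name: str, data: bytes, taken_at: datetime) -> BackupCopy:
        # Immutability: an existing name can never be replaced, even by an admin.
        if name in self._copies:
            raise PermissionError(f"{name!r} already exists and is immutable")
        copy = BackupCopy(name, bytes(data), taken_at, taken_at + self.hold_period)
        self._copies[name] = copy
        return copy

    def read(self, name: str) -> bytes:
        return self._copies[name].data

    def delete(self, name: str, now: datetime) -> None:
        # Indelibility: the hold cannot be shortened, only waited out.
        copy = self._copies[name]
        if now < copy.hold_until:
            raise PermissionError(
                f"{name!r} is under hold until {copy.hold_until:%Y-%m-%d %H:%M}")
        del self._copies[name]

    def names(self) -> list[str]:
        return sorted(self._copies)


def worst_case_data_loss(jobs: list[tuple[datetime, timedelta]]) -> timedelta:
    """Worst-case recovery point for a schedule of (start, duration) jobs.

    A job captures data as of its start but is only restorable once it has
    finished, so a failure just before job i+1 completes must be recovered
    from job i. The longest such span is the recovery point the schedule can
    actually deliver; a growing backup window lengthens it directly."""
    ordered = sorted(jobs)
    loss = timedelta(0)
    for (prev_start, _), (next_start, next_duration) in zip(ordered, ordered[1:]):
        loss = max(loss, (next_start + next_duration) - prev_start)
    return loss


def meets_rpo(jobs: list[tuple[datetime, timedelta]], required_rpo: timedelta) -> bool:
    return worst_case_data_loss(jobs) <= required_rpo


# Constructed sample schedule: one job every night at 22:00; the third night's
# job runs long (9 h) because of data growth, stretching the backup window.
SAMPLE_JOBS = [
    (datetime(2023, 11, 20, 22, 0), timedelta(hours=3)),
    (datetime(2023, 11, 21, 22, 0), timedelta(hours=3)),
    (datetime(2023, 11, 22, 22, 0), timedelta(hours=9)),
]
REQUIRED_RPO = timedelta(hours=24)  # assumed business requirement for the example


def demo() -> dict:
    """Exercise the vault's two safeguards and the recovery-point check."""
    vault = ImmutableVault(hold_period=timedelta(days=30))
    t0 = SAMPLE_JOBS[0][0]
    vault.ingest("full-2023-11-20", b"constructed backup payload", t0)
    try:
        vault.ingest("full-2023-11-20", b"tampered payload", t0)  # overwrite attempt
        overwrite_blocked = False
    except PermissionError:
        overwrite_blocked = True
    try:
        vault.delete("full-2023-11-20", now=t0 + timedelta(days=3))  # inside the hold
        early_delete_blocked = False
    except PermissionError:
        early_delete_blocked = True
    vault.delete("full-2023-11-20", now=t0 + timedelta(days=31))  # hold has elapsed
    return {
        "overwrite_blocked": overwrite_blocked,
        "early_delete_blocked": early_delete_blocked,
        "deleted_after_hold": vault.names() == [],
        "worst_case_loss_hours": worst_case_data_loss(SAMPLE_JOBS) / timedelta(hours=1),
        "meets_rpo": meets_rpo(SAMPLE_JOBS, REQUIRED_RPO),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints the five results. In the constructed schedule a 9-hour job on a 24-hour cadence pushes the worst-case loss to 33 hours, so a 24-hour recovery-point objective is missed even though a backup runs every night; that is the practical reason the article tells admins to track the backup window and the gaps between jobs, not just the schedule.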
October 09, 2023
Autonomous Fleets Are Almost Here. Are They Safe From Cyberattacks? | Opinion
As our society transforms into a more connected world, an essential component of this shift is the need for safe and secure driving experiences on our roads. The recent hacking of a Tesla in under two minutes by French security firm Synacktiv demonstrates how serious a concern this is—attackers were able to breach the cyber controls of the vehicle to carry out a number of malicious acts, including opening the trunk of the vehicle while in motion and accessing the infotainment system.
As more connected and autonomous vehicles (CAVs) and electric vehicles (EVs) hit the market, it is clear that manufacturing speed is outpacing security measures. The cybersecurity of vehicles is often overlooked in the auto rollout, even though the connected nature of modern vehicles makes them susceptible to hacking and other cyber challenges.
The cybersecurity of a vehicle is vital—without it, serious injuries or even fatalities can occur. Imagine the above Tesla scenario but worse—a hacker takes control of the car and locks the doors while speeding up the vehicle on a highway. The driver or passenger of the car then gets a notification on their mobile phone demanding a ransom in bitcoin—otherwise the hacker will crash the vehicle into the side of the road. This is an extreme scenario, but such a Ransomware 2.0 incident is possible today. The big question is: are we ready to enable incident management for such auto cyber challenges?
Another complicated part of this challenge is that the cyber risk is carried by the owner or operator of either individual vehicles or perhaps an entire EV fleet. The fleet could be made up of cars, buses, or trucks, and the necessary cybersecurity controls must be in place to enable greater cyber hygiene of these vehicles. As EVs are computers on wheels, a distributed denial of service (DDoS) attack on multiple vehicles could disable an entire fleet of vehicles on our roads. Imagine hundreds of delivery or critical service vehicles out of service and the potential repercussions.
Fleets also depend on other critical systems to work. An Idaho hospital cyberattack earlier this year, where ambulances were diverted to other hospitals, demonstrates just how important it is to secure the entire vehicle ecosystem and not just the vehicle itself. This attack also allows us to imagine how serious the reverse scenario would be: what if the ambulance fleet itself was rendered inoperable?
If that's not enough, think about the fragile state of our current supply chain and all the issues it has faced since the pandemic. Now imagine a cyberattack causing an entire delivery fleet to stall. The supply chain and transportation infrastructure would be totally crippled, leading to major economic disruptions. It is important to highlight that these cyber challenges multiply as trucking fleets move to autonomous trucks, and they raise questions around legal liability in case of any cyber incident.
Data collection cannot be overlooked either. CAV and EV data is rich in personally identifiable information (PII) and might also contain other sensitive information such as payment card information or commercial data (such as fleet tracking and performance). Data governance regulations need to be implemented to secure the transmission and storage of this data to ensure privacy and compliance with legal and contractual obligations.
Although there are generic cybersecurity mandates in many countries, jurisdictions must enact automotive-specific cybersecurity legislation for cars operating on our roads. Countries are actively exploring the best ways to move forward with vehicle regulation—there has been emphasis on ensuring automotive manufacturers enable cybersecurity in all future models; however, with regard to operations of EVs, policies and best practices are still, slowly, being developed and legislated.
One area where more focus is needed is the owner/operator perspective, both for individual users and for fleet owners. As consumers, we are concerned about the safety features of our new vehicle, but we do not ask any questions about the cybersecurity level of the car. Ordinary consumers need to be made aware of how critical cybersecurity is to the smooth operation of the modern vehicle.
Fleet owners need to ensure they have effective cyber controls in place. They should have an asset inventory of all the software on their vehicles and ensure that they are aware of vulnerabilities and breaches for these software applications. Furthermore, they should carry out active cyber risk assessments for any third parties that develop vehicle software. Finally, they must carry out real-time cyber monitoring of the vehicles and ensure that incident management processes are in place to mitigate against any adverse cyber events. Only by proactively enabling this holistic cyber governance can these fleet owners survive in this brave new connected world.
AJ Khan is the founder and CEO of Vehiqilla Inc and a Catalyst Industry Fellow at Rogers Cybersecure Catalyst, Toronto Metropolitan University's center for research, training, and innovation in cybersecurity.
The views expressed in this article are the writer's own.
October 10, 2023
Q&A: Penetration Tester Shares Where to Make Healthcare Security Improvements
Cybersecurity incidents continue to grab headlines this year, from the MOVEit file-transfer vulnerability to LockBit ransomware attacks. As the threat landscape has grown in recent years, healthcare organizations have increasingly felt its damaging impacts. In Germany, for instance, a 2020 ransomware attack on a hospital redirected a patient away from the nearest hospital, resulting in a fatal outcome.
“Hospitals have historically been seen as out of scope for threat groups in the past,” says Anna Quinn, security analyst and penetration tester at Rapid7. “Ransomware as a Service is picking up. Threat groups are becoming much less discriminating about who they attack. We’re not safe in our bubble anymore.”
Healthcare organizations must also prepare for more targeted attacks from nation-state actors and other politically motivated groups, she adds.
What can healthcare organizations do to improve their cybersecurity strategies? One immediate step: Turn on multifactor authentication, which has also been recommended by the Cybersecurity and Infrastructure Security Agency during Cybersecurity Awareness Month. Rapid7’s 2023 Mid-Year Threat Review found that 39 percent of incidents observed by the company’s managed services team were from missing or careless MFA.
Quinn spoke to HealthTech about the importance of network segmentation, how to take advantage of pen testing and how physical security is connected to cybersecurity.
HEALTHTECH: What are areas of focus healthcare organizations can target immediately to bolster their security? What about areas that require long-term efforts?
QUINN: For both the short and long term, asset inventory and management is going to be one of the most effective things that you can do as an organization to make sure that you are protected. It’s not just knowing what devices you have but knowing where the devices live, both physically and on the network; knowing how many you have; what operating systems or firmware they're running; and when they were last updated.
This is an extensive project for a lot of hospitals. There’s a lot of gear shifting around all the time. All of this makes it incredibly tricky to track, and it makes asset inventory even more critical, because it can be so easy to lose track of what you have, and that can allow an attacker to potentially find untracked and unpatched devices and get further into the network.
In the long term, I would suggest investing in strong network segmentation. As a security or network engineer entering a healthcare organization, you will often notice that the network doesn’t have a lot of strong segmentation, and in some cases you may inherit a network that requires a lot of updating. Unfortunately, there isn’t always the funding to support large-scale infrastructure revisions, which can really impact things long-term. It can be costly to get a network into a completely segmented and safe position. But that's one of the biggest contributors to making sure that you are going to be safe as an organization.
Strong network segmentation can help mitigate the risks of any breaches that occur. With proper segmentation, for example, you can make sure that your dialysis machines are on their own network and segmented away from everything else. You can make sure that your lab equipment and similar devices are secured away, so that in the worst-case scenario, if you do get hit by ransomware, the ransomware will not deploy to those particular specific networks. That can save lives.
HEALTHTECH: Why should healthcare organizations conduct regular penetration testing? How should they approach pen testing? What are some common misconceptions?
QUINN: Healthcare organizations should conduct regular pen testing to find and cut off any paths that an attacker might be able to find within their networks. More and more, it’s a prerequisite that we assume that a breach has already occurred in our organization, regardless of whether it was accomplished through phishing, an exploit or an insider threat. It becomes imperative that we address the network as though it has already been compromised and that we find out how an attacker could compromise further systems or cause damage to the environment through such access.
One common misconception is that pen testing and vulnerability scanning are the same thing. The biggest differentiator that we have between pen testing and vulnerability scanning is that vulnerability scanning will find vulnerabilities within the network, but it won’t chain those together and create an attack path.
Say that you have a server that has a known exploit against it: The pen tester could actually exploit that vulnerability, chain that with other discovered misconfigurations or vulnerabilities, and gain access to systems that you believed would be secured. Meanwhile, a vulnerability scan will simply tell you about that vulnerability. That’s why it's important to do pen testing: to see what additional compromise can happen should a system become compromised.
It’s easy to review a vulnerability scan against our network and say that we’re all patched, we’re all up to date, we should be safe. But without that verification and manual testing, there could be additional vulnerabilities that an attacker can exploit to cause an extensive compromise of your environment. Active Directory in particular has quite a few misconfigurations and vulnerabilities that could lead to a compromise, and these don’t tend to be caught by the typical vulnerability scanner.
Pen testers are there to help. Many businesses see preparing for a pen test as preparing to either succeed or fail as a security team. But that’s not the approach that’s most conducive to a good test. What we should be trying to accomplish in pen testing is to have a known party find these vulnerabilities for you. You want them to find all of your vulnerabilities; you want them to find attack paths that could be abused. If we do not find them on our side, an attacker will, and the attacker is not going to have the same mindset that we have when we approach it. They are going to be looking to cause damage. They’re going to be looking to exploit those systems to extort anything they can get from you or bring you down.
HEALTHTECH: What are the top lessons you’ve learned in your experience as a pen tester that you can share with other healthcare organizations?
QUINN: A flat network, as we call it, could be something where, if I had gotten onto a workstation, I could contact most other servers or devices on that network, and I could attack those. It makes it incredibly easy for an attacker to move around the network.
I’ve had healthcare facilities that I’ve tested that had relatively flat networks. In one case, I was able to get into the virtual sitter systems and view patients in their rooms. I could access patient data because the computers on the floor did not have adequate segmentation. This allowed me to sign in with breached credentials, and I was able to get into their Epic system and access patient data.
In addition to that, MFA is a massive security factor that needs to be implemented. Implementing MFA, while it can be a bit of a cost to a company, can drastically decrease the risk of breach.
Last, I would say that cybersecurity and physical security are actually very closely linked. And it’s not just whether you can get to critical systems. It’s whether an actor can get to a network jack that hasn’t been properly decommissioned, and in doing so, connect to the network and gain access through that. It is whether an attacker can get into your facility and potentially implant devices to call back to C2 servers and compromise your network. Having strong physical security controls and access restrictions in the hospital is incredibly important.
Strong physical security and policies around device removal can also prevent access to sensitive wireless networks, which may otherwise be properly secured. One of our lead researchers, Deral Heiland, recently performed extensive tests against medical pumps, discovering that many of them still contained Wi-Fi passwords for medical centers around the country after being decommissioned and recycled. If an attacker can gain access to such passwords, they can get onto protected medical device networks and cause a significant operational impact.
HEALTHTECH: When it comes to conversations about combating ransomware in healthcare, what do you think is missing from the conversation? Where should people focus?
QUINN: It’s funding. It can be quite costly to perform some of the actions that I’ve recommended here, especially when you’re doing network or infrastructure upgrades at scale. It can be costly as well to increase your workforce for security, whether physical or cyber. It is a difficult battle at times for security teams to justify making such sizable cost investments when executives and board members don’t see the work put in to prevent significant cyberattacks. It’s definitely a pain point for a lot of organizations that I’ve worked with. I’ve worked with a few facilities that have skeleton crews of two or three people doing the best that they can. We need more people for stronger security. We need funding and we need people to help fight on these front lines. The goal is to help people and to save lives, and we all need to invest in that if we truly believe in that mission.
October 11, 2023
Second Annual Ponemon Institute Report Finds That Two-Thirds of Healthcare ... - Yahoo Finance
Proofpoint, Inc.
The average total cost of a cyber attack experienced by healthcare organizations was nearly $5 million, a 13% increase from the previous year
SUNNYVALE, Calif., Oct. 11, 2023 (GLOBE NEWSWIRE) -- Proofpoint, Inc., a leading cybersecurity and compliance company, and Ponemon Institute, a top IT security research organization, today released the results of their second annual survey on the effect of cybersecurity in healthcare. The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023,” found that 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months. The average total cost of a cyber attack experienced by healthcare organizations was $4.99 million, a 13% increase from the previous year.
Among the organizations that suffered the four most common types of attacks—cloud compromise, ransomware, supply chain, and business email compromise (BEC)—an average of 66% reported disruption to patient care. Specifically, 57% reported poor patient outcomes due to delays in procedures and tests, 50% saw an increase in medical procedure complications, and 23% experienced increased patient mortality rates. These numbers reflect last year’s findings, indicating that healthcare organizations have made little progress in mitigating the risks of cyber attacks on patient safety and wellbeing.
The report, which surveyed 653 healthcare IT and security practitioners, found that supply chain attacks are the type of threat most likely to affect patient care. Nearly two-thirds (64%) of surveyed organizations suffered a supply chain attack in the past two years. Among those, 77% experienced disruptions to patient care as a result (an increase from 70% in 2022). BEC, by far, is the type of attack most likely to result in poor outcomes due to delayed procedures (71%), followed by ransomware (59%). BEC is also most likely to result in increased medical procedure complications (56%) and longer lengths of stay (55%).
“For the second consecutive year, we found that the four types of analyzed attacks show a direct negative impact on patient safety and wellbeing,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Our findings also show that more IT and security professionals view their organization as vulnerable to each type of attack, compared to 2022. These attacks are also putting an even greater strain on resources than last year—costing on average 13% more overall and 58% more in the time required to ensure the impact on patient care was corrected.”
Other key findings of the report include:
Ransomware remains an ever-present threat to healthcare organizations, even though concerns about it are on the decline: 54% of respondents say their organization suffered a ransomware attack, up from 41% in 2022. However, ransomware fell to the bottom of threat concerns, with only 48% of respondents saying this threat concerns them the most, compared to 60% last year. The number of surveyed organizations making a ransom payment also dropped, from 51% in 2022 to 40% this year. However, the average total cost for the highest ransom payment spiked 29% to $995,450. Further, 68% said the ransomware attack resulted in a disruption to patient care, with most (59%) citing delays in procedures and tests that resulted in poor outcomes.
All organizations surveyed had at least one data loss or exfiltration incident involving sensitive and confidential healthcare data within the past two years: 43% of respondents say a data loss or exfiltration incident impacted patient care; of those, 46% experienced increased mortality rates and 38% saw increased complications from medical procedures. Organizations experienced 19 such incidents on average, with malicious insiders the most likely cause (identified by 32% of respondents).
Concerns about supply chain attacks declined, despite these attacks significantly disrupting patient care. Only 63% of respondents expressed concern about the vulnerability of their organization to supply chain attacks, compared to 71% last year. At the same time, 64% of respondents say their organizations’ supply chains were attacked an average of four times and 77% of those that suffered a supply chain attack saw disruption in patient care, an increase from last year’s 70%.
Healthcare organizations feel most vulnerable to and most concerned about cloud compromise. Seventy-four percent of survey participants view their organization as most vulnerable to a cloud compromise, on par with last year’s 75%. However, a higher number are concerned about the threats posed by the cloud: 63% vs. 57% in 2022. Cloud compromise, in fact, rose to the top as the most concerning threat this year from fifth place last year.
BEC/spoofing concerns increased significantly. The number of respondents concerned about BEC/spoofing jumped to 62% from last year’s 46%. More than half (54%) of organizations experienced five of these types of incidents on average. The growing concern may reflect the finding that BEC/spoofing attacks are more likely than others to result in poor outcomes due to delayed procedures (71%), increased complications from procedures (56%), and lengthier stays (55%).
Low preparedness against BEC/spoofing and supply chain attacks puts patients at risk. Although the number of organizations concerned about BEC/spoofing phishing grew, only 45% take steps to prevent and respond to this type of attack. Similarly, despite the prevalence of disruptions to patient care from supply chain attacks, only 45% of organizations have documented steps to respond to them.
Lack of in-house expertise and insufficient staffing are an even bigger challenge than before to cybersecurity posture. Respondents identified lack of in-house expertise and insufficient staffing as the two biggest challenges to keeping their organization’s cybersecurity posture from being fully effective, and more organizations feel this challenge this year: 58% noted lack of expertise as a challenge vs. 53% in 2022, and 50% identified insufficient staffing vs. 46% last year.
“While the healthcare sector remains highly vulnerable to cybersecurity attacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care. I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “Our survey shows that healthcare organizations are already aware of the cyber risks they face. Now they must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.”
To download Cyber Insecurity in Healthcare: The cost and impact on patient safety and care 2023, please visit:
For more information on Proofpoint’s healthcare solutions, please visit:
About Proofpoint, Inc.
Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at
Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube
Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.
PROOFPOINT MEDIA CONTACT:
Estelle Derouet
Proofpoint, Vap.ce@cebbscbvag.pbz
October 11, 2023
Exploitation Accounts For 29% of Education Sector Attacks - Infosecurity Magazine
The education sector has been confirmed as a prime target for threat actors, with 29% of attacks originating from vulnerability exploitation and 30% from phishing campaigns on K-12 schools in 2023.

The figures come from the latest report by Critical Start, a Managed Detection and Response (MDR) cybersecurity solutions provider. The firm’s biannual Cyber Threat Intelligence Report, published earlier today, sheds light on noteworthy cyber-threats and emerging trends affecting various industries, including finance, education, manufacturing and state and local government.

One of the key findings in the report is the increasing use of Quick Response (QR) codes in phishing attacks. In these attacks, cyber-criminals disguise themselves as Microsoft security notifications and embed QR codes within PNG images or PDF attachments to deceive victims.

The report also revealed that ransomware groups are collaborating more extensively than previously thought, sharing tactics and procedures in greater detail. Critical Start believes this cooperative approach among threat actors emphasizes the evolving nature of the cybercrime landscape.

Another notable security concern is related to Microsoft Teams, which allows external accounts to send harmful files directly to an organization’s staff, potentially bypassing security measures and anti-phishing training. This increases the risk of successful attacks.

The report also discussed the actions of Volt Typhoon, a threat actor sponsored by the Chinese state, which is likely to continue carrying out cyber-espionage campaigns against US critical infrastructure in support of China’s broader government agenda.

“The volume and sophistication of cyber-attacks is continuously growing and evolving, making it impossible for organizations to feel on top of internal vulnerabilities and remain cognizant of every external threat,” said Callie Guenther, senior manager of cyber-threat research at Critical Start. “To democratize cyber threat intelligence, this report highlights the most prominent security-related issues plaguing business and how they can proactively reduce cyber risk.”
October 11, 2023
Most CISOs confront ransomware — and pay ransoms | Cybersecurity Dive
The odds of a CISO encountering a major cyberattack are about as high as they can get, with 9 in 10 CISOs reporting at least one disruptive attack during the last year, according to Splunk research released Tuesday. Almost half of the 350 security executives surveyed said their organizations were hit by multiple disruptive cyberattacks during the last year.

Ransomware accounts for many of these attacks. Almost every survey respondent, 96%, reported a ransomware attack and more than half experienced a ransomware attack that significantly impacted business operations and systems, the report found.

The number of ransomware attacks confronted by organizations has a direct correlation with the frequency with which ransoms are paid. More than 4 in 5 CISOs surveyed said their organization paid the ransom. At that level of ransom payment activity, CISOs have to operate under the assumption that ransom payments are effectively part of the job.

“CISOs have a duty to anticipate ransoms and also implement them in their budgeting for cyber insurance,” Ryan Kovar, leader of Surge, Splunk’s blue team security research team, said via email. “Minimally, they need to have a plan before they get ransomed that places them in a position of strong resilience,” Kovar said.

Ransom payments are part of the job
This high rate of ransom payments, which can fuel cybercriminal activities, underscores why the U.S. government and some of its allies floated a potential ban on ransom payments earlier this year.

“Fundamentally, money drives ransomware and for an individual entity it may be that they make a decision to pay, but for the larger problem of ransomware that is the wrong decision,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said at a May event hosted by the Institute for Security and Technology.

A ban against ransom payments would represent a major shift in strategy, opening up a new and complicated measure to counter financially motivated threat actors. The Biden administration, as recently as September 2022, decided against an outright ban on ransom payments. Instead, cyber authorities strongly encourage organizations not to pay.

The financial implications of ransom payments vary widely, according to Splunk’s report. Most organizations paid ransoms under $250,000, but nearly 1 in 10 paid ransoms over $1 million.

“That’s a lucrative business for ransomware gangs — and many desperate organizations gamble with their reputations in the hope of decrypting their data, recovering their systems and preventing the release of sensitive material,” Splunk researchers said in the report.
October 12, 2023
Simpson Manufacturing Takes Systems Offline Following Cyberattack - SecurityWeek
Engineering and manufacturing firm Simpson Manufacturing says it has taken some of its IT systems offline following a cyberattack this week. Headquartered in Pleasanton, California, Simpson Manufacturing produces building materials, including anchors, connectors, and new construction and retrofitting materials.

In a Form 8-K filing this week, the company told the Securities and Exchange Commission that, on Tuesday, it discovered a cyberattack that impacted some of its systems. “On October 10, 2023, Simpson Manufacturing Co., Inc. experienced disruptions in its Information Technology (IT) infrastructure and applications resulting from a cybersecurity incident,” the company said.

Upon discovering the malicious activity, the manufacturer took steps to contain the incident, “including taking certain systems offline”. Simpson Manufacturing says it has been working on addressing the issue, but the incident is expected to continue to cause disruption to parts of its business operations.

“The company has engaged leading third-party cybersecurity experts to support its investigation and recovery efforts. The investigation to assess the nature and scope of the incident remains ongoing and is in its early stages,” Simpson Manufacturing says.

Although the company did not provide information on the type of cyberattack it has experienced, taking systems offline is typically the response to a ransomware attack. SecurityWeek has emailed Simpson Manufacturing for a statement and will update this article as soon as a reply arrives.

According to a July 2023 report from Dragos, the number of ransomware attacks targeting industrial organizations and infrastructure has doubled over the past year, mainly fueled by a drop in ransomware revenue in 2022, as more and more victims refused to pay a ransom.

In January, British manufacturing company Morgan Advanced Materials fell victim to a ransomware attack that damaged some of its applications and file systems. In August, the company told the London Stock Exchange that some applications were still being recovered and that the incident had a £23 million (approximately $28 million) impact on the first half of 2023’s operating profit.
October 12, 2023
Making Sense of the 2023 Ransomware Landscape - Security Boulevard
Ransomware actors thrive in a fluid and dynamically changing business ecosystem and in times of radical upheaval, and that’s what they’ve gotten since Russia’s invasion of Ukraine. While the notorious Qakbot botnet, linked to more than 40 ransomware attacks over the past 18 months, was recently dismantled, plenty of new threat actors and their affiliates remain.

Understanding the current ransomware landscape is the first step to helping defenders protect their organizations. With this goal in mind, DomainTools researchers analyzed the most prolific ransomware families and the challenges they present in 2023. Here are some of the most important trends they identified:

LockBit – and the Ransomware-as-a-Service (RaaS) Model – is Thriving
LockBit is now the most deployed ransomware variant in the world. Their operation has brought in about $91 million in ransom payments from U.S. victims alone since its first reported attack in January 2020. The creators behind LockBit 2.0, which recently turned 3.0, have experienced tremendous success over the last few years, leveraging the now well-established ransomware-as-a-service (RaaS) model in their pursuit of riches. In spring 2023 alone, LockBit 3.0 was used in attacks on over 300 organizations, compared to just over 100 victim organizations for its closest competitor, AlphVM.

They show no signs of slowing down. The group has been actively advertising its services within popular darknet forums to recruit affiliates and expand its market share. It even launched its own bug bounty program with remuneration amounting to as much as $1 million, enough to rival the programs of legitimate businesses and government authorities. In short, LockBit exemplifies just how well-oiled a machine the ransomware trade has become.

As the marketplace continues to mature, we’ll see it become increasingly commodified and competitive. Just as with regular consumers, affiliates will have the opportunity to browse and negotiate better terms, service, and/or support from their RaaS provider. The competitive nature of the RaaS model could lead to higher-quality ransomware products, making the lives of defenders that much more difficult.

Mayhem in the Cybercriminal Underworld Creates Mayhem in Defense Strategies
In early 2022, cybersecurity defenders also had to contend with the gang Conti. The group eventually disbanded in May 2022 due to internal discord over geopolitical events, demonstrating once again that these groups do not exist within a vacuum. Conti had publicly announced its support for Russia days after the invasion of its neighboring country, leading a Ukrainian member to leak masses of the group’s internal documents and data in retaliation (now dubbed the “Conti Leaks”), and leaving room for the AlphVM and CL0P syndicates to grow their operations. The dissolution of Conti has also given rise to new players like Royal, Black Basta, Karakut and Quantum, made up in part of old Conti members. Of note, the former two players have already begun to make their mark, standing among the Top Five Ransomware Groups by Victimology for Spring 2023.

All of this movement has made it harder for defenders to determine who’s who. Where in the past the infrastructure, code bases and TTPs – or tactics, techniques and procedures – may have once been relatively unique to each group, the lines have now blurred as gangs disperse, reshuffle, and reorganize. Consequently, it is only going to become increasingly vital that organizations work alongside reputable companies that can provide accurate threat intelligence.

Crackdown on Payments Leads to Attacks on Vulnerable Industries
Last but not least, the past year has seen significant disruption to the services that ransomware gangs use to finance their operations. This includes the closure of unlawful cryptocurrency exchanges and the sanctioning of individuals tied to cybercriminal groups. What’s more, victims are less likely to pay up on ransom demands due to a combination of factors: better security posture and preparedness among companies with backups, reluctance among insurance companies to settle claims, and general expert opinion advising against taking such action. In fact, Chainalysis’ report noted a significant drop in ransoms paid, falling from $766 million in 2021 to $457 million in 2022.

To combat this, it seems some criminal groups are turning their attention to healthcare, IT services and government administration—industries that have, historically, been underfunded, but which are also under heightened pressure to pay and restore services quickly to mitigate the impact on people’s lives and livelihoods. Healthcare, in particular, has been hard hit, having moved up to the second most targeted industry in 2023.

What’s Next
We are facing a ransomware landscape that is only becoming more sophisticated as commoditization drives business innovation among cybercriminal groups. Add to this a muddying of the waters as gangs disband and reform, using a pick-and-mix of TTPs, infrastructure and code bases, as well as a rising trend among threat actors to target vulnerable industries as a way of compensating for reduced payouts. These trends pose a significant challenge for defenders. Organizations must be diligent about maintaining their defense-in-depth and work collectively with the most current threat intelligence to identify new trends and techniques in order to stay one step ahead of these motivated threat actors.
October 17, 2023
Rising AI-Fueled Phishing Drives Demand for Password Alternatives
Online phishing scams are becoming more frequent and more sophisticated, according to the Online Authentication Barometer, published by the FIDO Alliance on October 16, 2023.

When asked about phishing attacks, over half (54%) of respondents to the FIDO Alliance survey said they have seen an increase in suspicious messages and scams. Meanwhile, 52% believe phishing techniques have become more sophisticated, likely due to threat actors leveraging AI to create phishing schemes and deploy phishing campaigns.

“Tools like FraudGPT and WormGPT, which have been created and shared on the dark web explicitly for use in cybercrime, have made crafting compelling social engineering attacks far simpler, more sophisticated, and easier to do at scale. Deepfake voice and video are also being used to bolster social engineering attacks, tricking people into thinking they are talking to a known trusted person,” reads the report.

Passwords Still Dominant Across Use Cases
The FIDO Alliance found that password usage without two-factor authentication (2FA) is still dominant across use cases. The survey showed that people enter a password manually nearly four times a day on average, or around 1280 times a year. Vulnerable passwords are particularly used to log on to a work computer or account, with 37% of respondents using this method instead of multi-factor authentication (MFA).

Andrew Shikiar, executive director and CMO at FIDO Alliance, commented: “Phishing is still by far the most used and effective cyberattack technique, which means passwords are vulnerable regardless of their complexity. With highly accessible generative AI tools now offering bad actors the means to make more convincing and scalable attacks, it’s imperative consumers and service providers listen to consumers and start to look at non-phishable and frictionless solutions […], rather than iterating on ultimately flawed legacy authentication like passwords and one-time passwords (OTPs).”

The negative impact caused by legacy user authentication was also revealed to be getting worse. Nearly six in ten people (59%) have given up accessing an online service and 43% have abandoned a purchase in the last 60 days, with the frequency of these instances rising year on year to nearly four times per month, per person, up by around 15% on last year.

Biometrics Tops MFA Options, Passkeys Use Is Growing
When given the option, users are willing to adopt some of the “non-phishable and frictionless solutions” Shikiar mentioned. Biometrics ranks as the top MFA solution as it is both the preferred method for consumers to log in and what they believe is the most secure.

Speaking with Infosecurity, Roger Grimes, a data-driven defense evangelist at cybersecurity awareness company KnowBe4, praised the shift from password to MFA solutions. However, he warned that “not all MFA, and especially not all biometrics solutions, are resistant to phishing techniques. That’s why cybersecurity organizations should promote the use of phishing-resistant MFA, such as FIDO-enabled MFA methods.”

The survey showed that one of these FIDO-enabled methods, passkeys, has grown in consumer awareness, rising from 39% in 2022 to 52% today. Its use has been publicly backed by many big players in the industry, such as Google, Apple and PayPal.

Research for the FIDO Alliance’s Online Authentication Barometer was conducted by Sapio Research among 10,010 consumers across the UK, France, Germany, the US, Australia, Singapore, Japan, South Korea, India and China.

What Is the FIDO Alliance?
The Fast IDentity Online (FIDO) Alliance is a non-profit organization created in 2013. It has been responsible for developing and maintaining the FIDO standards, a set of open, standardized authentication protocols. FIDO authentication is based on public key cryptography, which is more secure than password-based authentication and is more resistant to phishing and other attacks. FIDO authentication is supported by a wide range of web browsers, operating systems, and devices, which makes it easy for users to adopt FIDO authentication without changing their hardware or software. The latest FIDO protocol, FIDO2, was jointly developed by the FIDO Alliance and the World Wide Web Consortium (W3C).

“The FIDO Alliance is doing an amazing job at maintaining these authentication standards, and offers a FIDO certification,” said Grimes, who maintains a list of phishing-resistant MFA options.
October 06, 2023
CDW data to be leaked next week after negotiations with LockBit break down - Theregister
CDW, one of the largest resellers on the planet, will have its data leaked by LockBit after negotiations over the ransom fee broke down, a spokesperson for the cybercrime gang says.

Speaking to The Register, the spokesperson, who uses the alias LockBitSupp, implied that during negotiations CDW offered a sum that was so low it insulted the crooks. "We published them because in the negotiation process a $20 billion company refuses to pay adequate money," the source said. "As soon as the timer runs out you will be able to see all the information, the negotiations are over and are no longer in progress. We have refused the ridiculous amount offered."

LockBit did not respond to questions relating to what its original ransom demand was or what CDW offered in the negotiations. It also shirked questions concerning the nature of the data stolen and what methods it used to breach the company.

According to the countdown timer on LockBit's victim blog, CDW's files are scheduled to be published in the early hours of the morning on October 11. CDW has yet to comment on the incident, which appears to have been ongoing since at least September 3, when the company was first posted to LockBit's blog.

The Register has contacted CDW for clarity but the company has not offered a response. Its automatic email reply reads: "Thank you for contacting CDW. Your inquiry has been received and will be reviewed. Should there be a fit or an interest in engaging further, we will be in touch as soon as possible." The UK Information Commissioner's Office (ICO) confirmed that it had not received a breach report from CDW.

Cybersecurity analyst and researcher Dominic Alvieri said the company was technically posted to LockBit's blog three times in total. It was originally "flashed" – a tactic involving the quick posting and deletion of a company to encourage a fast response from the victim. "When deadlines come and go it is a sign the company is negotiating or has at least acknowledged the incident," he said. "The repost is usually the final stages. The ransom process can take weeks/months."

Posting a company to a victim blog multiple times isn't something that happens in every case but it is a known aggressive tactic adopted by ransomware groups to hurry negotiations, experts told The Register.

"Ransomware groups are ramping up their tactics in forcing victims to pay quickly and this is all part of their business model to extort more money in a timely fashion from their targets," said Jake Moore, global cybersecurity advisor at ESET. "LockBit has previously used pressure tactics to force other victims of their attacks in order to speed up ransom negotiations to ultimately pay up and with varying success."

"There is always a chance, however, that this is a tactic used to force their victims' hands to act quickly yet no real substance be in the original claim."

"This is the common gamble played between cybercriminals and their victims where one wrong move and a poker face could cost companies huge amounts in ransom payments and more problems thereafter from leaked data in public view."

One historical example of LockBit setting deadlines and not dumping the stolen data was during the attack on Royal Mail International earlier this year. The deadline was set for February 13 and no data was published. A day later, instead of making Royal Mail International's stolen data public, LockBit posted the full negotiation history between it and the company in the form of a downloadable chat log. The chat logs revealed the ransom demand was originally set at $80 million, later offering a 50 percent discount after the company branded the demands "absurd."

At the time, the release of the chat logs was seen as an example of these scare tactics. After Royal Mail's continued refusal to pay, LockBit eventually staggered the publication of its data, much of which included employee information, in 10 separate dumps.

The UK's National Cyber Security Centre (NCSC) has a longstanding stance against paying ransoms to cybercriminals. In a study by security company CyberEdge, it was found that less than half of businesses paying ransoms recover all of their data.

In the Royal Mail negotiations, the transcript shows the negotiator attempting to convince LockBit to hand over two files as proof the criminals' decryptor worked. LockBit realized after a few days that the two files would have allowed Royal Mail to fully recover its systems without paying for the decryptor. Towards the end of the negotiations, where Royal Mail appeared to stall LockBit for as long as it could by saying it was waiting for its board to decide on whether to pay the discounted ransom fee, LockBit grew frustrated with the tactics and published the data after days of non-responsiveness from Royal Mail.

LockBit's lies, and other strange tactics
Over the years, LockBit has been accused of orchestrating various "PR stunts" to cause confusion and raise its notoriety level. These have included "fake" ransomware attacks on large organizations, posting their details to LockBit's website along with a countdown timer to indicate the publication date of the stolen files, just as it does with genuine victims.

One such example came in June 2022, when it claimed to have breached incident response specialists Mandiant. In typical fashion, the countdown timer spent days reaching zero, and what was published wasn't the data it claimed to have stolen from the company, but instead a response to claims that the group was linked to the sanctioned cybercrime outfit Evil Corp.

"The PR stunt was likely orchestrated by LockBit because an association of their activities to Evil Corp could have financially devastating consequences for their operations," said ReliaQuest in a blog post. "Paying ransoms to these cyber threat groups is still not illegal in most countries; however, a formalized association with Evil Corp would render those payments potentially out of the law, with significant civil and criminal implications for the organizations involved in them."

"Given that LockBit is one of the most prolific ransomware groups in activity at the moment, it is likely that they intend to continue their highly successful and profitable ransomware operations for the following months."

LockBit repeated the same trick later that year, this time against French multinational IT company Thales. Although in Thales's case, it was only half fibbing. At the time, Thales's public statements repeatedly denied evidence of an IT intrusion, but on November 10, 2022 – three days after LockBit promised to publish its data – Thales confirmed that data had been stolen and published. However, it said the theft was carried out by "two likely sources," one of which was "confirmed through the user account of a partner on a dedicated collaboration portal," and the other was unknown.
October 07, 2023
MGM Resorts Refused To Pay Recent Ransomware Demand -
MGM Didn’t Pay Hackers, Suffered Financial Consequences
Posted on: October 6, 2023, 03:22h. Last updated on: October 6, 2023, 03:22h.

MGM Resorts International (NYSE: MGM) reportedly refused the hackers that recently executed a ransomware attack on its US operations and will suffer a significant reduction in third-quarter earnings as a result.

[Image caption: Bellagio on the Las Vegas Strip. Operator MGM didn’t pay a recent ransomware demand. (Image: YouTube)]

On Thursday, the Bellagio operator warned investors its third-quarter earnings before interest, taxes, depreciation, amortization, and restructuring or rent costs (EBITDAR) will be reduced by $100 million due to the attack, which lasted at least 10 days. MGM also said it faces $10 million in one-time expenses attributable to the data breach.

That $100 million likely would have been significantly lower and covered by insurance had MGM opted to pay “Scattered Spider,” but sources close to the matter told the Wall Street Journal the casino giant chose not to meet the ransom demand. That’s a departure from what rival Caesars Entertainment (NASDAQ: CZR) did when confronted by a ransomware attack executed by the same group. The Harrah’s operator paid $15 million of the $30 million Scattered Spider wanted and didn’t deal with operational chaos as MGM did.

MGM Followed FBI Guidelines
Much as the US government claims not to negotiate with terrorists, the FBI encourages victims of ransomware attacks not to meet the demands of the threat actors. “The FBI does not support paying a ransom in response to a ransomware attack,” according to the federal law enforcement agency. “Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

Apparently, MGM took that advice, but many other companies, including Caesars, that are hit by ransomware attacks do not. As a result, the bad actors are emboldened because they believe the odds are short they’ll be paid. Thus, the frequency of these breaches is increasing.

“The best way to avoid being exposed to ransomware—or any type of malware—is to be a cautious and conscientious computer user,” adds the FBI. “Malware distributors have gotten increasingly savvy, and you need to be careful about what you download and click on.”

What’s Next for MGM
Following the attack, MGM rebuilt its cybersecurity systems and bolstered related defenses. That’s a step in the right direction, but the damage is done and some investors might argue that MGM should have played ball with Scattered Spider and paid them to go away. The math favors that argument. After all, MGM’s $100 million hit to third-quarter earnings is significantly larger than the $15 million a Caesars insurance carrier paid out.

It is, however, a complex situation. In the month following the attack, shares of MGM tumbled roughly 20%, but the stock surged 4.86% on above-average volume, perhaps spurred by the news that the company didn’t comply with the ransom demand.
October 07, 2023
Ransomware attack on MGM Resorts cost $110 Million - Security Affairs
Hospitality and entertainment company MGM Resorts announced that the costs of the recent ransomware attack have exceeded $110 million.

In September the hospitality and entertainment company MGM Resorts was hit by a ransomware attack that shut down its systems at MGM Hotels and Casinos. The incident affected hotel reservation systems in the United States and other IT systems that run the casino floors.

The company has now revealed that the costs from the ransomware attack have exceeded $110 million. The company paid third-party experts $10 million to clean up its systems. A few days after the attack, an affiliate of the BlackCat/ALPHV ransomware group known as Scattered Spider claimed responsibility for it.

“The Company believes that the operational disruption experienced at its affected properties during the month of September will have a negative impact on its third quarter 2023 results, predominantly in its Las Vegas operations, and a minimal impact during the fourth quarter. The Company does not expect that it will have a material effect on its financial condition and results of operations for the year. Specifically, the Company estimates a negative impact from the cyber security issue in September of approximately $100 million to Adjusted Property EBITDAR for the Las Vegas Strip Resorts and Regional Operations, collectively,” reads the 8-K report filed with the SEC. “The Company has also incurred less than $10 million in one-time expenses in the third quarter related to the cybersecurity issue, which consisted of technology consulting services, legal fees and expenses of other third party advisors.”

The Company states that its cybersecurity insurance will cover the financial losses and future expenses; however, the full scope of the costs and related impacts has yet to be determined.

According to the ongoing investigation, threat actors had access to the data of some of the Company’s customers who transacted with the Company prior to March 2019. Personal information exposed includes name, contact information (such as phone number, email address and postal address), gender, date of birth and driver’s license numbers. For a limited number of customers, Social Security numbers and passport numbers were exposed. The types of impacted information varied by individual.

The attack caused disruptions at some of the company’s properties; however, the incident did not expose any customer bank account numbers or payment card details.

Pierluigi Paganini (SecurityAffairs – hacking, MGM Resorts)
October 05, 2023
Not Dead Yet: Why Tape Is Still a Valuable Data Loss Prevention Technology (and a ... - Arcserve
Tape has been around forever, at least in relation to most technologies. TechTarget says that, if you count paper tape, the technology has been around since the 18th century. But the modern era of tape still goes back more than seven decades to 1951, when UNIVAC introduced the UNIVSERVO tape drive.So you may be surprised to hear that tape is still alive and well. And its use is expanding significantly. How much? The tape market is projected to reach $9.39 billion by 2030, a 7.5 percent CAGR. And some analysts report that up to 80 percent of mid-size and enterprise companies use tape. There are plenty of reasons for that growth. Here are just a few.LTO-9 Delivers More Capacity, Faster Data The Linear Tape Open (LTO)—and LTO-9, the latest format specification for LTO Ultrium tape drive and media—has much to do with that growth. TechTarget says tape continues to set shipment records. And it notes that much of that growth can be attributed to customers looking for secure, cost-effective data backup solutions. With LTO-9, you can choose an 18 TB tape cartridge, yielding a 50 percent capacity increase over LTO-8 and a 1400 percent increase over now decade-old LTO-5 technology. And LTO-9 delivers 400 MB/s native transfer speeds and 1,000 MB/s when employing 2.5:1 compression.  LTO-9 Offers Immutable Storage, Backward CompatibilityThis latest iteration of the LTO technology includes multilayer security support with hardware-based encryption.LTO-9 also supports immutable storage, a write-once-read-many times (WORM) format that unauthorized users can’t alter or delete. That means your backups are protected from ransomware, even if hackers get past your defenses.LTO-9 offers full backward read and write compatibility with LTO generation 8 cartridges. It also provides a scalable, adaptable open tape storage format. That makes tape an attractive investment when considering primary archival and data protection solutions. 
Tape Delivers Air-Gapping and a Much Lower TCO

Ransomware attacks are now so frequent and sophisticated that it’s not a matter of if but when your company will be hit. That’s why Arcserve recommends tape as a cost-effective option for air-gapping your backups. One practical point: a cartridge is only air-gapped once it has been ejected from the library and stored offline. A tape sitting in a library slot is still reachable by the backup server, and an attacker who controls that server can overwrite or erase non-WORM media through it. You can learn more about physical and virtual air-gapping in this recent post.

Fujifilm offers a total cost of ownership (TCO) calculator that illustrates how cost-effective tape can be. Its default example, an organization that loads 20 petabytes (PB) in year one, projects 30 percent annual growth in stored data, and retrieves 12 percent of its data each year, saves 79 percent versus disk storage and 72 percent versus cloud storage. That is some serious savings.

Tape Is Incredibly Reliable

Ultrium LTO says that LTO-9 delivers better than one uncorrectable error event in 10^20 user bits, which it describes as at least 17 nines of durability. This rate, the uncorrectable bit error rate or UBER, is a crucial data reliability metric for all data storage devices: hard disk drives (HDDs), solid-state drives (SSDs), and tape. An LTO-9 analysis of user data reliability noted that “due to LTO’s unique format, which is based on orthogonal interleaved 2-dimensional 32 channel Reed Solomon error correction codes, the probability of an UBER event is orders of magnitude lower than HDD.”

Here’s another way to look at HDDs vs. tape. In the LTO-9 analysis example, an HDD (rated at one uncorrectable error in 10^15 bits) would experience an uncorrectable error about every 125 terabytes read, or every 7 HDDs. At one error in 10^20 bits, LTO-9 technology would experience one only every 12.5 exabytes, which is 12.5 million terabytes or almost 700,000 full LTO-9 cartridges. That’s a lot of storage with little risk of errors.

Powerful, Proven Tape Backup Software Closes the Deal

Given how long tape has been around, many IT pros assume the technology hasn’t kept pace with our evolving digital environment. That isn’t so.
Arcserve Backup software can greatly enhance your tape data protection strategy. Here’s how:

Centralized Data Management, Sophisticated Functionality

Arcserve Backup offers centralized data management and storage resource manager (SRM) reporting. The software monitors the status of all backup activities, finds the nodes that are taking the longest, locates backed-up data, and tracks volume, disk, and memory usage on every production server. Arcserve Backup lets you incorporate sophisticated functionality into your VMware, Microsoft Hyper-V, and Citrix XenServer platforms, including simplified system management with a view of your entire environment to mitigate the risk of data loss on virtualized servers.

Fast, Efficient Backups and Restores

The software further increases reliability with smart restore capabilities that redirect restore jobs to other media containing the same data without manual intervention. You can also quickly restore individual application objects from Active Directory, Microsoft Exchange, Microsoft SQL Server, and Microsoft SharePoint. With Arcserve Backup, you’ll realize faster, more efficient backups and restores by leveraging UNIX and Linux data movers for SAN-based backups. You’ll also be able to meet application-specific requirements including:
• Backup to disk
• Backup to tape
• Disk-to-disk-to-tape (D2D2T)
• Disk-to-disk-to-cloud (D2D2C)
• Virtual tape library (VTL)
• Hardware snapshot support
• Multiplexing
• Multi-streaming

Take a Closer Look at Tape

Working with an Arcserve technology partner, you can evaluate how tape fits into your backup and disaster recovery strategy. They have the expertise to guide you to the optimal solutions to meet your requirements. Find an Arcserve technology partner here.
October 02, 2023
CERN swells storage space beyond 1EB for LHC's latest ion-whacking experiments
In preparation for its latest round of ion-smashing tests, CERN boosted its storage array for the experiments to more than one million terabytes in total size. The facility's data store now exceeds an exabyte of raw capacity, with much of it on hard disk drives and an "increasing fraction of flash drives," the European super-lab's team explained in a report.

It's one thing to increase capacity; it's another to be able to access it in a timely fashion, as Andreas Peters, who heads up CERN's EOS storage system, explained: "It is not just a celebration of data capacity, it is also a performance achievement, thanks to the reading rate of the combined data store crossing, for the first time, the 1TB/s threshold."

The upgrade, which added 289 PB of capacity since last year, was made to support the latest round of heavy-ion experiments within CERN's 27-kilometre Large Hadron Collider, which kicked off last week. These experiments involve smashing heavy ions together at nearly the speed of light to study the fundamental building blocks of the known universe. As we understand it, these experiments, which will take place over several years at the ring-shaped particle collider near Geneva, Switzerland, will produce a prodigious amount of data, in excess of 600 PB, which has to be processed before being committed to long-term tape storage. During the last heavy-ion run between 2015 and 2018, CERN said it processed an average of one petabyte of data a day.

While a petabyte of data might seem like a lot, thanks to high-capacity storage chassis it doesn't actually take that much physical space. Using high-capacity disks, it's now possible to cram a petabyte worth of storage into a single chassis. An exabyte of storage, however, is another matter entirely, requiring rows of racks full of disk shelves to contain. CERN says its disk storage array features approximately 111,000 devices, most of which are hard drives but with increasing amounts of flash in the mix.
The system runs on EOS, an open source platform developed by CERN for use with the Large Hadron Collider and other scientific workloads. We've asked for more information on just how large the disks are and how many of each CERN is using; we'll let you know if we hear back.

While you'd only need 100,000 10 TB drives to hit that raw exabyte mark, the array wasn't built overnight. In fact, it has grown 56x from the initial 18 PB storage system in 2010, and between 2020 and today the system has more than doubled in capacity. According to the post, with more than a hundred thousand disks humming along, drive failures are a regular occurrence. According to a report [PDF] from a few years back, CERN was replacing 30 failed drives each week, necessitating a fair bit of planned resilience using different data replication methods.

The announcement comes just weeks after CERN ditched its time series database and monitoring platform in favor of one from VictoriaMetrics after researchers ran into performance issues with InfluxDB and Prometheus.
October 04, 2023
Ransomware: All the ways you can protect storage and backup | Computer Weekly
Ransomware is a big threat to organisations of all sizes. According to one piece of research, around two-thirds of disaster recovery incidents are a result of ransomware. Meanwhile, firms take an average of 21 days to recover to normal operations.

The growth of ransomware has put data storage and backup on the frontline of cyber defences, and as firms have bolstered their anti-ransomware measures, attackers have become more sophisticated and dangerous. Attackers have moved from encrypting production data to targeting backups and backup systems. Their goal is to make it harder for organisations to recover, and so more likely they will pay a ransom. Also, double- and triple-extortion attacks, where criminal groups threaten to expose sensitive data, or even use it to target individuals, have raised the stakes still further.

In response, chief information security officers (CISOs) and chief information officers (CIOs) have looked to harden systems against ransomware attack, with use of immutable snapshots, air-gapped backups and artificial intelligence (AI)-based threat detection. Suppliers have also bolstered anti-ransomware tools. Some are even offering ransomware recovery guarantees that pay financial compensation if an attack does happen.

Ransomware attacks work by spreading malware that disables access to data. The malware usually enters the organisation through phishing, infected documents, or compromised or malicious websites; stolen or brute-forced remote-access credentials and unpatched internet-facing services are the other common routes in. It then encrypts data, and the attackers demand a ransom for the decryption key.

The first line of defence is to detect and block phishing attacks, through antivirus and malware detection on client devices and on the network, and through user awareness and training. Much of this is standard cyber hygiene. Most methods that work against malware and phishing will work equally against ransomware. Security researchers point out that the malware component of ransomware attacks is often not very sophisticated.
However, although cyber hygiene measures will reduce risks, they are not fool-proof. Therefore, firms also look at deeper levels of data protection against encryption, as well as detecting and blocking suspicious activity on the network.

Good backups remain an important defence against ransomware. If a firm can recover its data from a clean backup, it has a good chance of returning to normal operations without the need to pay a ransom. And, as security advisers such as the UK’s NCSC point out, paying the ransom is no guarantee of being able to recover data.

Off-site backup, or data that is “air gapped” and separated either physically or logically from production systems, provides a good level of protection, but recovery from off-site backups can be slow. A clean recovery also depends on spotting the attack early enough that the backups have not already captured encrypted files or the malware itself; attackers commonly sit in a network for days or weeks before triggering encryption, so a retention period shorter than that dwell time can leave no clean copy to restore from. Also, attackers now actively target backup systems, with a view to disabling them or corrupting backup files. This has led storage suppliers to build additional levels of ransomware protection into storage and backup technologies.

Vendors to the rescue?

One of the most common measures deployed by suppliers to counter ransomware is immutable backups. Often these are snapshots. A snapshot is read-only by nature, but an ordinary snapshot can still be deleted by an administrator, or by an attacker holding administrator credentials, so “immutable” snapshot features add a delete lock with a fixed retention period on top. Snapshots have the added advantage of quick restore times, and they can be stored locally, offsite or in the public cloud. Their disadvantage is that the capacity they occupy can grow rapidly, so snapshot retention periods are often quite short.

A wide range of suppliers now offer immutable data copies, either in backup or directly on production storage. Examples include Wasabi’s Object Lock immutability feature for object storage, Pure’s SafeMode snapshots on its FlashBlade and FlashArray systems, and object locking in Portworx. Vast Data is another supplier that provides immutable backups, using a feature it calls Indestructibility.
Firms that use Amazon S3 can also apply Object Lock to buckets. Object Lock is a bucket-level setting that relies on versioning; in compliance mode a locked object version cannot be deleted, nor its retention shortened, by any principal, the account’s root user included, until the retention date passes, whereas governance mode can be bypassed by a principal granted the s3:BypassGovernanceRetention permission. A further approach is to harden the operating system; this is what Scality has done with Linux on its Artesca appliances. By hardening the OS, the supplier restricts the admin tools an attacker could use to destroy or encrypt data.

There are, however, different levels of immutability. As James Watts, managing director at Databarracks, points out, the effectiveness of immutability depends on how systems are configured. A tool set for immutability at the backup level will not, for example, prevent an attacker from deleting the underlying storage volumes. For ultimate protection, he recommends that even backup copies and the storage target be kept “off domain”. Keeping the backup infrastructure outside the production directory domain means that an attacker who has harvested domain credentials gains no foothold on it.

The majority of backup suppliers now support air-gapped copies of data, and a growing number will work directly with public cloud storage to make it easier and less capital-intensive to store immutable backups offsite. Chief information officers and data storage managers should check the capabilities of their backup and recovery tools, such as whether they can upload copies to the cloud or be used to create air-gapped datasets.

Ransomware detectives, and warranties

Immutable backups are not, however, foolproof. They will not protect an organisation if the malware, or data it has already encrypted, was captured in the snapshot itself. This has prompted suppliers to add anomaly detection at the storage device and network level to help spot ransomware infections before they are triggered. Suppliers have increasingly made use of AI tools to spot anomalies across vast quantities of data, at speeds that are, hopefully, fast enough to prevent malware from spreading, and from encrypting or deleting data. Such anomalies might include an abnormally large number of changes to files in a dataset, or increased randomness in filenames or content, both of which occur as ransomware begins to encrypt and rename data.
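Here is what the storage-level lock discussed above looks like in practice on S3, as an added example written for this page; it is not code from the article or from any of the suppliers named. It assumes boto3 is installed, AWS credentials and a default region are in the environment, and the bucket name you pass is a placeholder you control. lock_bucket_and_verify talks to AWS; the two helpers above it are pure and can be exercised offline.

```python
"""S3 Object Lock as a storage-level immutability control (added example).

Assumptions: boto3 is installed, AWS credentials and a default region are in
the environment, and the bucket name passed in is a placeholder you control.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# GOVERNANCE can be overridden by a principal holding s3:BypassGovernanceRetention.
# COMPLIANCE cannot be shortened or removed by anyone, root user included, until
# the retain-until date has passed. Backups that must survive an admin-level
# compromise belong in COMPLIANCE mode.
MODES = ("GOVERNANCE", "COMPLIANCE")


def lock_configuration(mode: str, days: int) -> dict:
    """Bucket default retention, in the shape put_object_lock_configuration expects."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    if days < 1:
        raise ValueError("retention must be at least one day")
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}},
    }


def retain_until(days: int, now: Optional[datetime] = None) -> datetime:
    """Timezone-aware retain-until timestamp for a per-object lock."""
    now = now or datetime.now(timezone.utc)
    return now + timedelta(days=days)


def lock_bucket_and_verify(bucket: str, key: str, body: bytes, days: int = 30) -> bool:
    """Create a locked bucket, write one backup object, and prove the lock holds.

    Returns True only if deleting the locked version is refused with AccessDenied.
    This is the network part of the example and needs real AWS credentials.
    """
    import boto3  # imported here so the pure helpers work without boto3 installed
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    # Object Lock is switched on when the bucket is created; it requires
    # versioning, which this flag enables. Outside us-east-1 also pass
    # CreateBucketConfiguration={"LocationConstraint": <region>}.
    s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True)
    s3.put_object_lock_configuration(
        Bucket=bucket, ObjectLockConfiguration=lock_configuration("COMPLIANCE", days)
    )
    put = s3.put_object(
        Bucket=bucket,
        Key=key,
        Body=body,
        ObjectLockMode="COMPLIANCE",
        ObjectLockRetainUntilDate=retain_until(days),
    )
    try:
        # An attacker holding the backup account's keys would try exactly this.
        # delete_object without VersionId only adds a delete marker on a versioned
        # bucket; the locked version is still there and can be restored.
        s3.delete_object(Bucket=bucket, Key=key, VersionId=put["VersionId"])
    except ClientError as err:
        return err.response["Error"]["Code"] == "AccessDenied"
    return False  # the delete went through: the data is not immutable
```

Run lock_bucket_and_verify once against a test account with a throwaway bucket name; a True result is the check that the lock actually bites, and a False result means the backup target is not the immutable copy you thought it was. Pair it with an IAM policy that denies s3:BypassGovernanceRetention to the backup role, and keep Watts’s point in mind: the lock protects the object versions, not the credentials or the account that owns them.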
Suppliers that offer this type of detection include Cohesity and NetApp, while Pure has AIOps-based anomaly detection in its Pure1 management platform. Commvault also has early warning features in its technology. Suppliers have in addition built ransomware detection into production data storage, not just backups, as they try to stay ahead of attacks.

Some suppliers have taken a further step by offering financial guarantees to back their data protection measures. Veeam and NetApp are among the suppliers that offer ransomware warranties; Pure has a ransomware recovery service-level agreement which includes supplying hardware, and a technician, to recover data.

Firms should take their own steps to ensure any ransomware protection measures are suitable for their operations. Warranties, even those that offer seven- or eight-figure payouts, will only apply in tightly defined circumstances, and cash will only go so far to help an organisation if data has been put beyond reach. “There’s no blanket policy or simple answer for every organisation, these decisions all need to balance cost and risk for what works for you,” says Databarracks’ Watts.
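The two anomaly signals the article describes, a burst of file changes and a jump in the randomness of content or filenames, can be checked with a few lines of code. The following is an added example written for this page, not code from the article or from any supplier; it assumes a feed of file-write events (timestamp, path, first bytes written) of the kind a file-system audit log or a backup agent’s change journal provides, and the events it runs over in demo() are constructed.

```python
"""Ransomware-style anomaly detection over file-change events (added example).

Assumes a feed of (timestamp, path, bytes written) events from a file-system
audit log or a backup agent's change journal; the events in demo() are constructed.
"""
import math
import random
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    ts: float       # seconds since epoch
    path: str
    content: bytes  # leading bytes of what was written


@dataclass
class WindowVerdict:
    start: float
    changes: int
    mean_entropy: float
    random_names: int
    suspicious: bool


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "db", "bak"}
_RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{5,}$")


def filename_looks_random(path: str) -> bool:
    """Encrypted files are usually renamed to <original>.<unfamiliar token>."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in KNOWN_EXTENSIONS and bool(_RANDOM_EXT.search(name))


def analyse(events, window_s=60.0, baseline_changes=20,
            entropy_threshold=7.0, name_fraction=0.5):
    """Bucket events into fixed windows and flag ones that look like mass encryption.

    A window is suspicious when its change count is more than 3x the baseline AND
    either the written content is near-random or most files were renamed to
    unfamiliar extensions. Requiring both keeps a large but legitimate import of
    plain documents from alerting, which is the usual false positive.
    """
    by_window = {}
    for e in events:
        by_window.setdefault(math.floor(e.ts / window_s) * window_s, []).append(e)
    verdicts = []
    for start, evs in sorted(by_window.items()):
        mean_entropy = sum(shannon_entropy(e.content) for e in evs) / len(evs)
        random_names = sum(filename_looks_random(e.path) for e in evs)
        burst = len(evs) > 3 * baseline_changes
        suspicious = burst and (mean_entropy > entropy_threshold
                                or random_names / len(evs) > name_fraction)
        verdicts.append(WindowVerdict(start, len(evs), round(mean_entropy, 2),
                                      random_names, suspicious))
    return verdicts


def demo():
    """Constructed feed: a quiet minute, a bulk document import, then an encryption run."""
    rng = random.Random(2023)
    text = b"Quarterly report: revenue grew four percent on stable margins. " * 8
    events = []
    for i in range(5):                      # window 0: ordinary editing
        events.append(Event(i * 10.0, f"/home/alice/notes{i}.txt", text))
    for i in range(80):                     # window 60: legitimate bulk import, text, known names
        events.append(Event(60 + i * 0.5, f"/share/docs/file{i}.docx", text))
    for i in range(80):                     # window 120: high-entropy rewrites plus renames
        junk = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append(Event(120 + i * 0.5, f"/share/finance/q3_{i}.xlsx.lockedx", junk))
    return analyse(events)


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The bulk-import window is the case that matters: it has as many changes as the encryption window but plain-text content and familiar names, so it is not flagged. Thresholds are placeholders to be tuned against a site’s own baseline; a product built on this idea would also feed the verdict back to the backup system so the suspect window is quarantined rather than promoted into the retention chain.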
October 04, 2023
FBI warns of dual ransomware attacks, and other cybersecurity news to know this month
This news round-up brings you key cybersecurity stories from the past month.

Top cybersecurity news: FBI warns of dual ransomware threat; Companies struggle to overcome cyberskills gap; Actor Tom Hanks distances himself from AI deepfake advert.

1. US companies face dual ransomware attack risk, says FBI

The Federal Bureau of Investigation (FBI) is warning companies in the United States to be alert to the risk of dual ransomware attacks, in which the same organization is targeted more than once in quick succession. The warning came in an FBI private industry notification dated 27 September 2023: "The FBI noted a trend of dual ransomware attacks conducted in close proximity to one another. During these attacks, cyber threat actors deployed two different ransomware variants."

The FBI also pointed out that a range of ransomware tools are being used in different combinations, with potentially devastating consequences for targeted companies. "This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities." In most cases, the second attack has come within 48 hours of the first, but the period between attacks has been as long as 10 days.

To mitigate the risks from dual ransomware attacks, the FBI recommends companies review their security posture, maintain offline back-ups of critical data and ensure those back-ups are encrypted. Restoring from backup without first evicting the attacker (resetting credentials, closing the entry point that was used) invites exactly this second round.

2. Companies failing to close global cybersecurity skills gap

A report into employment challenges in the cybersecurity sector finds companies around the globe are failing to fill millions of vacant positions. The Information Systems Audit and Control Association (ISACA), which has 170,000 members in 188 countries, has published its 2023 State of Cybersecurity global update.
The report, which details the opinions of 2,178 members who responded to a global survey, found the industry was failing to attract recruits to fill positions from entry-level right up to C-suite roles.

Progress to fill vacant cybersecurity positions is slow. Image: ISACA

Looking to the future, ISACA sees no short-term solution to the staffing challenges in the sector and a rising demand for skilled cybersecurity specialists. The report's findings align with the World Economic Forum's Global Cybersecurity Outlook 2023, which reveals that 59% of business leaders and 64% of cyber leaders rank talent recruitment and retention as key challenges for managing cyber resilience. Additionally, less than half of the respondents reported having the people and skills needed today to respond to cyberattacks. According to the Forum's Future of Jobs 2023 report, cybersecurity is among the top strategically emphasized skills for the workforce. Yet there is a shortage of 3.4 million cybersecurity experts to support today’s global economy. A less traditional approach to training and recruitment in the cybersecurity sector, focused on diversity and a less rigid reliance on qualifications, could significantly widen the pool of available talent.

The World Economic Forum Centre for Cybersecurity drives global action to address systemic cybersecurity challenges. It is an independent and impartial platform fostering collaboration on cybersecurity in the public and private sectors. Here are some examples of the impact delivered by the centre:

Cybersecurity training: Salesforce, Fortinet, and the Global Cyber Alliance, in collaboration with the Forum, provide free and accessible training to the next generation of cybersecurity experts worldwide.

Cyber resilience: Working with its partners, the Centre is playing a pivotal role in enhancing cyber resilience across multiple industries: Oil and Gas, Electricity, Manufacturing and Aviation.
IoT security: The Council on the Connected World, led by the Forum, has established IoT security requirements for consumer-facing devices, safeguarding them against cyber threats. This initiative calls upon major manufacturers and vendors globally to prioritize better IoT security measures.

Paris Call for Trust and Security in Cyberspace: The Forum is proud to be a signatory of the Paris Call, which aims to ensure global digital peace and security, emphasizing the importance of trust and collaboration in cyberspace.

Contact us for more information on how to get involved.

3. News in brief: Top cybersecurity stories this month

The US Cybersecurity and Infrastructure Security Agency (CISA) has launched a new campaign for the 20th Cybersecurity Awareness Month. Under the campaign theme of Secure Our World, CISA is urging organizations and individuals to take four steps to protect themselves against the growing threat from cybercriminals: use strong passwords; switch on multi-factor authentication; regularly update software; and recognize and report phishing attempts.

Video: Cybersecurity and Infrastructure Security Agency

Hackers have broken into computers at the International Criminal Court (ICC) in The Hague, Netherlands. The ICC investigates war crimes and crimes against humanity. According to Reuters, staffers at the ICC noticed unusual activity on its computer networks. The ICC said it was working to mitigate the impact of the cybersecurity breach.

Ukraine has accused Russia of hacking its law enforcement computer systems. Ukraine's head of cyber defences said the Ukrainian Prosecutor General's office and departments documenting war crimes had been targeted, Reuters reports.

More than 50 organizations in Colombia have been targeted in a widespread cyberattack. According to Reuters, the ransomware attack hit government systems and private companies after hackers targeted an Internet Service Provider.
The Hollywood actor Tom Hanks has warned consumers that an advertisement in which he appears to promote a dental plan is a deepfake created using AI technology. Hanks posted a screengrab from the video on Instagram, explaining to his 9.5 million followers, "I have nothing to do with it." The emergence of generative AI has raised concerns that convincing fake imagery could aid the spread of disinformation and damage trust in online content.

Tom Hanks warned consumers about a deepfake image in which he appears to promote a dental plan. Image: Tom Hanks/Instagram

4. More on cybersecurity on Agenda

The European Union's new Digital Markets Act aims to regulate tech giants like Google, Facebook and Amazon. The law seeks to ensure fair competition, data sharing and transparency around tracking users' data. There are significant fines for non-compliance.

Every online user faces a growing threat from ransomware, malware designed to deny an organization access to files or data on its computers. This article details six ways individuals and organizations can protect themselves from online extortion.

The energy systems that underpin entire economies are facing “an unprecedented threat” from cyberattacks, according to the International Energy Agency (IEA). Industry research shows that utility companies are spending an average of 8% of their total IT budget on cybersecurity, but the number of attacks is outpacing spending.
October 04, 2023
Most Canadian firms pay a ransomware gang, latest CIRA survey suggests
The vast majority of organizations in this country are still giving in and paying ransomware gangs after successful attacks, the annual survey of infosec pros by the Canadian Internet Registration Authority (CIRA) suggests.

That’s one possible conclusion from the results of an online survey of 500 Canadian cybersecurity professionals from organizations with at least 50 employees that was released Tuesday by CIRA. CIRA oversees the .ca registry.

Released in conjunction with Cybersecurity Awareness Month, the survey shows 41 per cent of respondents said their organization had experienced an attempted or successful cyber attack in the last 12 months. Of those, 23 per cent said that their organization had been a victim of a successful ransomware attack in the last 12 months, one percentage point more than in 2022. And of those, 70 per cent said their organization paid ransom demands, and nearly a quarter of those paid up to $100,000.

The responses are roughly similar to those of previous CIRA surveys. In 2022, 73 per cent of those hit by ransomware said their firm paid up, while 69 per cent said their firm paid a ransom in 2021. The numbers “went the wrong way in terms of a trend this year,” admitted Jon Ferguson, CIRA’s general manager of cybersecurity.

“The challenge for a lot of organizations is if they’re not well prepared for an attack before it happens, remediation may not be easy,” he said. “So they perceive paying is the simplest resolution of the problem. Maybe they lack the ability to recover without getting access (to data) back.” They may also be worried about damage to their reputation if word gets out about a ransomware attack, he added.

Asked why in 2023 an organization would not be well prepared for ransomware, Ferguson said some firms may have trouble understanding the threats new technologies adopted by IT will pose. He also noted evidence in the survey numbers that IT pros recognize ransomware is a problem.
Three-quarters of respondents said they would support a law forbidding organizations from making ransom payments. (That’s up from 64 per cent in the 2021 survey.)

Among other troubling survey numbers pointed out to Ferguson, 64 per cent of respondents said they had to use their incident response plans in the past 12 months. At least they had an IR plan to use, Ferguson replied. (In fact 44 per cent of respondents said their firm has a comprehensive IR plan, with another 40 per cent saying they have a basic plan.)

Among other survey results:
— of those who had been hit by a successful cyber attack, 29 per cent said their organization had lost revenue as a result of the incident, 22 per cent said they incurred repair or recovery costs and 36 per cent said it prevented staff from carrying out day-to-day work. But 38 per cent described the incident as minor;
— 97 per cent of respondents said their organization conducts cybersecurity awareness training. That number has been over 90 per cent since 2020. But just under half of respondents said their organization makes training mandatory for all employees. The number has been growing over the past five years; this year it was 48 per cent of respondents;
— the top three reasons cited by respondents who said their organization does no awareness training were: it has never been considered, it’s expensive and it’s time-consuming;
— 57 per cent of respondents said their organization does training every quarter. Another 13 per cent said it’s done monthly;
— organizations use a combination of in-house and third-party training materials.
But only 43 per cent of respondents said their organization does phishing simulations;
— 65 per cent of respondents believe their organization’s cybersecurity budget is sufficient to protect against cyber attacks;
— 73 per cent of respondents said the budget allocated to IT and cybersecurity at their organization had increased in the past 12 months;
— 37 per cent said their organization is using technology released before 2010. Another 20 per cent said they still have technology that might date back to 2000. Others said some of their technology goes back further;
— 70 per cent of respondents said their IT staff has increased in the past 12 months.

Asked what the report’s numbers say about the readiness of Canadian firms to face cyber attacks, Ferguson said, “There is no clear answer to that question. What the data certainly points to is a heightened awareness and an increased amount of engagement in cybersecurity-related services and support, which I think is definitely an improvement.”

“But,” he added, “we have work to do to make sure the best option for organizations isn’t to pay a ransom. We got to get to a stage where everybody’s got that baseline level of cybersecurity hygiene and capabilities to prevent a ransomware payment from being an easy answer to their problem.”