" cybersecurity Archives - LuxSci

Posts Tagged ‘cybersecurity’

What Is Zero Trust Architecture?

Tuesday, June 22nd, 2021

In light of the increasingly sophisticated attacks against the US public and private sectors, the Biden Administration announced a push toward Zero Trust Architecture, amid other cybersecurity reforms.

The White House order was issued on May 12, and it included a host of measures aimed at improving the country’s resilience against cyberthreats. The announcement contained plans to remove barriers that block the sharing of threat information, as well as actions to modernize the Federal Government cybersecurity environment.

A key part of the order was a requirement for each agency head to develop a plan for Zero Trust Architecture implementation within 60 days of the announcement. This plan must incorporate the migration steps set out in the National Institute of Standards and Technology’s (NIST) guidelines. The White House order also stipulates that migrations to cloud technology “shall also adopt Zero Trust Architecture, as practicable.”

This announcement is likely to have major implications in the cybersecurity world. With the federal government moving to adopt Zero Trust Architecture, it’s likely that other industries will soon follow suit. It’s worth asking what this framework is and what it means in the context of your own security stance.

what is zero trust architecture

What Is Zero Trust Architecture?

Simply put, Zero Trust Architecture is a security model that assumes no place is safe from cyberthreats, even an organization’s own network. Let’s explain it by contrasting Zero Trust Architecture with other security models.

Under other designs, an organization’s network has a perimeter, and the entities inside it are considered secure. It’s much like the terminal at an airport. Once you have gone through the security checkpoint, you are presumed free from any weaponry that could endanger others or the facility. After going through the security, you can enter the food court, the gift shops, or the bathroom without having to verify your identity or go through a metal detector.

Under this type of security model, systems can communicate with each other within the network relatively freely. Users are deemed safe and given special privileges, because they are on the “secure” side of the firewall.

In contrast, Zero Trust Architecture accepts that bad actors may be inside the perimeter of the “secure” network. Recognizing this possibility, the Zero Trust security model involves making the secure perimeter as small as possible to minimize the potential for compromise. It also takes steps to continually evaluate actors that are inside the network for possible threats.

Overall, the goal of Zero Trust Architecture is to protect devices and data from malicious actors. It improves on other security models by enforcing more granular access controls, which helps limit the potential for unauthorized access.

Trust Zones

In Zero Trust Architecture, a trust zone is an area where those granted access are also granted access to other parts of the network. Returning to our airport analogy, everywhere beyond the security gates is a shared trust zone where you can move relatively freely.

When you go to board your plane, you must go through another security checkpoint into a smaller trust zone. The smaller a trust zone is, the less data and access to assets that it has. This helps to limit the potential damage that a bad actor can cause.

If a bad actor gained access to the terminal, they could harm everyone within the secure perimeter of the terminal. If the bad actor only had access to the plane, the potential harm would be much more limited (the analogy breaks down a little here, because someone with access to a plane would also have had access to the terminal, but you get the picture).

The Core Tenets of Zero Trust Architecture

In order to build a more secure environment while still offering usable services, Zero Trust Architecture focuses on:

  • Authorization: Only granting users access to the minimum level of data and services that are required to fulfill their role.
  • Authentication: Verifying the identity of authorized users through logins, keys, certificates, multi-factor authentication and other measures. This helps to protect from unauthorized access.
  • Limited trust zones: Making trust zones as small as possible to reduce potential impacts if compromised.
  • Availability: The above security measures are critical, but they need to be designed in a way that maintains availability. A service is useless if it is incredibly secure, but unavailable much of the time.
  • Minimized delays: The vetting processes are important, but authentication should be implemented in a way that doesn’t slow down access.

LuxSci and Zero Trust Alignment

LuxSci has long aligned its services with Zero Trust principles. Our Zero Trust-aligned features include:

  • Dedicated servers with virtualized sandboxing and dynamic per-customer micro-segmentation. We put each dedicated customer in its own trust zone.
  • Dynamic network and user access monitoring that can block suspected threats.
  • Granular access controls for users and systems that access customer data.
  • Encrypted email.

The Biden Administration’s push toward Zero Trust Architecture shows just how critical it is for protection in the current environment. Secure your organization by contacting us now to find out how it can get onboard with LuxSci’s Zero Trust-aligned services.

30th National HIPAA Summit Recap

Tuesday, March 30th, 2021

Last week, the LuxSci team attended the Virtual 30th National HIPAA Summit. The conference featured government and industry leaders who led sessions on updates to HIPAA rules, ongoing threats to cybersecurity, the impacts of remote work, and many other topics.

We can’t touch on every session that took place over the four days of the conference, but some of the most interesting updates came from the Office of Civil Rights (OCR) at Department of Health and Human Services. OCR is responsible for enforcing HIPAA, so as you would expect their sessions were of high interest to anyone responsible for compliance.

OCR UPDATES

At the start of the pandemic, OCR adopted enforcement discretion to allow health care organizations to quickly transition to virtual health care and remote work without fear of penalties. In January, OCR announced that enforcement discretion would also apply to Covid-19 vaccine scheduling. OCR will not impose penalties on those acting in “good faith” to create online or web-based scheduling applications for Covid-19 vaccine appointments. Nevertheless, this does not mean that covered entities are off the hook when it comes to HIPAA. It is recommended that they implement “reasonable safeguards” to protect PHI.

The Office of Civil Rights has also continued to penalize organizations for right of access violations. When most people think of HIPAA, they think of protecting private information through strict security policies. However, HIPAA stands for the Health Insurance Portability and Accountability Act. Portability means that patients have a right to access and transmit their information to other insurance or health care providers as they see fit. In recent years, OCR has increasingly penalized organizations for failing to respond to patient information requests in a timely manner. It is important for health care organizations to have secure offsite back-ups of patient information to prevent enforcement actions. It is challenging to find the right balance of security and patient access, but it is so important!

CYBERSECURITY THREATS     

Unsurprisingly, Covid-19 exposed organizations to new security risks as employees rapidly transitioned to remote work. Although the pandemic changed practically every aspect of our lives, phishing and ransomware remained two of the biggest security threats to health care providers. At the outset of the pandemic, many ransomware hackers voluntarily stopped targeting hospitals systems in a show of solidarity. However, the respite was temporary. As the value of health care data on the black market has continued to rise, ransomware attacks have surged.

Phishing also remains a primary attack vector for intruders. OCR reported that in the first two months of 2021, hacking/IT accounted for 71% of large health care breaches. According to OCR, most large breaches have occurred via email (39%) or network servers (32%). Phishing attacks increased so much over the last year that one conference speaker noted his organization considered turning off external emails. Though it is true that the only way to completely avoid hackers is to disable your systems, it is an unrealistic option for most businesses. To combat phishing, organizations need to train staff and have technology controls in place to prevent human error. If you have the right email filtering in place, you can prevent phishing emails from even reaching your employees’ inboxes.

REMOTE WORK- LEARNING FROM THE PANDEMIC

Shifting to remote work in early 2020 left organizations scrambling to create security policies and protect patient information. Not only did providers need to worry about preventing telehealth conversations from being overheard by their families, but they also needed to be conscious of a wide array of security issues including:

  • Securing their physical workspace and devices
  • Preventing data loss
  • Protecting notes from patient conversations
  • Using secure network connections
  • Letting children or partners use work devices

The number of security risks that remote work introduced were almost immeasurable. Organizations needed to act quickly to create new policies to protect patient data, while maintaining excellent standards of patient care. Time and time again, health care organizations that lacked basic cyber hygiene like unique logins, complex passwords, and device usage policies were the most at risk of a cyberattack or breach.

One year later, organizations are continuing to adapt their policies as much of the workforce remains remote. Many presenters expect at least some of their workforce to remain remote once the pandemic ends. Some organizations were surprised to discover the benefits of having a remote workforce. Rural hospitals are better able to attract talent when remote work is an option. Patients also benefitted from increased access to health care when telehealth was an option.

The HIPAA Summit was a wonderful reminder that if you don’t have procedures and policies in place to protect your patient data and communications, it’s only a matter of time before a breach occurs. Did you attend the HIPAA Summit? We would love to learn more about your challenges with Covid-19 and secure patient communications.

What Is Smishing And How Can You Avoid It?

Tuesday, March 9th, 2021

You are probably familiar with smishing, even if you aren’t quite sure what it’s called or the underlying details. We’ve all received strange SMS messages along the lines of:

  • We’ve noticed suspicious activity on your account. Visit scamsiteabc.com/kkjdkjh if you did not make any recent purchases.
  • Congratulations! You’ve won a $500 Best Buy gift card. Click the link to redeem your prize scamsitexyz.com/ljhkjsfds

Of course, both of these messages are really just scams. They are a type of phishing conducted over SMS, hence the name Smishing. These smishing messages can look real—that’s the point. They are designed to trick the recipients into thinking that they are legitimate. They lead the recipients through a number of steps that ultimately result in them handing over sensitive details, such as their login details or banking information.

smishing title card

How Does Smishing Work?

Scammers collect a bunch of phone numbers and send out smishing messages in bulk to unwitting victims. These messages often appear to come from respected organizations, such as the recipient’s bank, or a major retailer. The exact details of the messages vary, but they generally try to elicit a quick response before the recipient has a chance to question it.

Common examples include offering prizes that may excite recipients or a warning that someone has attacked their account. The message prompts the recipient to take some immediate action. These actions can include:

  • Clicking a link – This is probably the most common example. These links will take you to a website that looks legitimate, but the details will be slightly wrong. For example, instead of the real URL, yourbank.com, the scam site may actually be yourbamk.com. At a glance it looks the same, but the scam site has no relation to your bank.
  • Contact an email address – Much like in the above example, the address can seem real, but it may have subtle differences, such as customerservice@yourbamk.com, instead of customerservice@yourbank.com.
  • Call a phone number – The number will not actually belong to the company, but a scammer impersonating the organization’s call center.

When these messages succeed and trick the recipients into taking the next step, they will be funneled deeper along in the attack. The recipient may be pushed to download malware onto their device, which can end up spying on them and stealing their sensitive information.

The other main tactic is to manipulate recipients into handing over their login details or banking information. One technique is to fake a security breach and have users re-enter their password on a fake login page. Just like that, scammers can take control of your account.

Other tactics include asking the recipient to update their account details, or to confirm their security questions and answers. This can ultimately give attackers the information they need to take control of the account.

Smishing is used to directly target individuals, or as an attack vector for penetrating deeper into an organization. If a smishing attack fools an employee, it can give these scammers access to the company’s systems. From this foothold, they can escalate their privileges until they reach their ultimate goal. This could be stealing valuable data or even accessing the company’s finances.

How Can You Avoid Smishing?

Individuals can avoid smishing by always being skeptical of text messages that ask them to visit a link, to email someone, or to call a number. They should use caution if they do not know the sender, or if the message sounds too good to be true.

Recipients should always double check the URLs, email addresses, and phone numbers to make sure that they belong to the company. You can check your prior correspondence with the company, or do a web search of the details alongside the company name to confirm. Compare the details in the smishing message against the official ones from the company, making sure to look closely for misspellings.

You can also check potential phishing sites against this database to see if it has already been reported. If you can confirm it is a smishing message, all you have to do is ignore it to stay safe. Do not even click the link, because it could infect your device. If you aren’t sure, contact the company via its official channels to check whether or not it is a scam.

Many companies have a blanket policy that they will never contact you by text asking you to update your account. If this is the case and you receive such a message, you can easily disregard it as a scam.

How Can You Defend Your Customers From Smishing?

If your company would like to be able to send URLs in its text messages without also opening the door to scammers, you can use a service like LuxSci’s SecureText. You can alert your customers that the only text messages you send will take them to the SecureText portal. As long as they check that the URL for the portal is correct, they will be safe to click the link. They can disregard any other messages purporting to be from your organization, because these will be scams.

From the SecureText portal, the recipient can enter their details to gain access to the message. The protective features of LuxSci’s SecureText allow organizations to send sensitive information via SMS, all in a HIPAA-compliant manner. With SecureText and a proper warning strategy, you can help protect your recipients from being tricked by smishing scams that seem to come from your organization.

Why Should You Bother with Information Security? Isn’t Everything Hackable Anyway?

Thursday, June 1st, 2017

With the ever-increasing flow of large-scale hacks, many seem resigned to the fact that its only a matter of time before they get hit too. Security and its challenges have fully penetrated mainstream thought. Everyone knows that the CIA, the FBI, Russia, and even the hacker next door can break into your computer or phone, hijack your router, intercept your traffic, and take over your life.

In response, there has been a huge cry for better training, more secure software, secure email and secure texting. Basically, security everywhere. But if the hackers and agencies are really this powerful, why should you bother?

Cynbersecurity

Are security services and products worth anything these days? Do they actually provide any protection? Or are they the emperor’s new bullet-proof-vest? It is surprising how many people have come to accept a complete lack of security. Some seem to use this as an excuse to avoid technologies that could benefit both their personal and business lives.

A great example comes from a dentist who was interested in sending notices to his patients via text, but resigned himself to “not bothering” as there is “no way to secure these things, anyway.” While that may be true in an absolute sense, it is not true practically.

In this article we will examine the reasons why we should bother with security and how it can help us in our personal and business lives.

Read the rest of this post »

LUXSCI