The Hidden Cybersecurity Threat in Organizations: Nonfederated Applications

Nonfederated applications pose an unseen and severe threat because in most organizations there is a lack of visibility into who has access to what and how accounts are secured. Sponsored by Cerby, Ponemon Institute surveyed 595 IT and IT security practitioners in the United States who are involved in their organization’s identity and access management strategy. The study aims to determine organizations’ level of understanding of the risks created by nonfederated applications and the steps that can be taken to mitigate the risk.

(Click here to download the full report immediately from Cerby’s website.)

A key takeaway from the research is that organizations don’t know what they don’t know when it comes to nonfederated applications. Less than half (49 percent) of organizations track the number of nonfederated applications they have that are not managed and accessed by their identity provider. Of those respondents who track nonfederated applications, 23 percent say they have between 101 to 250. The average number is 96. Despite efforts to have an accurate inventory, only 21 percent of these respondents are highly confident that they know all the nonfederated applications used throughout the enterprise.

Nonfederated applications are risky because they cannot be centrally managed using the organizations’ IdP (59 percent of respondents). Fifty-one percent of respondents say they are risky because they do not support industry identity and security standards such as Security Assertion Markup Language (SAML) for single sign-on or System for Cross-domain Identity Management (SCIM) for the user onboarding and offboarding process. As defined in this research, nonfederated applications lack support for the security standards organizations need to manage at scale. In the cloud and on-premises, these applications do not support common industry security standards.

NOTE: An IdP is a service that stores and manages digital identities. The use of an IdP can simplify the process of managing user identities and access, as it allows users to use a single set of credentials across multiple systems and applications. Many organizations use IdPs to manage user access to internal and external systems, such as cloud-based applications or partner networks.
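To make the SAML/SCIM point concrete, here is an added example (not code from the report, Cerby or Ponemon) of what IdP-driven offboarding looks like when an application exposes a SCIM 2.0 endpoint, next to what happens when it does not. The PatchOp message shape follows RFC 7644; the in-memory user store, the application inventory and the account data are constructed for this illustration.

```python
"""Added example (not from the Ponemon/Cerby report): IdP-driven
deprovisioning when an application supports SCIM 2.0, versus the manual
admin login a nonfederated application requires.

The SCIM PatchOp message shape follows RFC 7644; the in-memory user store,
the app inventory and the account data are constructed for this example.
"""
import json

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_deactivate_patch() -> dict:
    """PatchOp an IdP sends to /Users/{id} to disable an account (RFC 7644, section 3.5.2)."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


class ScimUserStore:
    """Minimal stand-in for an application's SCIM /Users resource (constructed)."""

    def __init__(self, users):
        self.users = {u["id"]: dict(u) for u in users}

    def patch(self, user_id: str, body: dict) -> dict:
        # Reject anything that is not a well-formed PatchOp before touching state.
        if SCIM_PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("not a SCIM PatchOp")
        if user_id not in self.users:
            raise KeyError(user_id)
        user = self.users[user_id]
        for op in body["Operations"]:
            if op["op"] != "replace" or op["path"] != "active":
                raise ValueError(f"unsupported operation: {op}")
            user["active"] = bool(op["value"])
        return user


def offboard(apps, user_name: str) -> dict:
    """Simulate offboarding one user across an app inventory.

    Apps with a SCIM store are deprovisioned automatically; apps without
    one are listed for manual admin action, which is exactly the gap the
    report describes for nonfederated applications.
    """
    automated, manual = [], []
    for app in apps:
        store = app.get("scim")
        if store is None:
            manual.append(app["name"])
            continue
        for user_id, u in store.users.items():
            if u["userName"] == user_name:
                store.patch(user_id, build_deactivate_patch())
                automated.append(app["name"])
    return {"automated": automated, "manual_followup": manual}


# Constructed inventory: two SCIM-capable apps and one nonfederated app.
APPS = [
    {"name": "crm", "scim": ScimUserStore([
        {"id": "u-1", "userName": "alice@example.com", "active": True}])},
    {"name": "wiki", "scim": ScimUserStore([
        {"id": "u-9", "userName": "alice@example.com", "active": True}])},
    {"name": "legacy-vendor-portal", "scim": None},  # no SCIM: an admin logs in by hand
]

if __name__ == "__main__":
    print(json.dumps(build_deactivate_patch(), indent=2))
    print(offboard(APPS, "alice@example.com"))
```

The `manual_followup` list is the part that does not scale: every entry is an account an admin has to remember to disable by hand, and the one that is forgotten is the lingering access the survey respondents worry about.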

The following findings are evidence of the risk posed by nonfederated applications. 

  • The cost and time of provisioning and deprovisioning access to applications quickly adds up. Before analyzing the risks, it is important to understand the costs. Seven hours is the average time spent provisioning access to a standard set of applications for one employee. At an average $62.50 hourly pay rate the cost is $437.50 per employee. To deprovision one employee takes an average of 8 hours costing $500 per employee. Organizations can use this benchmark to calculate the process’s impact based on the annual turnover in employees and contractors.
  • Salaries also need to be considered. An average of 8 people are involved in the provisioning and deprovisioning process in addition to their other responsibilities. The average annual salary per staff member is $81,000. Consequently, the total annual staff cost amounts to $648,000, with a significant portion allocated to the time-consuming manual work of provisioning and deprovisioning, which could be better utilized elsewhere.
  • The total average annual cost to investigate and remediate cybersecurity incidents involving nonfederated applications is $292,500. This is based on 47 hours each week or 2,444 annually to investigate potential unauthorized access and 43 hours weekly, or 2,236 annually, to investigate and remediate cybersecurity incidents caused by unauthorized access to nonfederated applications.
  • Nonfederated applications are represented across all application categories and are not limited to a single business unit. As discussed previously, only 49 percent of organizations are tracking the use of nonfederated applications. Only 21 percent of these respondents say their organizations are confident in knowing all the nonfederated applications being used. Nonfederated application use across business units underscores the difficulty in managing them.
  • Fifty-two percent of respondents say their organizations have experienced a cybersecurity incident caused by the inability to secure nonfederated applications. Sixty-three percent of these respondents say their organizations had a minimum of 4 and more than 5 incidents. Loss of customers and business partners are the primary consequences of a cybersecurity incident caused by the inability to secure nonfederated applications, according to 43 percent and 36 percent of respondents respectively.
  • Security and identity teams are often left out of managing and manually controlling access to nonfederated applications. According to the research, shared management of nonfederated applications leads to a decentralized approach. Business units (63 percent of respondents) are most likely to manage these applications followed by IT teams (54 percent of respondents). Only 45 percent of respondents say the security and/or identity teams are responsible for managing these applications. Moreover, 54 percent of respondents say the granting and revoking of access are controlled by business units.
  • Organizations are using inefficient manual processes to grant and revoke access to applications. An average of 84 applications in organizations represented in this research require an admin to manually log in to add, remove or update access, meaning the application doesn’t support SCIM and the organization cannot leverage automation through its IdP. The primary reasons for not automating the process are SCIM is not supported (33 percent of respondents) and the cost (31 percent of respondents).
  • Organizations rely upon business units to report their use of nonfederated applications. While there are several methods used to collect information about current nonfederated applications, business units are most likely to self-report their use of nonfederated applications (62 percent of respondents) followed by the use of a cloud access security broker (CASB) (48 percent of respondents) and endpoint detection tools (47 percent of respondents). Only 39 percent of respondents say business units complete a form to confirm the nonfederated applications used.
  • An average of more than half of tracked nonfederated applications do not support single sign-on (SSO). As discussed previously, there is an average of 96 nonfederated applications in organizations that track their use and respondents estimate that an average of 50 of these do not support SSO. As described in the research, the benefit of SSO is that it permits a user to have one set of login credentials—for example a username and password to access multiple applications. Thus, SSO eases the management of multiple credentials.
  • Organizations lack an effective process to prevent employees from putting data in nonfederated applications at risk. Few organizations report that they are effective in preventing employees’ reuse of passwords, retaining access to critical systems after they leave or change roles and preventing the disabling of MFA.
  • There is a desire to prioritize nonfederated application security, but the risk is underestimated due to a lack of awareness. While only 34 percent of respondents say their organizations do not make the security of nonfederated applications a priority, 44 percent of respondents say management underestimates the cybersecurity risks. When educated on the risks, 82 percent of respondents say the importance of securing nonfederated applications increased.
  • Employees are sharing their account login credentials, making it critical to have the proper security safeguards in place. Seventy-six percent of respondents say employees are sharing account login credentials with both employees and external collaborators (35 percent), sharing account login credentials with other employees (21 percent) and sharing with external collaborators (20 percent).
  • Exposing, failing to rotate passwords and being unable to track who is accessing a shared account are top security concerns. Forty-one percent of respondents say employees or collaborators share accounts without concealing the password and another 41 percent say passwords are not rotated. Reused or weak credentials also create risk (36 percent of respondents).
  • Organizations are not able to reduce the cybersecurity risks caused by shared accounts. Half of respondents (50 percent) say their organizations’ access management strategy enables employees to share login credentials securely when required by the application. However, only 27 percent of respondents say their organizations are very or highly effective in reducing cybersecurity risks from shared accounts. Of those respondents (73 percent) who rank their organization’s effectiveness as low, 56 percent are motivated to reduce the cybersecurity risk.
  • Organizations lack processes and policies to make nonfederated applications secure. Only 41 percent of respondents have a process to make nonfederated applications secure and compliant with their organizations’ policies and only 35 percent of respondents say they have a policy that prevents the trial use of new nonfederated applications. Thirty-nine percent of respondents say the use of nonfederated applications is limited. As shown in this research, organizations do not like to limit the use of nonfederated applications because it can affect employee morale and productivity.
  • The challenge for organizations is that they don’t know what they don’t know. The top two challenges to securing nonfederated applications are the inability to know and manage all nonfederated applications because of the lack of visibility and not having an accurate inventory. This is followed by the inefficient use of manual processes to secure nonfederated applications. Budget and in-house expertise are not considered as much of a challenge.
  • Most organizations do not follow up to ensure password and MFA policies adherence. Fifty-seven percent of respondents say employees are required and reminded to turn on MFA and about half (48 percent of respondents) say employees are required and reminded to rotate passwords regularly. However, only 40 percent of respondents say they follow up with every account to make sure MFA is turned on and passwords are rotated in accordance with their policies.

To read the full report, visit the Cerby website.

Rules for Whistleblowers: a Handbook for Doing What’s Right

Bob Sullivan

Ever see something at work that you just knew wasn’t right, but felt like there was nothing you could do? Maybe there is something you can do. And maybe you can do it … anonymously.

When whistleblower Francis Haugen came forward and testified before Congress about what she thought was going wrong inside Facebook, she changed big tech forever. Or did she?

I recently talked about this with Stephen Kohn, author of the book, Rules for Whistleblowers, A Handbook for Doing What’s Right. He’s also one of the nation’s leading whistleblower attorneys. We discussed the lasting impact Haugen did (or didn’t) have on the tech industry. But more important, he offered a roadmap for people who work in tech to come forward if they think something terribly wrong is happening at their company. And he explained how workers can do this without putting their livelihoods at risk.

“What we’ve seen is for every one whistleblower who’s willing to go public and really risk a lot, there’s a thousand who would go non-public and provide supporting information,” he said to me on the Duke Debugger podcast that I host. But those who go public often get “crushed” by well-funded legal teams.

“That’s why Congress in 2010 with the Dodd-Frank Act created these… what I call super anonymity laws. When I discussed those with the Senate banking committee, when the law was being debated …  I’ll never forget it, the Senate staffer said to me, ‘Steve, if Wall Street knows who you are, you will be crushed no matter what, and your career will be destroyed. You know, we have to create procedures to prevent that.’ And I said, ‘Hallelujah!’ ”

Whistleblowers can come forward without making a big public display, and in fact, government investigators often prefer that, he said.

“Anonymous means you don’t have to set your hair on fire. You don’t have to burn your bridges,” he said. “And the government wants you to stay working in the company so you can provide additional information about violations. Once you have filed, sometimes the government agencies will share your information or you’re aware of other agencies that might be interested, and  … say, tell the SEC to share your information. So it begins a process. The bottom line is these laws make it easier to do the right thing to report misconduct and not necessarily lose your job and career.”

Provisions in the Dodd-Frank bill have changed the nature of whistleblowing and they include large financial incentives.

“The SEC alone has paid whistleblowers about $1.5 billion in rewards, and in almost every one of those cases, no one even knows who the whistleblower is. They don’t receive big press reports. It’s almost all under the radar,” Kohn said.

Readers can listen to the entire interview, or read a transcript, at this site. Kohn’s book is called Rules for Whistleblowers, A Handbook for Doing What’s Right and will be available at National Whistleblower Center and bookstores on June 1.

The data is in the cloud, but who’s in control?

Ponemon Institute is pleased to present the findings of the 2022 Global Encryption Trends Study, sponsored by Entrust. We surveyed 6,264 individuals across multiple industry sectors in 17 countries/regions – Australia, Brazil, France, Germany, Hong Kong, Japan, Mexico, the Middle East (which is a combination of the respondents located in Saudi Arabia and the United Arab Emirates), Netherlands, the Russian Federation, Spain, Southeast Asia, South Korea, Sweden, Taiwan, the United Kingdom, and the United States.

The purpose of this research is to examine how the use of encryption has evolved over the past 17 years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a U.S. sample of respondents. Since then we have expanded the scope of the research to include respondents in all regions of the world.

Organizations with an overall encryption strategy increased significantly since last year. Since 2016 the deployment of an overall encryption strategy has steadily increased. This year, 62% of respondents say their organizations have an overall encryption plan that is applied consistently across the entire enterprise, a significant increase from last year. Only 22% of respondents say they have a limited encryption plan or strategy that is applied to certain applications and data types, a significant decrease from last year. The average annual global budget for IT security is $24 million per organization. The countries with the highest average annual budgets are the U.S. ($41 million) and Germany ($28 million).

Following are findings from this year’s research.

Enterprise-wide encryption strategies have continued to increase. Since conducting this study 17 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. In this year’s study, 61% of respondents rate the level of their senior leaders’ support for an enterprise-wide encryption strategy as significant or very significant.

Certain countries/regions have more mature encryption strategies. The prevalence of an enterprise encryption strategy varies among the countries/regions represented in this research. The highest prevalence of an enterprise encryption strategy is reported in the United States, the Netherlands, and Germany. Although respondents in the Russian Federation and Brazil report the lowest adoption of an enterprise encryption strategy, since last year it has increased significantly. The global average of adoption is 62% of organizations represented in this research.

Globally, the IT operations function is the most influential in framing the organization’s encryption strategy. However, in the United States the lines of business are more influential. IT operations are most influential in the Netherlands, Spain, France, Southeast Asia and the United Kingdom.

The use of encryption has increased in most industries. Results suggest a steady increase in most of the 13 industry sectors represented in this research. The most significant increases in extensive encryption usage occur in manufacturing, energy & utilities and the public sector.

Employee mistakes continue to be the most significant threats to sensitive data. In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests.

Most organizations have suffered at least one data breach. Seventy-two percent of organizations report having experienced at least one data breach. Twenty-four percent say they have never experienced a breach and 5% are unsure.

The main driver for encryption is the protection of customers’ personal information. Organizations are using encryption to protect customers’ personal information (53% of respondents), to protect information against specific, identified threats (50% of respondents), and to protect enterprise intellectual property (48% of respondents).

A barrier to a successful encryption strategy is the inability to discover where sensitive data resides in the organization. Fifty-five percent of respondents say discovering where sensitive data resides in the organization is the number one challenge and 32% of respondents say budget constraints is a barrier. Thirty percent of all respondents cite initially deploying encryption technology as a significant challenge.

No single encryption technology dominates in organizations. Organizations have very diverse needs for encryption. In this year’s research, backup and archives, internet communications, databases, and internal networks are most likely to be deployed. For the fifth year, the study tracked the deployment of the encryption of Internet of Things (IoT) devices and platforms. Sixty-three percent of respondents say IoT platforms have been at least partially encrypted and 64% of respondents say encryption of IoT devices has been at least partially deployed.

Certain encryption features are considered more critical than others. According to the consolidated findings, system performance and latency, management of keys, and enforcement of policy are the three most important encryption features.

Intellectual property, employee/HR data, and financial records are most likely to be encrypted. The least likely data types to be encrypted are health-related information and non-financial information, which is a surprising result given the sensitivity of health information.

To read the rest of this report, and find out how organizations are using encryption to protect data and workloads across multiple cloud platforms, visit Entrust’s website at this link.

Dealing with Twitter’s 2FA downgrade? Don’t make this mistake

Bob Sullivan

Twitter has followed through with its half-baked plan to turn off two-factor authentication for (millions of?) non-paying users, leaving them half-naked to the vast criminal underground. If that’s you, you’re looking at not-very-good choices right now, but doing nothing might be the worst of all. I’m seeing reports of people getting hacked almost immediately, which you would expect, given the long lead time criminals have had to prepare for this day when many accounts would suddenly be one password away from compromise.

The only practical answer for most people who wish to continue to use Twitter without paying for SMS security is to enable a free token generator tool like Google Authenticator. I recommend you do that, too, rather than remain out there half-naked. Twitter has haphazardly implemented this massive security change in the most unprofessional and ineffective way, putting all the onus on users — messages this week even tell users “you’ve turned off two-factor authentication,” which is quite an abuse of the English language. It would be understandable, even responsible, for these users to rush into installation of an authenticator. But please take heed of the advice I’m about to give or else, I promise, sometime in the next 10-500 days you’re going to have a Hellish time recovering from loss of access to your account.


In short, if you lose your phone, or it’s damaged, or you lose access to that authentication code for any reason, you may very well lose your Twitter account forever. The only thing standing between you and that very frustrating day would be a massive increase in Twitter customer service spending, and I can just about promise you, that’s not happening.

Many authentication tools have a big implementation flaw: they don’t have a user-friendly failover plan. This is because tokens have a damned-if-you-do-and-damned-if-you-don’t quality. Google Authenticator does NOT allow you to create backups. Why? Backups could be accessed by hackers, rendering the entire security protocol insecure.

You’ve seen, and used, the “forgot your password?” link many times. It’s a way of dealing with perhaps the most common roadblock on the Internet — users are told not to re-use passwords, so they forget all these newfangled passwords they use. They’re told to use password managers (a good idea!) but then they lose access to that manager or something else goes wrong. No worries: ‘Forgot your password’ usually fixes things quickly. But it’s also the weakest link in many security implementations (Here’s my 15-year-old story about that!). Criminals with just an email address can request a password reset using ‘forgot your password,’ so it creates quite a dilemma for tech companies — how do you service forgetful users without making things easy for criminals?

Authenticator implementations go a new route, effectively eliminating the customer service part of this risk equation.

If you can’t access Google Authenticator…you can’t log in. You can’t write to the app or website and ask for a new authentication code the way you use “forgot your password.” You are…just stuck. If your phone is stolen, you can’t generate the code you need to log in. Period. As I described in my story about recovering Rusty’s Instagram account, you may very well be in for months of frustration trying to recover your account some other way. Some other way, like this “prison photo” I had to take of myself.

Unless you’ve prepared ahead of time. Many sites which use authenticators create their own backup systems — often, one-time codes that the app generates which can be used as a kind of get-out-of-jail-free card. Twitter, at the moment, lets you generate one such code. To find it, for now, go to “Security and Account Access” then “Security” then “Two Factor Authentication” then “Backup Codes.” Then — and this is CRITICAL — take a screenshot of that code or write it down and put it someplace you’ll remember for the inevitable day that you’ll need it.

WARNING: YOU CANNOT GENERATE THIS CODE AFTER YOU’VE LOST ACCESS TO YOUR ACCOUNT!! You MUST take this step RIGHT NOW, as soon as you implement an authenticator app.
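To show why the app cannot simply hand you a new code, and what a backup code actually is on the server side, here is an added example, not code from Twitter, Google or the author. The code generation follows RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), which is what Google Authenticator and the other apps named in this post implement; the server-side record with its hashed, single-use backup codes is a constructed illustration of the mechanism, not any vendor's implementation.

```python
"""Added example (not from the article): why an authenticator code cannot be
recovered without the enrolled secret, and how one-time backup codes fill
that gap. TOTP follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); the
backup-code store is a constructed illustration, not any vendor's code.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactor:
    """Constructed server-side record: the TOTP secret plus hashed backup codes.

    The secret lives in exactly two places, the server and the phone. Lose the
    phone and nothing short of this record can produce a valid code, which is
    why there is no "forgot your authenticator" link.
    """

    def __init__(self, secret_b32: str, backup_codes: List[str]):
        self.secret_b32 = secret_b32
        # Store only hashes so a database leak does not hand out usable codes.
        self.unused_backup_hashes = {self._h(c) for c in backup_codes}

    @staticmethod
    def _h(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def verify_totp(self, submitted: str, at: Optional[int] = None) -> bool:
        # Accept the current step and one on either side to tolerate clock skew.
        now = int(time.time() if at is None else at)
        return any(hmac.compare_digest(totp(self.secret_b32, now + d), submitted)
                   for d in (-30, 0, 30))

    def verify_backup(self, submitted: str) -> bool:
        """A backup code works exactly once; it is burned on first use."""
        h = self._h(submitted)
        if h in self.unused_backup_hashes:
            self.unused_backup_hashes.remove(h)
            return True
        return False


def enroll(n_backup: int = 8):
    """Generate a fresh secret and backup codes at enrolment time.

    The codes are shown to the user exactly once, here; this is the moment the
    article says you must write them down.
    """
    secret = base64.b32encode(secrets.token_bytes(20)).decode()
    codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(n_backup)]
    return secret, codes, SecondFactor(secret, codes)


if __name__ == "__main__":
    secret, codes, record = enroll()
    print("current code:", totp(secret))
    print("backup codes (save these now):", codes)
    print("first backup use:", record.verify_backup(codes[0]))   # True
    print("same code again:", record.verify_backup(codes[0]))   # False, already burned
```

The two `verify_backup` calls at the bottom are the whole story of the post: the code works once, the server forgets it, and if you never copied it down there is nothing left on either side to recover from.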

As you re-read that section of this story, I’m sure you’ll see this as I do. There’s about a zillion ways human beings can get this step wrong, and will get this wrong. I predict Twitter will relatively soon be overwhelmed with account recovery requests that it cannot handle. That’s precisely what happened to Instagram/Facebook with authenticator tools. Desperate Instagram users write to me every day trying to regain access to their accounts. I predict this is going to be a far bigger issue for Twitter than account hacking.

For what it’s worth, in Instagram’s case, I believed I *had* copied the backup codes (three years prior) when I turned on 2FA after a hacking attempt from Russia; the codes I had didn’t work. So I think it’s quite possible consumers who don’t create backup codes, or don’t copy them down, or can’t find them the day they need them, aren’t the only potential pitfall of this system.

Meanwhile, if you are thinking, “I’m supposed to write down a secret code on a post-it note and leave it where I can find it as a login procedure? Isn’t that what they told me NOT to do 30 years ago?” you aren’t alone.

To be sure, there are *better* ways to implement an authenticator-based two-factor system. After my phone was stolen, Substack had me fill out a form and I engaged with a customer service representative over email who verified my identity manually. That worked just fine within a day or so. Twitter could, in theory, do this. It won’t. It will be too expensive. Far more expensive than the cost of those pesky SMS text messages that Elon just turned off out of spite and desperate penny-pinching.

Were the implementation responsible and well-planned, I would cheer for the end of SMS-based authentication. It’s not particularly safe, though it is far, far safer than password alone. Switching to a “something you have” model is truly a good long-term goal. But turning off two-factor en masse is crazy, as is hurtling a bunch of unprepared people into token-based authentication world.

BOTTOM LINE: If your two-factor authentication setup has been turned off by Twitter, take 10 minutes to turn it on now, but DON’T sprint past the backup method. I wish I could give you universal instructions to do this. I can’t, really. Everyone’s setup and needs are different. Just ask yourself: What would I do if I lost my phone? For a little more help, here’s a good CNET story about the right way to turn on authenticator on an up-to-date iPhone.

Also, there are alternatives to backup-limited tools like Google Authenticator. Microsoft Authenticator backs up accounts in the cloud — i.e., if you lose access to your phone, you can re-download the authentication generator. I have not used it so I cannot recommend it. Twitter also recommends Authy, Duo Mobile, and 1Password; each of them have their own backup options and quirks. I’ve linked to their backup explainer pages. But whatever you do, don’t just add an authentication app today and move on. You’ll regret it.


The state of supply chain risk in healthcare

Ponemon Institute in collaboration with the Healthcare Sector Coordinating Council conducted a study on the cybersecurity challenges facing the healthcare sector. More than 400 IT and IT security practitioners were surveyed who are involved in their organizations’ supply chain risk management program (SCRM) and familiar with their cybersecurity plans or programs.

A key takeaway is that risks to patients caused by new suppliers are not being evaluated by many healthcare organizations. Only half (50 percent) of respondents say their organizations evaluate the risks impacting patient care outcomes created by new suppliers’ products. Sixty percent of respondents say new suppliers are evaluated to understand if there would be adverse patient outcomes created by these organizations. According to the research, pre-existing and legacy suppliers are more likely to be included in the organizational SCRM.

(The Healthcare and Public Sector Coordinating Council (HSCC) is a coalition of private-sector, critical healthcare infrastructure entities organized under Presidential Policy Directive 21 and the National Infrastructure Protection Plan to partner with government in the identification and mitigation of strategic threats and vulnerabilities facing the sector’s ability to deliver services and assets to the public.)

The following findings reveal why the supply chain is vulnerable to a cyberattack.

Most organizations are in the dark about potential risks created by suppliers. Only 19 percent of respondents say their organizations have a complete inventory of their suppliers of physical goods, business-critical services and/or third-party information technology.

Business-critical suppliers are not regularly evaluated for their security practices. Forty-four percent of respondents say security evaluations are conducted of those suppliers who are business-critical on an ad-hoc basis (24 percent) or only when a security incident occurs (20 percent).

Most organizations are not assessing suppliers’ software and technology. Only 43 percent of respondents say their SCRM program assesses the integrity/provenance of suppliers’ software and technology. Forty-three percent of respondents say their organizations will accept certifications such as PCI-DSS, ISO-27001 in lieu of the usual assessment/attestation process for suppliers.

Pre-existing suppliers and not new suppliers are more likely to be included in the scope of an organization’s SCRM. Fifty-four percent of respondents say pre-existing suppliers that have been on-boarded before the establishment of the program are primarily included in the SCRM process. Only 46 percent of respondents say new suppliers are included.

Rarely are suppliers categorized based on their connectivity or network access to the healthcare organization. Only about half (53 percent of respondents) say their organizations categorize suppliers as part of the SCRM program. Of these, 43 percent of respondents say categorization is based on the nature of the products or services and 40 percent of respondents say it is based on the data shared with these suppliers. Only 10 percent of respondents say it is based on connectivity or network access.

There is a lack of integration between procurement and/or contracting departments and the SCRM process that could affect the ability of contracts to ensure the security of the supply chain. Only 41 percent of respondents say the procurement and/or contracting departments are integrated with their organization’s SCRM process. Only 25 percent of respondents say their organizations always add supplier remediations into their contracts if needed.

The lack of standardized language in security contracts and supply chain issues is a deterrent to an effective SCRM program. In addition to the lack of standardized security contractual language in contracts (59 percent of respondents), healthcare SCRM programs are affected by problems with the supply chain. These problems include challenges identifying critical suppliers as the supplier relationship evolves over time (49 percent of respondents), lack of risk tiering of suppliers (49 percent of respondents) and lack of supplier incident or vulnerability notification (45 percent of respondents).

Healthcare organizations face the challenge of having the in-house expertise and senior leadership support needed to have a successful SCRM program. Respondents were asked to select the reasons for not having an effective SCRM program. Fifty-nine percent of respondents say it is the lack of in-house expertise and 55 percent of respondents say it is a lack of senior leadership support.

A lack of cooperation from suppliers and employees is the primary people-related impediment to a successful SCRM program. Fifty-four percent of respondents say the lack of cooperation from suppliers and 43 percent of respondents say it is the lack of inter-departmental cooperation that stands in the way of having an effective program.

Controlling the sprawl of software usage is the number one technology-related impediment to achieving an effective SCRM program. A barrier to an effective SCRM program is managing the sprawl of software usage (i.e., applications, components and cloud services), according to 55 percent of respondents. This is followed by the prompt delivery of software patches from third parties for required upgrades (45 percent of respondents) and the lack of visibility into the cloud environment used by third parties (44 percent of respondents).

To address the supply chain risks discussed above, healthcare organizations are making the following activities a priority.

Improvement of supply chain management is a priority. Sixty-seven percent of respondents say their organizations’ top priority is implementing tools for supplier inventory management. This is followed by 63 percent of respondents who say their organizations will be implementing tools for assessment automation and 45 percent of respondents say their organizations will hire consultants for program and process definition.

Business goals for SCRM are the cost, product quality and the supply chain. Respondents were asked to identify the business goals driving the SCRM program. Fifty-nine percent of respondents say their organizations are prioritizing the impact to cost, performance, timing and availability of goods followed by 56 percent of respondents who say it is to minimize the impact of product quality. Almost half (48 percent of respondents) say it is to understand and improve cyber-resiliency of their supply chain.

Organizations are focused on tracking direct suppliers and products/services electronically (43 percent of respondents). Other top priorities are to have redundancy across critical suppliers and increase reassessments of suppliers, 36 percent and 32 percent of respondents respectively.

To read the rest of this study, please visit this link at HealthSectorCouncil.org.

Is Alexa getting between you and your partner?

Bob Sullivan

Filling your home with smart gadgets comes with plenty of risks — your TV might watch you, an angry partner or roommate might spy on you, or they might rob you of mental acuity, for example. These are big, scary threats that you probably think about, then forget about, every time you bring a new WiFi-enabled crock pot into your home.

But tech has smaller, more “everyday” impacts on us, too. If you are constantly asking Alexa for the temperature, does that mean you are losing a chance to chat with a family member? What if one partner loves to geek out, but the other doesn’t want to talk to the lights and the garage door — does that set up a subtle power imbalance that could contribute to domestic strife at some point? Maybe Amazon Dots make it easy to tell the children it’s dinner time — easier than yelling up the stairs — but is going the Star Trek “comm” route really healthy for families?

Duke University professor Pardis Emami-Naeini has been thinking about these things for a while, and I was glad (and a bit amused) to read this paper she co-authored recently. It’s cleverly titled You, Me, and IoT. I interviewed her for an upcoming “Debugger in 10” podcast (more on that soon) but couldn’t help chatting with her about these small, often overlooked, unintended consequences of technology. (Disclosure: I work at Duke, too.)

I know I have a bad habit of looking for broken things; don’t worry, Emami-Naeini takes a highly academic approach in the paper and her team found plenty of relational benefits to smart homes. Here’s a fascinating list of the good that gadgets can do, with some comments cribbed from study participants:

Bonding over tech
“Smart devices make it easier to share music with my siblings, like smart speakers for example. Instead of having to pass someone’s phone or rely on one person connected, we can just tell it to play a song and boom.”
Inter-generational kindness
“We’ve got an Apple TV and my father almost cried because he said he was really curious about [the device] and streaming television, but he felt too out of the loop and overwhelmed to try another giant leap in technology. And he was overjoyed…to have my boyfriend help out with setting it up.”
Enabling communication
“My mother was sick…and before she passed away, it was tougher and tougher for her to use the phone…So what I did was I got an Alexa and I installed it in the house, and then I could just call her and rather than her having to figure out how to answer the phone, she could just hear my voice in the ether.”
Encouraging playfulness
“The main joy that I get from Alexa is overhearing my boyfriend ask her ridiculous things just to see like if she’ll respond, how she’ll respond.”
Easing household task tension
“With the smart thermostat, we don’t argue about the temp of the house because it’s automatically set…With the doorbells, we don’t have to argue or wonder if it was locked. We can just look on the app…”
“We don’t have to nag each other to get up and do something. We can ask the device to do it for us.”
“My partner and I use Amazon Echo to set reminders for each other, which helps with making sure we are both on the same page with groceries and chores.”
Enabling independence
“My wife can now just ask the Google Home for the weather instead of assuming I know what the weather is.”

That last one there caught my attention. I once had a therapist explain to me that small, seemingly annoying requests like, “Can you bring me the newspaper?” can actually be a love language. Hear that question as, “Do you care about me enough to get me the paper?” or even just, “I want to connect in a small way right now” and you hear something very different. So: Do we really want Google Home to sweep away all these small chances to reach out?

Which brings me to the other side of the smart gadget relationship impact discussion: tech-amplified tensions, which the authors tend to call “multi-user tensions.” After all, we are used to using gadgets as solitary experiences. Many smart gadgets are social, so that leads to group dynamics, which can lead to tensions. They fit three categories, the authors say: device selection and installation, regular device usage, and when things go wrong. Some examples:

When tech fails us
“My husband is not as tech savvy as me and gets irritated with me when I can get a device to do something he can’t.”
“My parents sometimes want things fixed that are beyond my control. We sometimes disagree about what products to purchase and how they would perform on our network.”

Who’s in charge?
“Our young children ‘fight’ over talking to Alexa. They use Alexa to play songs and will cancel the other one’s music, or ask her to repeat them and use her to insult one another.”

Not everyone is an early adopter
“My husband added smart bulbs and taped over all the light switches and switched us over to using Alexa to turn on and off the lights. I don’t like it because there are times when my young children fall asleep and I want to turn off the lights silently instead of using my voice. My children don’t like it because their pronunciation is not clear and Alexa cannot understand them sometimes when they want the lights on or off. We have argued about it a couple of times but it has been made clear that his excitement for a smart home outweighs the desires of me and our two kids, so now I just deal with it and try to help my kids as much as possible.”

Weaponizing gadgets
“Any time that we try to have a conversation about not using our phones or anything like that, the biggest thing is that mostly my fiance, he turns on Alexa and asks her to play a song and at a really high volume so he can’t hear me talk anymore.”

Obviously, I think a therapist would have a lot to say about those last two comments. Blaming those issues on tech is probably misplaced. And to be fair, I’ve omitted some of the more high-stakes and beautiful ways that smart tech helps families. Like this:

“My youngest son is actually autistic, but he’s very inquisitive in nature and asks me the most intelligent but random questions that we can never really answer. So it’s always like “Go ask Alexa”…It’s almost like having a teacher or an encyclopedia like right on hand at all times, and for his way of living that’s just really helpful for him.”

Still, while we are rightly focused on the high-stakes ways that tech can endanger us — by enabling stalkers and violence — we should not overlook the small ways gadgets change our lives. I think it’s incredibly important to notice and discuss, and I hope to read more from Pardis & Co. on this.

Do any of you care to share the small ways tech has hurt — or helped — your sense of domestic tranquillity?

The State of Zero-Trust Architecture in Organizations

A zero-trust architecture aims to move defenses from static, network-based perimeters to users, assets, and resources. Sponsored by Converge Technology Solutions Corp. and Check Point Software Technologies, Ponemon Institute conducted research to determine the status of zero-trust adoption in organizations. According to the research, 48 percent of respondents believe traditional perimeter-based security solutions such as VPNs, next-gen firewalls, and network access control (NAC) products are ineffective at securing distributed hybrid cloud infrastructures.

The research shows that zero-trust architecture improves the ability to manage vulnerabilities and user access. Unlike VPNs which permit secure access to an entire network, zero trust segments access and limits user permissions to specific applications and services. Zero trust assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership.

Ponemon Institute surveyed 694 IT and IT security practitioners, including cybersecurity practitioners, in the United States who are familiar with their organizations’ zero-trust strategy. As part of the screening process, practitioners invited to complete the survey were asked if their organizations had adopted a zero-trust strategy. The 31 percent of these practitioners whose organizations had not adopted zero trust were excluded from the research. The two primary reasons for these organizations not adopting zero trust are that the value is not understood (40 percent) or there is no executive buy-in (33 percent).

Respondents were asked to rate the effectiveness of their security practices before implementation and following implementation to determine the value of zero trust to organizations.

The following findings reveal the value of a zero-trust strategy:

  • Zero-trust architecture improves vulnerability management because it segments access and limits user permissions to specific applications and services. The primary reasons for adopting zero-trust network architecture are: reducing connectivity issues; improving user experience; reducing difficulty in setting up, deploying, enrolling new users; and decommissioning departing users.
  • Zero trust is considered to improve security practices. As a result, zero trust is regarded as important or very important in ensuring customer trust and retention.
  • Controlling access is a critical objective of zero-trust architecture. Zero trust ensures attackers who gain access to users’ accounts can only access their specific tools and services and nothing else. Identity and access management and authorization are the primary components of a zero-trust architecture. Some organizations use behavioral analytics and threat intelligence to improve asset security.
  • Identity management and authorization policies are important components in zero-trust security models. As shown in the research, the primary components of a zero-trust strategy are a single strong source of identity for users and non-person entities (NPEs) and authorization policies around application or resource access.
  • Zero trust is believed to reduce attacker “dwell time” in the network. Respondents also say zero trust is very or highly effective in eliminating all lateral movement between users and servers because users are isolated from the corporate network. Zero trust is also considered highly effective in authenticating, authorizing, and inspecting all traffic flow at all times to ensure malware and attacks don’t sneak in accidentally or maliciously.

According to the research, the following are steps to take to achieve a mature zero-trust strategy:

  • Gain the support of senior leadership by regularly informing them about the effectiveness of the zero-trust program as measured by key performance indicators (KPIs). Such support can make the implementation of a zero-trust strategy more of a priority and, as a result, secure the necessary resources such as budget and in-house expertise.
  • Quantify and track the benefits of zero trust. The top three metrics used by organizations represented in this study measure the reduction in the number of data breach incidents, the reduction in the number of known vulnerabilities and reduction in the number of threats.
  • Identify existing security technologies that can be both cost-effective and aligned with the zero-trust strategy. Prioritize what new security technologies are needed as part of the organization’s zero trust implementation. A significant obstacle to achieving a strong zero-trust security posture is the continued use of legacy technologies.
  • Other obstacles to successfully implementing a zero-trust strategy include the lack of in-house expertise and budget. According to the research, the average annual IT security budget is $32 million, with an average of $2.4 million dedicated to organizations’ zero-trust strategy.

To read the report’s full findings, please visit CBISecure.com at this link.


Why are state governments starting to ban TikTok?

Bob Sullivan

North Carolina recently joined a growing list of states — more than 20 now — that have banned social media app TikTok from government-issued devices. Gov. Roy Cooper issued an executive order after two state legislators threatened to pass a law enacting such a ban.

Duke University professor Ken Rogerson, from the Sanford School of Public Policy, joined me recently to explain what’s going on. Here is a lightly edited version of our conversation, recorded for the Duke University Debugger podcast that I host.

Ken Rogerson: I think they’re taking a cue from the federal level proposals that are asking for the same thing. If you remember Bob, during the Trump administration, TikTok was banned entirely by an executive order for a little while.

Then it was rescinded by the Biden administration. And there’s another proposal even for that at the federal level to ban TikTok in the United States entirely. But there’s another proposal that I think maybe has a little bit of teeth — that’s to ban it at the federal level from any device that is federally distributed or given to an employee as part of their job.

And so I think they’re taking the cue from that federal-level proposal. But there are also some states that have already done this. Oklahoma and Nebraska have already done this at the state level through either executive orders or through legislative action of banning TikTok at that level.

So they’re not the first to do that, but they are certainly quite adamant and intense about trying to do this in North Carolina as well.

Bob: There certainly is a lot of discussion about TikTok lately, but what is the actual concern for legislators at the federal and state level about TikTok and government devices?


Ken Rogerson: Well, Bob, I think the concern is twofold. The first is a broader concern about the level of our personal information privacy on our devices. And, and that’s something that I applaud. I think it’s really great to be asking these kinds of questions and be worrying about how well our personal information is protected.

And as a subset of that, we are so interconnected. I’m not sure that a work phone is only a work phone anymore. We often use our work devices for personal things and our personal devices for work things. And so there’s an overlap there. And so there is a concern about access to personal information and the protection of information.

But in this particular case, it also seems that there’s a concern about China itself now. We can go back to the Cold War and there was … I’m a political scientist and hold that very dear to my heart. And there was something called “enemy imaging.” And that we actually found some pride in our country of looking at enemies in the world. And then post-Cold War, we had to find new enemies. There’s terrorists and terrorist organizations that filled that role. But China seems to also be filling that role at a federal level. We have a number of conversations about China. It’s interesting to me to see this trickle down at the state level. The letter that these two state legislators sent to the governor mentioned China specifically as a threat to our security and because of the kind of government that they have and the relationship between ByteDance, which owns TikTok, and the Chinese government. It’s just interesting to see that state-level legislators are looking at that as a potential threat at the state level.

Bob: So would these kinds of inquiries, these kinds of letters and legislation, be coming up if TikTok weren’t owned by a Chinese company, do you think?

Ken Rogerson: Oh, that’s such a good question. I actually am not quite sure of the answer to that, but I don’t think so. I’m not a foreign policy specialist, but certainly you can’t not pay attention to it if you’re interested in technology policy. There is a connection between Chinese companies and the Chinese federal-level government. Um, there have been a number of indicators over the past few years through, through stated policies and through small programs … I remember even five or six years ago, there was a little small order from the Chinese government that all games on phones had to register with the government. And so if you downloaded a game – Angry Birds, for example – you had to register that use with the government. And so, so there is some fear that the connection between the federal-level Chinese government and the public-sector companies who create things for phones is a little tighter than it is in other places.

At the same time, we see some companies there pushing back a little bit and negotiating a little more freedom so that they can make money. I mean, it’s a profit-based industry for sure, and, and the Chinese government wants to encourage that kind of capitalistic enterprise in its own way.

Bob: So TikTok is ragingly popular, particularly with young people, and there’s been a lot of stated public concerns that the Chinese government could use ByteDance… the data that TikTok collects in order to build this massive surveillance database of US citizens. Whatever one might think of that fear, would an executive order or legislation like this, do you think, really stop it or help with that concern? Is it effective?

Ken Rogerson: Is it effective? Another great question, Bob. Probably not. I’m a little … concern isn’t the right word … I’m watching with bated breath to see if this particular type of conversation about TikTok itself can push us into a wider conversation about some regulation and potentially consumer-empowering regulation that gives us more leverage to control our own data. We can do that in the United States, but if something happens to us, what we don’t have is resources to go protect ourselves against either governments or big companies who have much greater resources than individuals do. So, no, I’m not sure that banning TikTok from government-distributed devices really will change anything. Because as you said, young people will still use TikTok and will still access TikTok.

Now, for the most part, young people are also not going to have access to national security information, either directly or maybe through some vulnerability that will allow really good hackers to get where they need to go.

So there is a piece of that, that is probably good from a government — whether state or federal level standpoint — to say we want to protect ourselves because our devices could potentially lead to some kind of problematic intervention into our data. But, I don’t see it at all for youth using it to share, you know, quick, quick videos of food.

Bob: Now, on the other hand, when I, I read what you said to the local media in North Carolina, it made me think, well, this conversation is certainly welcome. It’s high time somebody drew a bright line around something when it comes to gathering data, right?

Ken Rogerson: Oh yeah, for sure. Again, I’m not sad about the conversation that this is encouraging among policymakers, especially. I think there are a lot of privacy advocates out there who are trying to make their voices heard, and there’s actually privacy legislation at the federal level … serious privacy legislation that some people are looking at and saying, ‘Oh, maybe something can happen here.’ For some it doesn’t go far enough. For some people it goes farther than it’s gone in the past. And so this is great to contribute to the conversation, but I think your earlier point is very well taken, which is what will it really do for those who are arguing that TikTok is a national security risk?

Well, I think that it could help in a really minimal sense, a small percentage sense for a few devices and a few people, but I don’t think it helps for those reasons. But let’s continue to have this conversation and widen it to other kinds of platforms, other kinds of information-sharing platforms as well.

Bob: If it’s good enough to ban TikTok, maybe it’s good enough to ban other kinds of technologies as well?

Ken Rogerson: Or the opposite way, right? That seems a little draconian to me to say that this is only about banning platforms who aren’t doing a good job with their data. And we can look at it from another direction as well, that we can create policy that makes personal information privacy collection-sharing much more transparent and much more user-controlled or, have some kind of oversight mechanism for people to be able to bring difficult situations to a third party to say, ‘You used my data in an incorrect way.’ There needs to be some kind of penalty or punishment here.


Survey: Ransomware attacks impact patient outcomes at half of healthcare facilities

The purpose of this research is to provide an update to the industry’s first study on the impact of ransomware on patient safety, titled The Impact of Ransomware on Healthcare During COVID-19 and Beyond, September 2021. That seminal study qualitatively demonstrated a correlation between ransomware and various impacts to patient care, including increased patient transfers/diversions, delays in procedures and tests, increased complications from medical procedures, and higher mortality rates. This updated study, according to survey respondents, shows ransomware continues to impact patient care, and seeks to understand how cybersecurity peer benchmarking can help healthcare organizations strengthen their cybersecurity posture to help reduce the risk of a ransomware attack and its potential impact on patient care.

Ponemon Institute and Censinet will present the details of the independent research report in an upcoming webinar, “The Impact of Ransomware on Patient Safety and the Value of Cybersecurity Benchmarking.” It will be presented live on January 24 at 12:00 PM ET and features me and Ed Gaudet.

As shown in the 2021 study sponsored by Censinet, 61 percent of respondents were not confident, or had no confidence, in their ability to mitigate the risks of ransomware. In this year’s study, also sponsored by Censinet, more organizations experienced a ransomware attack and an increasing number of these attacks are caused by poor cybersecurity controls internally and at third-party vendors and products. In addition to the impact of ransomware on patient safety, this study explores the importance of cybersecurity peer benchmarking and third party risk management to reduce cyber threats such as ransomware.

Our findings indicate that hospital IT/security personnel continue to believe ransomware has a broad and adverse impact on patient care. With ransomware growing exponentially and most organizations under constant threat, this report also explores how peer benchmarking improves an HDO’s cybersecurity program effectiveness, including its decision-making, hiring, and resource allocation.

The two-year trend in ransomware attacks

This research is unique because it tracks how healthcare organizations and patient care have been impacted by ransomware attacks since 2021. The following findings demonstrate that ransomware continues to be a growing problem for the industry.

  • Ransomware attacks are on the rise. Almost half of respondents (47 percent) say their organizations experienced a ransomware attack in the past two years, an increase from 43 percent in 2021. In the past two years, 93 percent of these respondents experienced at least one (65 percent) or between two and five ransomware attacks (28 percent).
  • Third-party ransomware attacks have increased significantly. Of the 47 percent of respondents who reported a ransomware attack, 46 percent say it was caused by a third party, an increase from 36 percent in 2021. This finding indicates the importance of having policies and practices in place to proactively assess third party risk, remediate identified security gaps, and quickly respond to and recover from a third party-driven ransomware attack.
  • More organizations are paying ransoms. Sixty-seven percent of respondents, an increase from 60 percent, say their organizations are paying ransom. The average ransom payment has increased from $282,675 to $352,541 in the past two years. The average duration of disruptions caused by ransomware attacks has not improved and can last more than one month (35 days).
  • More patients are adversely affected by ransomware attacks. Fifty-three percent of respondents in organizations that had a ransomware attack say it resulted in a disruption in patient care. Complications from medical procedures due to ransomware attacks increased significantly from 36 percent of respondents to 45 percent of respondents. The most prevalent impact was an increase in patients transferred or diverted to other facilities from 65 percent of respondents last year to 70 percent of respondents this year. In addition, 21 percent of respondents say ransomware has an adverse impact on patient mortality rates.
  • Business continuity plans are increasingly the most important step to preparing for a ransomware attack. Sixty percent of respondents say their organizations have a business continuity plan that includes a planned system outage in the event of a ransomware attack, an increase from 54 percent of respondents. Also, 33 percent of respondents say their organization is increasing funds to deal with a potential ransomware attack, an increase from 23 percent in the previous study.


Benchmarking the effectiveness of cybersecurity programs is considered important and valuable.

As ransomware attacks increase, an effective cybersecurity program is critical. According to the findings, respondents agree that peer benchmarking is both valuable and important.

  • Benchmarking is very valuable in demonstrating cybersecurity program effectiveness, according to 78 percent of respondents. Benchmarking is also valuable when demonstrating cybersecurity framework coverage/compliance (61 percent of respondents) and improving cybersecurity programs (52 percent of respondents).
  • Benchmarking improves cybersecurity program decision making. Another important value of benchmarking is to make better, data-driven decisions (53 percent of respondents) followed by the ability to demonstrate effectiveness of benchmarking program investments (48 percent of respondents).
  • Benchmarking is important to making the business case for hiring cyber staff and purchasing technologies, according to 69 percent and 60 percent of respondents respectively. Fifty-seven percent of respondents say benchmarking is valuable when making investment decisions in the cybersecurity program.
  • Benchmarking is important when establishing cybersecurity program goals, according to 67 percent of respondents. These metrics are also helpful in responding to and recovering from ransomware attacks, according to 51 percent of respondents.

“The findings in this year’s Ponemon report are, unfortunately, not surprising as ransomware continues to shut down hospital operations and disrupt care at an alarming rate,” said Ed Gaudet, CEO and Founder of Censinet. “With patient safety in jeopardy and ‘asymmetric warfare’ no longer hyperbole to describe the situation, this report highlights the continued threats while introducing new approaches to creating rigorous, robust, and continuous cyber programs that protect patients.”

To read the entire report, visit Censinet’s website.

With SBF arrest, is crypto having a Lehman Brothers moment or a Bernie Madoff moment?

Bob Sullivan

No one knows when an investment bubble will burst, but in retrospect, there’s often a single event that comes to symbolize the beginning of the end — as the Lehman Brothers implosion is now forever intertwined with the collapse of the housing bubble and the Great Recession. It’s understandable that many see the recent collapse of cryptocurrency exchange FTX — and the ripple effects from that news — as the beginning of the end for a cryptocurrency bubble, and perhaps for cryptocurrency itself. Or perhaps it’s just the end of the beginning?

I recently hosted a discussion with several crypto experts at my regular “In Conversation” column I publish with Duke University. You can read the entire threaded dialog at the In Conversation page, but I’ll give you highlights here:

From Lee Reiners, a Duke professor who formerly worked at the New York Fed:

“One can only hope that it is the end and we all move on to more productive things. Imagine how much better the world would be if all the money and human capital that has flooded into cryptocurrency over the past decade had instead gone into addressing climate change or curing cancer? But the allure of quick and easy riches is hard to resist for many people.

“As much as I wish it were so, I do not believe this is the ‘end’ of crypto. … I see the industry increasingly embracing DeFi, or decentralized finance. DeFi represents traditional financial services offered on the blockchain without the need for any third-party intermediaries, all made possible by smart contracts. DeFi is particularly problematic from a regulatory standpoint, as regulation traditionally applies to legal entities. Who is responsible for compliance when the service is provided by open-source software?

“DeFi, and crypto more generally, are destined for the ash heap of history because they provide no genuine economic utility. But I do not believe it will be a swift death. At this point, crypto has taken on religious elements and there will always be a core group of true believers, no matter what happens. But as time passes and people realize crypto’s killer use case will never come, most people will move on to other things and twenty years from now, we’ll share a drink and remark: ‘remember when crypto was a thing, those were wild times.’ Until then, good people must actively resist the crypto-con so that innocent people are not taken advantage of, national security is not undermined, and financial stability is maintained. It won’t be easy, but it is necessary.”

From Shane Stansbury, Duke professor and former federal prosecutor with the SDNY:

“It has been difficult to watch the celebrity marketing blitz in this industry over these last couple of years with the sinking feeling that the day would come when many average folks would lose their shirts (or, quite literally, their life savings).

“Will the likes of LeBron James and Tom Brady think twice in the future before placing their reputations on a product like this? I like to think so (and surely Taylor Swift is relieved that she passed on the opportunity).

“With all due respect to fans of Kim Kardashian, enforcement actions can serve as important deterrents. Although investor lawsuits can be an uphill climb (in part because of the difficulty of linking one’s loss to specific endorsements), the SEC did reach a $1.2 million settlement with Kardashian for failure to make proper disclosures when touting a crypto asset on her Instagram feed. Regardless of your net worth, that’s real money and few celebrities want to find themselves entangled in regulatory actions or, even worse, getting a knock on the door by criminal investigators. There are easier ways to make a buck, and none of this can be good for one’s brand.

“Like Lee, I don’t think crypto is going away anytime soon, at least absent some other major developments (always a possibility in this space). As bad as the SBF/FTX debacle was, it was no Lehman Brothers, in part because the scale and global financial impact are different by orders of magnitude. Most of the victims were institutional investors, and their losses, however painful, did not send shockwaves through the larger financial system. That matters for purposes of the level of accountability that the public will demand.”

Read the entire thread at this link.