Sunday, December 30, 2018

CIS Controls: A Cybersecurity Blueprint to Prevent Cyber Attacks


Data breaches are arguably the gravest risk modern businesses face. According to an alarming report from the insurer Hiscox, 70 percent of organizations are inadequately prepared for cyberattacks. This is particularly concerning in light of the multimillion- or even billion-dollar damages that can result from a breach. Far too many businesses have already suffered devastating attacks: 45 percent of Hiscox's poll respondents admitted to at least one cyberattack in the past year, and many reported two or more.

At the small to midsize business level, cyberattacks aren't merely annoying; they can spell certain doom for those already struggling to get by. Hence the need for a robust set of security controls. That's exactly what the Center for Internet Security provides with its Top 20 list of Critical Security Controls. While these controls have been in the making for well over a decade, they have recently gained greater prominence at the federal and state level and among private entities. Below, we offer an in-depth overview of this critical security tool, as well as suggestions for implementation:

What Are the CIS Top 20 Critical Security Controls?

The Center for Internet Security maintains detailed guidelines outlining prioritized actions known as critical security controls (CSCs). The goal is to proactively and effectively address security threats, thereby minimizing the potential for future data breaches. While any organization can benefit from implementing these controls, they are particularly valuable for those that currently lack a robust security program. The CSCs provide an accessible means of implementing security measures while paving the path to a fully fleshed-out compliance framework.

A Brief History of the CIS Top 20 CSC


Before exploring specific controls, it helps to understand how they came to be. They were initially developed in response to a 2008 request from the Office of the Secretary of Defense, which sought assistance from the National Security Agency. At the time, the NSA best understood the nature of cyber attacks and how to combat them. The White House's cybersecurity mantra of the day was: "Offense must inform defense."

By the time the aforementioned request was made of the NSA, the agency had already compiled and refined a list of effective security controls dating back to the early 2000s. These controls were originally prompted by military requests. While the initial list was limited to official use, the NSA eventually agreed to share its compiled cybersecurity information in hopes of helping other government agencies improve their security posture.

Upon validation by the U.S. State Department, the CIS Top 20 was found to align closely with thousands of documented attacks suffered at the federal level. In an effort to address significant security weaknesses, the State Department made integration of the CIS standards a clear priority. The effort was an undeniable success; the State Department achieved an impressive 88 percent reduction in risk across tens of thousands of systems. As a result, the CIS standards quickly became the blueprint of choice not only for other federal organizations, but also in the private sector.

Today, the CIS Top 20 controls are maintained and updated by a vast team of volunteers, including experts from every segment of the cyber ecosystem. Expert volunteers include auditors, threat analysts, policy-makers, users, and more. They come from a wide array of sectors, including everything from transportation to defense. Their feedback ensures that the controls remain not only effective for protecting against a range of security threats, but also accessible, scalable, and easy to implement for a broad spectrum of businesses and organizations.

Defining the Basic Controls (Top 6)

Basic CIS Controls (click to enlarge)


The first six controls outlined by the CIS are often referred to as the 'basic controls.' While all of the outlined controls in the Top 20 are valuable, the basic CIS controls would ideally be implemented by all organizations seeking to ready themselves for future cyber attacks. Basic controls include the following:

#1 Inventory of Authorized and Unauthorized Hardware

It is imperative that organizations track all network devices; without a detailed inventory, it is virtually impossible to provide adequate protection. Successful application of the first control is the foundation on which all other CIS controls rely. Putting this control into practice means identifying all relevant devices and maintaining a current inventory. This can be a huge undertaking; experts at CIS recommend using active scanning tools and other automated procedures. Active scans alone are not enough, though: devices that are powered off, firewalled, or on a segment the scanner cannot reach will be missed, so pair scanning with passive sources such as DHCP lease logs and switch MAC tables, and reconcile everything against the authorized list.

#2 Inventory of Authorized and Unauthorized Software 

This control references the need for active management of all network software to ensure that only authorized software is installed — and to quickly detect and deal with any unauthorized software that finds its way into managed networks. Cybercriminals regard organizations with vulnerable software as easy targets. Organizations that identify all existing software and develop approved whitelists improve visibility and may even see considerable savings as they discard unnecessary programs.
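Controls #1 and #2 come down to the same loop: discover what is actually present, compare it with what is authorized, and act on the difference. The script below is an added example, not CIS tooling or Alpine Security's code; the scan output, authorized-hardware CSV, package listing, and software allowlist are constructed in-line to stand in for an ARP scan export and a package-manager listing. It normalizes MAC addresses (scanners, switches, and spreadsheets all write them differently), flags devices that were seen but not authorized, flags authorized devices the scan did not find, and flags installed software that is either absent from the allowlist or present at an unapproved version.

```python
"""Reconcile discovered hardware and installed software against allowlists.

Added example; every input below is constructed.  In practice the scan text
would come from an ARP/DHCP scan export and the package list from the host's
package manager.
"""
import csv
import io
import re

# --- constructed sample inputs ---------------------------------------------
AUTHORIZED_HARDWARE_CSV = """\
mac,hostname,owner
00:11:22:33:44:55,fin-laptop-01,finance
AA-BB-CC-DD-EE-01,web-01,infra
aabb.ccdd.ee02,db-01,infra
"""

# Pretend output of an active ARP scan of the office subnet: ip, mac, name.
SCAN_RESULTS = """\
192.168.10.5   00:11:22:33:44:55  fin-laptop-01
192.168.10.20  aa:bb:cc:dd:ee:01  web-01
192.168.10.77  de:ad:be:ef:00:01  (unknown)
"""

# Package name -> approved versions; an empty set means any version is fine.
SOFTWARE_ALLOWLIST = {
    "openssh-server": {"7.4", "8.2"},
    "nginx": set(),
    "python3": set(),
}

# Pretend "name version" listing from a package manager on one host.
INSTALLED_PACKAGES = """\
openssh-server 6.6
nginx 1.18.0
python3 3.8.10
teamviewer 15.2
"""

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(raw: str) -> str:
    """Canonical lower-case colon form; accepts 00:11..., 00-11..., 0011.2233.4455."""
    hexdigits = _NON_HEX.sub("", raw.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_authorized_hardware(csv_text: str) -> dict:
    """Map normalized MAC -> hostname from the authorized inventory."""
    return {normalize_mac(row["mac"]): row["hostname"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def parse_scan(scan_text: str) -> list:
    """Turn 'ip mac [name]' scan lines into (ip, normalized_mac, name) tuples."""
    devices = []
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            name = parts[2] if len(parts) > 2 else ""
            devices.append((parts[0], normalize_mac(parts[1]), name))
    return devices


def reconcile_hardware(scan_text: str, authorized_csv: str) -> dict:
    """Devices seen but not authorized, and authorized devices not seen."""
    authorized = load_authorized_hardware(authorized_csv)
    seen = set()
    unauthorized = []
    for ip, mac, name in parse_scan(scan_text):
        seen.add(mac)
        if mac not in authorized:
            unauthorized.append((ip, mac, name))
    missing = sorted(authorized[mac] for mac in set(authorized) - seen)
    return {"unauthorized": unauthorized, "missing": missing}


def reconcile_software(installed_text: str, allowlist: dict) -> list:
    """(name, version, reason) for packages outside the allowlist."""
    findings = []
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        name, _, version = line.partition(" ")
        approved = allowlist.get(name)
        if approved is None:
            findings.append((name, version, "not on allowlist"))
        elif approved and version not in approved:
            findings.append((name, version, "unapproved version"))
    return findings


if __name__ == "__main__":
    print(reconcile_hardware(SCAN_RESULTS, AUTHORIZED_HARDWARE_CSV))
    print(reconcile_software(INSTALLED_PACKAGES, SOFTWARE_ALLOWLIST))
```

Run against the constructed data it reports the unknown device at 192.168.10.77, notes that db-01 was authorized but not seen (powered off, or on a segment the scan could not reach), and flags teamviewer as absent from the allowlist and openssh-server 6.6 as an unapproved version. The "missing" list is the part active scanning alone never gives you.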

#3 Continuous Vulnerability Management

Every patch release, vendor advisory, and threat bulletin tells attackers exactly where to look, and even systems that were designed to be secure accumulate new vulnerabilities over time. As new vulnerabilities are reported, would-be attackers race to exploit them before organizations patch. Without continuous scanning and a defined remediation window, organizations fall behind in that race, and the gap between public disclosure and active exploitation is often short.

#4 Controlled Use of Administrative Privileges

Attackers commonly rely on administrative privileges to carry out harmful actions within targeted enterprises. While most employees are aware of such efforts, even notoriously vigilant individuals can fall victim to scams. Common examples include opening files from malicious sites, downloading problematic attachments, or merely visiting websites capable of exploiting the browser. If the victim happens to be working as an administrator, the attacker inherits those privileges. One of the easiest to implement, and yet most effective, controls available, this step involves giving administrators a separate, dedicated account for administrative tasks that is never used for email, browsing, or other everyday activity. Additionally, systems should log every use of administrative privilege and alert on unexpected patterns, such as privileged commands from accounts that are not on the approved administrator list.

#5 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 

Accessibility often plays a key role in modern software adoption — sometimes to the detriment of security. Default accounts and open services can leave organizations and their key players vulnerable. Hence, the need for this basic control, which is especially important in an increasingly BYOD (bring your own device) oriented workplace. Rigorous configuration management is essential if organizations are to keep attackers at bay.

#6 Maintenance, Monitoring, and Analysis of Audit Logs

While the cliche 'an ounce of prevention is worth a pound of cure' certainly applies to modern cybersecurity efforts, it's foolish to assume that breaches will never occur. Unfortunately, even organizations with exceptional security protocol sometimes fall victim to cyberattacks. When the worst-case scenario arrives, it's important to be prepared — not only in the interest of responding quickly and effectively, but also because a detailed understanding of one attack could potentially lead to new protocol to prevent future issues.
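Controls #4 and #6 meet in the audit log: the log is only worth keeping if something reads it. Below is an added example, not code from CIS or Alpine Security, that runs three detections over constructed Linux auth.log lines: privileged commands from accounts outside the approved administrator set (assumed here to be just "alice"), failed sudo authentication, and direct root logins over SSH. The log lines are invented but follow the standard sudo and sshd message formats.

```python
"""Three audit-log detections for administrative-privilege misuse.

Added example.  The log lines and the approved-administrator set are
constructed; the regexes follow the standard sudo and OpenSSH log formats.
"""
import re
from collections import Counter

APPROVED_ADMINS = {"alice"}   # assumption: the documented admin accounts

# Constructed auth.log excerpt (syslog timestamp, host, program, message).
SAMPLE_AUTH_LOG = [
    "Dec 30 02:14:01 web-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Dec 30 02:15:33 web-01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Dec 30 02:16:10 web-01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd",
    "Dec 30 02:17:45 web-01 sshd[2211]: Accepted publickey for root from 203.0.113.9 port 51022 ssh2: RSA SHA256:k3yf1ngerpr1nt",
    "Dec 30 02:18:02 web-01 sshd[2230]: Accepted password for carol from 10.0.0.7 port 40211 ssh2",
    "Dec 30 02:19:40 web-01 sshd[2245]: Failed password for invalid user admin from 203.0.113.9 port 51100 ssh2",
]

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
SUDO_RE = re.compile(SYSLOG_PREFIX + r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")
SSHD_RE = re.compile(
    SYSLOG_PREFIX
    + r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    + r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_sudo_fields(rest: str):
    """Split 'KEY=value ; KEY=value' into a dict; a leading non-KEY=value
    segment (e.g. '3 incorrect password attempts') is the failure message."""
    fields, failure = {}, None
    for part in rest.split(" ; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
        else:
            failure = part.strip()
    return fields, failure


def analyse(lines, approved=APPROVED_ADMINS):
    """Return (rule, account, line_number, detail) for every alert."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = SUDO_RE.match(line)
        if m:
            fields, failure = parse_sudo_fields(m["rest"])
            user = m["user"]
            if failure:
                alerts.append(("sudo_failure", user, n, failure))
            if user not in approved:
                alerts.append(("sudo_by_unapproved_account", user, n, fields.get("COMMAND", "")))
            continue
        m = SSHD_RE.match(line)
        if m and m["result"] == "Accepted" and m["user"] == "root":
            alerts.append(("direct_root_ssh_login", "root", n, m["ip"]))
    return alerts


def summarize(alerts) -> Counter:
    """Alert counts per rule, the figure you would put on a daily report."""
    return Counter(rule for rule, _, _, _ in alerts)


if __name__ == "__main__":
    found = analyse(SAMPLE_AUTH_LOG)
    for rule, user, n, detail in found:
        print(f"line {n}: {rule} account={user} {detail}")
    print(summarize(found))
```

On the sample, alice's apt-get run is silent because she is an approved administrator, bob's shell and his failed attempt to run passwd each raise alerts, and the root login from 203.0.113.9 is flagged regardless of whether the key was legitimate, because the control says root should not be logging in directly at all. Adding "bob" to the approved set removes his unapproved-account alerts but keeps the failure alert, which is the point of keeping those two checks separate.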

Foundational and Organizational CIS Controls (click to enlarge)


Foundational and Organizational Controls

The other control categories include foundational controls and organizational controls. These areas can help enterprises shore up their security after they have mastered the basic controls. Without mastery of the basics, however, these additional controls are not likely to serve as a viable security solution. Controls referred to as foundational or organizational include:

Foundational CIS Controls

7. Email and Web Browser Protections

8. Malware Defenses

9. Limitation and Control of Network Ports, Protocols, and Services

10. Data Recovery Capabilities

11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

12. Boundary Defenses

13. Data Protection

14. Controlled Access Based on the Need to Know

15. Wireless Access Control

16. Account Monitoring and Control

Organizational CIS Controls

17. Implement a Security Awareness and Training Program

18. Application Software Security

19. Incident Response and Management

20. Penetration Tests and Red Team Exercises

While there is clear value in all of the controls included on the Top 20 list, not all controls will prove accessible or applicable in all situations. Nearly all organizations, however, can benefit from implementing the controls identified as 'basic' by the CIS. 

Comparing CIS to Other Frameworks

The CIS Top 20 is just one of several security frameworks relied upon by government and private enterprises alike. Others include the frameworks from the National Institute of Standards and Technology (NIST) and the Payment Card Industry (PCI) Security Standards Council. While these hold clear value, they can be difficult for small businesses to adopt. The CIS Top 20 serves as an essential stepping stone for those who may feel intimidated by other frameworks or otherwise incapable of implementing them. CIS controls can also be used alongside other frameworks; some companies even use the CIS controls to prioritize their work under other frameworks.

Mandating Controls

Presently, the CIS Top 20 serves as a standard of care for the state of California, where the Attorney General has partnered with CIS to help local businesses follow the protocol outlined in the state's Data Breach Report.

California Data Privacy and CIS Controls

While CIS became a key California framework in early 2016, recent changes in the state's privacy laws have further underscored the importance of adopting CIS controls. Signed into law in 2018 and expected to go into effect in 2020, the California Consumer Privacy Act now supplements the state's data breach legislation, granting consumers the right to sue if breaches of data occur and businesses do not provide appropriate protection via 'reasonable' procedures. While the state fails to adequately define 'reasonable' in the context of the Consumer Privacy Act, it is clear based on previous efforts with the CIS that implementation of, at minimum, the basic six CSCs is expected.

While California has clearly set the bar high in terms of expected security practices, other state and local government entities are beginning to follow suit with similar legislation. Michigan, in particular, has made great strides in terms of encouraging implementation of prominent security frameworks. The 2018 Performance Audit Report from the Michigan Office of the Auditor General referenced NIST Special Publication 800-53 as the bare minimum regarding security controls.

In Ohio, the CIS controls are highlighted as one of a few available frameworks with which business cybersecurity practices would ideally conform. While the Ohio Attorney General maintains that the state's recent adoption of the Data Protection Act does not serve as a minimum cybersecurity standard, it does create a valuable incentive for the local business community to amp up security efforts.

In some states, CIS controls are not yet mandated — but they are used heavily by government entities. Success at this level may eventually lead to broader mandates for government organizations and private businesses alike. As CIS experts point out, top users of the CSCs include the states of Arizona, Colorado, and Idaho. In addition to making its mark at the state level, the CIS controls are increasingly utilized in major metropolitan areas, including Oklahoma City, San Diego, and Portland, among others. 

Success Stories

The Center for Internet Security offers numerous case studies that demonstrate the ability of various controls to protect against a broad range of security threats. For example, CIS highlights a top banking institution as relying on these controls for gap analysis. The banking institution's Chief Information Security Officer explains, "If we are not quite meeting the intent of a particular CIS Control, we can identify areas to focus on and improve." This valuable baseline has allowed the bank to maintain its status as one of the nation's most secure financial institutions.

While the value of the CIS controls is clear in banking and finance, many retailers have yet to adopt appropriate security measures to protect their customers and suppliers. One outdoor retailer, however, is leading the way by engaging in CIS analysis not just once, but twice every year. While the retailer also uses such familiar frameworks as NIST and PCI, a top security analyst for the company explains that the CIS controls provide, by far, the biggest bang for the buck by assisting in prioritization of other frameworks. "We see the real value is in the CIS controls because they are more user-friendly and are a practical, prioritized framework."

In another case study, CIS reveals that Corden Pharma has adopted the CSCs in hopes of meeting diverse security requirements for the company's range of customers. Manager of IT and Business Systems John Nord explains, "[Corden Pharma] needed a more standardized security program for our company to be able to provide to our customers. The CIS controls fit that need." Nord adds that, while initially daunting, implementation for the CSCs is not nearly as arduous as NIST framework adoption can be.

What Lies Ahead for the CIS Controls?

The CIS Top 20 are constantly evolving as new threats arise — and as new technologies become available for keeping these threats at bay. In early 2018, CIS released Version 7, which, as CIS executive Tony Sager explains, "sets the stage for future improvements in measurement, implementation, and alignment with other security frameworks." 

Although pleased thus far with the rollout of Version 7, companies are already looking ahead to Version 8. With new editions of the CSC released approximately once every three years, Version 8 can most likely be expected in 2021 or 2022. Until then, experts anticipate that states and municipalities will continue to follow California's lead in prioritizing these security measures and working closely with CIS to ensure the adoption of robust cybersecurity controls.

Next Steps for Adopting CIS Controls

Regardless of how the CIS controls evolve in the future, it is important to get a handle on security protocol today. The widely trusted security controls from the CIS can provide a valuable blueprint. Not sure where to start? Alpine Security's Enterprise Security Audit (ESA) service provides valuable insight into your organization's current security protocol. Closely aligned with the CIS Top 20, this comprehensive assessment offers a holistic approach involving effective controls for cyber defense. Reach out today to discover how Alpine Security can assist your organization in adopting and abiding by the Center for Internet Security's Top 20 Controls.

Friday, December 28, 2018

The Greatness of Being Uncomfortable


There is no denying that most people in this world want to avoid feeling uncomfortable as much as possible. The problem with this mindset is that those who fear discomfort and uncertainty are always going to be stuck in the same place. The surest way to fail is to stay where you are for the sake of relative comfort.

Fear of failure ruins our lives

If you think about it, you will come to the conclusion that our biggest fear is not failure itself. What we truly fear is that other people will see us fail. This is a very common problem, and it has no logic behind it. When you fail, you feel like others are going to ridicule you or laugh at you, but no one ever laughs at failure. They may feel bad for you, but they fear failure more than you do; they are completely frozen by it and never even try anything new, because they would rather stay in their comfort zone.

Just imagine how ridiculous it would be for you to give up your goals and dreams because you are afraid of what others will say if you fail. The simple thought of this makes you cringe and it should be more than enough to motivate you to take action.

Good things will never happen to you

People usually expect good things to happen to them in life. They say "I'm a good person, I deserve good things, I know things will change," but the problem is that they are just standing on the road of life, waiting, alongside everyone else who is waiting for good things to come to them. This is a huge problem for many people, because they feel entitled to happiness and success just because they are nice, honest, and decent. Those are not qualities that give you a free pass to success. The sad truth is that no one has ever achieved success in life by thinking this way.

Imagine that you are standing on the road and you see a pot of gold a few miles away, but there are traps and pits all the way through. You are going to be waiting forever if you expect someone else to carry that gold to your location. Anyone that reaches that gold is going to keep it for themselves. They would be willing to share if you also walked towards that gold and took your chances with those traps.

The exact same thing happens with everything we want in life. If we don't start heading in the direction of what we want, there is always going to be someone else willing to take the risk. The point here is that anything you want in life is going to require that you move forward and step out of your comfort zone.

Adding value to your journey

The greatest thing a person can do in life is to add value in their journey to the goals they set for themselves. If your goals include being a competitive and highly valuable asset to any modern business, you will find that cybersecurity training is going to be essential for that purpose. We have classes with official certifications in cybersecurity that will add thousands of dollars of value to your paychecks.

Step out of your comfort zone and invest in your future. Take action and move forward on the road to your dreams. Find out how to enroll in our awesome courses to add massive value to your journey to success!

Wednesday, December 26, 2018

Cyber Extortion: Ransomware vs Extortionware


Cyber crime is not just the plotline of bad TV movies. It's a $600 billion global business that accounts for 0.8% of the world's GDP. Anyone on the internet - and there are 3.2 billion of us - is a potential victim.

While phishing scams and identity theft are old news, the more serious threats to organizations are ransomware and extortionware. In fact at Europol's 2018 Internet Organized Crime Threat Assessment, the European crime prevention agency stated, "In a few short years, ransomware has become a staple attack tool for cybercriminals, rapidly accommodating aspects common to other successful malware such as affiliate programs and as-a-service business models." 

Ransomware's sister threats are cyber blackmail and cyber extortion, related forms of cyber crime. Blackmail doesn't necessarily involve sophisticated technology, but ransomware and cyber extortion typically do. While these attacks share common themes, they also differ in key respects. What's the difference between ransomware and extortionware? And what can you do to prevent your company from becoming a victim of cyber crime?

What is ransomware?

Ransomware - Bad Rabbit Example


Ransomware is malware that encrypts the victim's files, or locks the system outright, until the victim pays the extortioner for the key that restores access. It's an obvious form of cyber crime. While some internet criminals try to stay below the radar, stealing data without you realizing it, ransomware is overt. The attacker tells you in plain language, "We've encrypted your system. The key is in our lockbox. If you want your data or computer to work again, you'll pay us." Usually, the victim has to pay in Bitcoin or through another hard-to-trace method.

It's one of the most common forms of cybercrime and perhaps the most effective. Who wouldn't pay a few hundred dollars to a criminal instead of a few thousand to a break-fix IT service, which might not be able to unlock the system anyway? The trouble is, there's nothing to stop the criminal from coming back again ... and again, and nothing guarantees that the decryption key you pay for actually works. Ransomware can cost a lot more than the initial payment; it also costs time, productivity, and reputation.

Examples of ransomware

The first ransomware appeared in 1989. Hackers mailed floppy disks (remember those?) to unsuspecting victims who inadvertently installed the malware on their computers. To get the key, the victim had to mail either $189 or $378 to Panama. Today's cyber criminals operate a similar racket but with greater technical prowess. The WannaCry ransomware attack in 2017, which was linked to the North Korean government, infected about 200,000 computers in 150 countries. 

Bad Rabbit was a ransomware that affected European and Russian users. Unlike WannaCry, which spread indiscriminately as a self-propagating worm, Bad Rabbit was delivered through fake software updates served from compromised websites; its victims included the Odessa airport and Kiev's mass transit system.

Another form of ransomware, often called "police-themed" ransomware, locks the screen rather than encrypting files. In this, the criminals claim to be the police shutting down your computer due to its use in a terrorist act or a child pornography ring. By paying a few hundred dollars in "fines," the "police" claim, you can unlock your computer. Of course, the whole thing is bogus, and you're the victim of ransomware.


“FBI” Extortionware Example (click to enlarge)


What is cyber extortion?

Extortion is simply demanding a good, service, or payment under threat of violence or destruction of property. Some cyber criminals get ahead of the competition by demanding money before they hurt you. Much like the mobsters of yore who wanted payment for "security services," these cyber extortionists basically tell you to pay them or they will take your systems down. According to Insureon, "Cyber extortionists may threaten to harm you, your reputation, or your property if you do not comply with their demands. Cyber extortion can take many forms." For instance, an attacker may threaten a distributed denial-of-service attack, using a botnet to overwhelm your site with more requests than it can handle until it is effectively offline.

What is cyber blackmail?

Blackmailers employ the psychology of fear and shame to motivate victims. In these cases, the cyber criminal will claim that he's been inside your computer, snapped screenshots of embarrassing photos or searches, and recorded sketchy video using your camera. He will threaten to send the screenshots and pics to everyone in your address book or post them on social media unless you pay up. It's basically cyber blackmail.

"Cyber-blackmail is the act of threatening to share information about a person to the public, their friends or family, unless a demand is met or money is paid," according to the BBC. It is a particularly insidious kind of crime. In fact, some hackers are even targeting children.

Cyber blackmail doesn't only affect individuals, but it also harms companies. Hackers claim they have stolen sensitive data from a company's storage and threaten to expose it unless paid off. Many times, the hacker has no evidence at all and is simply bluffing. The really dangerous part is that emails from hackers often reveal they have secured your password, and while that may be all they have, it's often enough to do some serious damage.

Cyber Extortion Example (click to enlarge)


Am I a victim of ransomware, extortionware, or cyber blackmail?

Because these are forthright kinds of crime, you'll likely know if you're a victim. The attackers will tell you when they demand the ransom, threaten you for money, or want a blackmail payoff. One handy way to assess the credibility of an extortion or blackmail threat is HaveIBeenPwned. The site lists the breaches your email address has appeared in, so you can determine whether the password quoted in the threatening email is simply one you used on a site that was breached years ago, which is where most "I have your password" emails get it, or whether the attacker has really compromised your systems.
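The HaveIBeenPwned check recommended above has a programmatic counterpart, the Pwned Passwords range API, which lets you test the exact password quoted in an extortion email without sending that password, or even its full hash, anywhere: you send the first five hex characters of its SHA-1, the server returns every known hash suffix with that prefix, and you match locally. This is an added example, not HaveIBeenPwned's or Alpine Security's code. The response body embedded below is constructed to look like the real range/5BAA6 answer; only the first line's hash suffix (the SHA-1 suffix of the word "password") is real, and the counts and second line are invented.

```python
"""k-anonymity lookup against the Pwned Passwords range API.

Added example.  Only a 5-character hash prefix ever leaves the machine.  The
embedded response is constructed so the demo runs offline; fetch_range_live()
shows the real request but is not called by default.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body of GET .../range/5BAA6.  The first suffix
# is the real SHA-1 suffix of "password"; the count and second line are invented.
CONSTRUCTED_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0000C1C7C5B2E4E5D2A9F1A3B4C5D6E7F8A:2\r\n"
)


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in known breach dumps (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real HTTP fetch of one hash range; needs network access."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Constructed fetcher so the example runs without network access."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    quoted = "password"   # the password an extortion email claims to know
    n = pwned_count(quoted, fetch_range_offline)
    print(f"{quoted!r} seen {n} times in breach corpora" if n
          else f"{quoted!r} not in any known breach")
```

A non-zero count means the password has circulated in public breach data, which is exactly what a bluffing extortionist would have bought; a zero count does not prove compromise, but it does mean the quoted password did not come from a public dump and the claim deserves a closer look. Whatever the result, the quoted password should be changed everywhere it was used.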

In no case should you pay off a cybercriminal, even if you think they have something on you. A qualified managed services provider or IT professional can help you prepare for ransomware, and with tested offline backups (or, for some ransomware families, a publicly released decryption tool) you can recover without paying. Cyber blackmailers almost never have the goods on you they say they have, and extortionists are probably no match for your IT managed service provider or cybersecurity squad. Report cybercriminals to the police. Your company doesn't need to be a victim.

How penetration testing and training can prevent cyber crime

At Alpine Security, our penetration testing services and training can help prevent both ransomware and extortionware. We can also help you know what to do if a hacker uses ransomware to lock down your system. Penetration testing can help identify gaps in systems and networks, and our user awareness training, including our phishing services, can identify gaps in user training. To learn more about protecting your organization from ransomware and cyber extortion, contact us today. 

Saturday, December 22, 2018

The Ultimate Guide to Cyber Threat Maps


A cyber threat map, also known as a cyber attack map, is a real-time map of the computer security attacks that are going on at any given time. One of the most famous was released by the company Norse and went so viral, even among non-hackers, that it got its own story in Newsweek in 2015.    

The map itself looks like a global game of laser tag. Beams of light, represented by different colors, shoot across a darkened screen showing where an attack comes from and where it is going. When it first caught the public eye, captivated audiences watched hackers wage cyber-war across hundreds and thousands of miles. 

How Does A Cyber Threat Map Work?

If cyber attacks are sneaky mice – or, more appropriately, giant rats – then cyber attack maps work like the mousetrap. 

Norse, for example, maintained a global threat intelligence network of more than 8 million sensors and “honeypots” in 47 countries across the world. These tools impersonated thousands of applications and devices that are common targets of hackers. 

When an attacker hit a Norse sensor, they believed they had breached a real system. Instead, Norse collected information about the attacker's toolkit, including the source IP address. This information then appeared as data on the cyber attack map.

This model has continued past the demise of Norse to power live maps like Kaspersky's Cyberthreat, Check Point's ThreatCloud, and Fortinet's threat map. Some companies claim that these show cyber attacks in real time, but most are more like selections of recent attacks.
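To make the sensor model concrete, here is an added example of a minimal honeypot-style listener and the aggregation step behind a map: it answers on a few ports with fake service banners, records who connected and what they sent, and counts events per source and per target service. It is not Norse's or any vendor's code; the ports (unprivileged stand-ins for 22, 23, and 80), the banners, and the sample events in the usage note are assumptions. Geolocation, which is what turns these records into arcs on a map, needs a GeoIP database and is not shown.

```python
"""Minimal sensor of the kind a threat map is fed from.

Added example.  Ports and banners are assumptions; the listener only runs
when the file is executed directly, so the data-shaping functions can be used
on their own.
"""
import asyncio
import json
import time
from collections import Counter

# Unprivileged stand-ins for 22/23/80 so the sensor runs without root.
SERVICES = {
    2222: ("ssh", b"SSH-2.0-OpenSSH_7.4\r\n"),
    2323: ("telnet", b"login: "),
    8080: ("http", b""),          # HTTP clients speak first, so no banner
}


def make_event(src_ip, src_port, dst_port, first_bytes, ts=None):
    """Shape one connection into the record a map aggregates."""
    service, _ = SERVICES.get(dst_port, ("unknown", b""))
    return {
        "ts": ts if ts is not None else time.time(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "service": service,
        "probe_hex": first_bytes[:32].hex(),   # first bytes identify the tool
    }


def aggregate(events):
    """What a map actually plots: counts per source, per service, per pair."""
    return {
        "by_source": Counter(e["src_ip"] for e in events),
        "by_service": Counter(e["service"] for e in events),
        "by_pair": Counter((e["src_ip"], e["service"]) for e in events),
    }


def handler_for(dst_port, sink):
    """Build an asyncio connection handler that emits one event per connection."""
    async def handle(reader, writer):
        src_ip, src_port = writer.get_extra_info("peername")[:2]
        _, banner = SERVICES[dst_port]
        if banner:
            writer.write(banner)
            await writer.drain()
        try:
            data = await asyncio.wait_for(reader.read(256), timeout=5.0)
        except asyncio.TimeoutError:
            data = b""
        sink(make_event(src_ip, src_port, dst_port, data))
        writer.close()
    return handle


async def serve(ports, sink):
    """Listen on every port in SERVICES and hand each connection to the sink."""
    servers = [await asyncio.start_server(handler_for(p, sink), "0.0.0.0", p)
               for p in ports]
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    # Each connection becomes one JSON line; feed these to aggregate() later.
    asyncio.run(serve(SERVICES, lambda ev: print(json.dumps(ev))))
```

Three constructed events, two from 203.0.113.9 against ssh and telnet and one from 198.51.100.4 against ssh, aggregate to two ssh hits and 203.0.113.9 as the top source, which is the ranking a map uses to decide which arcs to draw. Note what the sensor does not know: it sees the source IP, which may be a proxy or another victim, not the attacker's location, which is one reason the arcs on public maps should be read as illustrative rather than as attribution.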

What Are They Good For?

First of all, anyone can look at a cyber threat map and understand something about current attacks. For laypeople, it might just be an understanding of how prevalent these attacks are. 

For pros, a cyber threat map can provide data that can lead to the discovery of a potential new attack. Even though these maps don't really show cyber attacks in real-time, they give you information, and a cybersecurity pro can never have too much of that.

The Best of the Best in Cyber Threat Maps

Not all cyber threat maps are created equal. Some are great eye candy for pen test companies, but others do offer good functionality. A few even let you manipulate the map to focus on its most useful information.

#1 Cyberthreat by Kaspersky Lab

Kaspersky's cyber threat map may be the best in the business in terms of interactivity and visual appeal. It's also mobile optimized so you can show it to clients or colleagues from anywhere. And if you want particular data, the site offers you the option to find it.

Narrowing It Down

Kaspersky's Cyberthreat also offers useful statistics about current cyber attacks.  Through its website, you can learn about:

  • Vulnerabilities identified 

  • Most widespread threats 

  • Botnet activity trends 

  • Prevalence of infected mail and spam

You can find this data for a specific country or look at it on a worldwide level. 

The Widget

Kaspersky Lab has figured out that cybersecurity professionals often use threat maps to visually represent their work to clients.  To make it easier, they have created a Cyberthreat map widget, which you can embed in your website, as shown below, so that clients can see a representation of the latest threats.

Fortinet Threat Map (click to enlarge)


#2 Fortinet by FortiGuard

This one isn't quite as customizable as Cyberthreat, but it's informative enough to warrant runner-up honors. The main map color codes its attacks by severity to make it easier to focus on the most critical situations, coded in red. The details of these attacks scroll quickly along the bottom of the map, where the viewer can identify the threat type and location.

Fortiguard clients have a bit more freedom in terms of map design. By placing a tool known as the ThreatGate, users can monitor the threats approaching a particular location.

Check Point Threatcloud (click to enlarge)


The Best of the Rest

In addition to Fortinet and Cyberthreat, there are a few other cyber attack maps that repeatedly appear on “Best of” lists. They are:

Each of these maps presents its data in a slightly different format and with a slightly different emphasis. Take a look, try them out, and find out which one will work best for you.


The Take-Away 

If you find these maps intriguing, know that they're not enough to make you an expert. You'll need to learn more about cybersecurity and take some training, like the penetration testing courses available through Alpine Security. There are courses available for all levels of pen testers; check them out today.

Friday, December 21, 2018

Hacking Microdrones for Lethal Gain


An assassin's most powerful new weapon could be resting on the shelf at your neighborhood Best Buy. 

Warfare is no longer about dumping thousands of men in a field and shooting at each other. Today, non-governmental forces are packing explosives onto commercially available drones and flying them over crowded areas. This past August, a dissident organization called Soldiers in T-Shirts attempted to assassinate Venezuelan President Nicolás Maduro using a drone. While this attempt was unsuccessful, it marked the first time -- but almost certainly not the last -- that a paramilitary organization tried to assassinate a sitting head of state with a drone.

As early as 2012, Business Insider was sounding an alarm about hacking microdrones for lethal gain. The magazine posited the question: What if mosquito-sized drones could deliver deadly viruses to targeted humans? 

It sounds like bioengineered, virological science fiction with a macabre twist. But as President Maduro can attest, we're not far from it becoming a reality. Swarms of microdrones armed with viruses, poisons, or other technological weaponry could pose a serious threat to national security and human life in conflict zones. In January 2018, Forbes magazine interviewed Randall Nichols, a professor of unmanned systems and cybersecurity at Kansas State University. "It is clear to me that increased global investments and research in advanced UAS cyber-related technologies are yielding clever, advanced offensive cyberweapons as payloads," Nichols said. "Combine this with investments and growth in automation capabilities and add ability/threat to use swarming and team efforts with multiple drones against U.S. targets, we have a potential Black Swan event."

The key to global power may rest on a fleet of technological objects the size of an insect but with extraordinary power for good or evil, depending upon whose hands it rests in.

Hacking microdrones

What is a microdrone?

Microdrones have no official specifications, but Wikipedia does a good job defining them. "A micro air vehicle (MAV), or micro aerial vehicle, is a class of miniature UAVs that has a size restriction and may be autonomous. Modern craft can be as small as 5 centimeters." That's smaller than a golf tee or about 3.5 times as long as an aspirin. Basically, these devices are just like the Tracker Jackers your kids read about in The Hunger Games. Only real.

Like the deadly jackers of fiction, microdrones actually emerged from the study of insects. Scientists at Stanford University and at the École Polytechnique Fédérale de Lausanne received funding from the Swiss government to make an electronic, human-controlled robotic wasp. Called the FlyCroTug, this microdrone was built to carry proportionally large and heavy items across long distances the way wasps carry home too-large prey in the wild. According to its write-up in Popular Mechanics, the FlyCroTug possesses three carrying features -- winches, gecko grippers, and microspines -- the same ones a wasp uses. These features give the FlyCroTug the ability to do more than fly around and observe. They also allow the microdrone to walk, climb, grasp, and build.

How can microdrones be weaponized?

In 2008, the Air Force Research Laboratory began fashioning the world's first micro-sized killer robot. Larger drones may sometimes misidentify targets, cannot respond to a last-minute maneuver by a target, and can injure or kill nearby civilians, so the Air Force decided to create something more focused. It came up with a wasp-sized microdrone that weighed less than one pound and could be controlled at a distance of up to three miles. It only took $1.75 million of American taxpayers' dollars to create. Chinese military technologists are working on similar technology.

Microdrones can carry far more weight than they appear able to: about 40 times as much. Plus, they can work together in swarms, which means a few dozen of them can carry the same virus, poison, or explosive to the same population, exponentially increasing the viability of their threat. Not only that, but they can also work together to accomplish tasks such as opening doors.

Perhaps most disturbing is the concept of hacking microdrones for lethal gain. In this scenario, a terrorist, rogue state actor, or wired-up teen techno-whiz in his mom's basement would not need to build his or her own insect-sized weapons. They could just turn ours against us. By hijacking our drones, outside forces gain control over powerful weaponry. As James O'Malley put it in his article in Engineering and Technology, "There are now thousands of devices out in the wild running insecure firmware. But instead of being used to attack cyberspace, they can be let loose on the physical world."

A microdrone's ability to target terrorist leaders and others who pose a threat to geopolitical security may prove worth the investment. The scary part, of course, is what happens when the other side can create the same technology -- and use it without concern for ethics or the safety of the larger population. 

Is the microdrone threat legit or make believe? 

Are deadly microdrones really something to fear or are they science fiction from the minds of popular techno-whizzes who've read too many Margaret Atwood novels? 

That depends on what you're talking about when you say "microdrone threat." If you are asking about swarms of self-controlled robots that make their own ethical decisions about who lives and dies in a dystopian society, then we're probably a long, long way from that. On the other hand, a microdrone in the hands of a non-state actor like Osama bin Laden or a powerful and unpredictable rogue state like North Korea could wage acts of terror and destabilization on society.

Of course, microdrones carry enormous power for good, too. They could provide significant first-response aid to people experiencing natural catastrophes, potentially saving lives and property due to their ability to mobilize, move fast, and go into tiny spaces where human personnel cannot. On the other hand, credible scientists, academics, and public policy makers also express concern about what microdrones can do and the magnitude at which they can do it.

Both Elon Musk and the late Stephen Hawking called for a ban on developing autonomous weapons, and they specifically mentioned "armed quadcopters." The Future of Life Institute, a Musk-backed think tank, published UC Berkeley professor Stuart Russell's movie Slaughterbots, which showed the power an army of micro-sized robots could have against humans. The movie was shown at the United Nations Convention on Conventional Weapons in Geneva in 2017, too.

According to a March 2018 article from the National Academies of Sciences, Engineering, and Medicine, "The emergence of inexpensive small unmanned aircraft systems (sUASs) that operate without a human pilot, commonly known as drones, has led to adversarial groups threatening deployed U.S. forces, especially infantry units. Although the U.S. Army and the U.S. Department of Defense (DOD) are developing tactics and systems to counter single sUASs, a new report by the National Academies of Sciences, Engineering, and Medicine emphasizes the need for developing countermeasures against multiple sUASs -- organized in coordinated groups, swarms, and collaborative groups -- which could be used much sooner than the Army anticipates."

Clearly, serious people take the microdrone threat as a genuine concern.

What is the magnitude of a lethal microdrone's potential damage?

In 2015, Israel was already selling a seven-pound drone that could carry a one-pound warhead. Tinier microdrones of the future could feasibly carry equally powerful explosives.

Much more threatening, perhaps, than bombs -- which amount to little more than ultra-sophisticated TNT, after all -- are diseases. Could a swarm of microdrones infect a city with dengue fever, which might not prove fatal but could certainly cause chaos and damage, or even something worse such as plague? Entire cities could potentially be at risk.

By combining the delivery power of a drone with the specificity of a virus, bad actors could expose select targets to a disease specifically designed to attack their genetic makeup. For instance, if a terrorist wanted to kill the U.S. president, he would need only the president's DNA map, a trained virologist, a microdrone, and a copy of the president's schedule to do it.

The stuff of futuristic political thriller shows on Netflix? Maybe. Or quite possibly a reality that nation-states will increasingly need to guard against. 

How much does a microdrone cost to buy or make?

Small drones are typically cheaper than their older and larger counterparts. NewEgg sells a Micro Drone 3.0 kit (the quadcopter, gimbal, transmitter, and Google Cardboard VR headset) for $215. The replacement batteries cost $16, and the device is tough enough for a child to use. Many small drones go for between $20 and $150 on Amazon. Typically, these drones sell to kids and to beginning enthusiasts who want to fly them for fun around the neighborhood, not generally to notorious terrorists who want to assassinate Western politicians. Still, it was a very ordinary drone that Soldiers in T-Shirts used in its assassination attempt on Venezuelan President Maduro.

And if you're a real DIY-er, you can even build your own microdrone if you want. YouTube and Google offer step-by-step tutorials for crafting a low-cost, fun-to-fly microdrone. For many hobbyists, building your own drone at home is a great way to save money. For terrorists, it's not yet a viable way to construct high-tech weaponry, but it soon could be. Remember that the 9/11 terrorists hijacked entire airliners with nothing more than boxcutters. Advanced technical skills are not required to build weapons of mass destruction.

In short, you can't buy a wasp-sized robot killer at Target or Best Buy. But could you buy what you need to make it happen? 

Can you weaponize a microdrone yourself?

Since microdrones are easy to come by, are they equally easy to weaponize? Is there a DIY way to make a killer robot at your kitchen table? How vulnerable are these devices to hacking? Can a teenage computer enthusiast take over one with his controller and direct it where he wants, hijacking it for his own use?

People have used drones for all kinds of nefarious purposes, from prison breaks to drug smuggling. Basically, you can weaponize anything. In 2013, Adam Piore described his drone weaponization journey in a humorous article for Popular Mechanics. "In this Wild West age of unregulated personal flight, even a rank amateur like myself can transform a toy into a hazard, an action that should be—and probably soon will be—illegal."

It is neither expensive nor complicated to build, weaponize, or hijack a microdrone. That isn't to say you can sit in your garage and craft a military-grade weapon with supplies from Target and a YouTube tutorial. You could, however, build a device that would do a lot of damage. And after all, does a terrorist need a military-grade weapon to assassinate a single target? Or to deliver a deadly, contagious virus to a few folks in a massive city?

While no one wants to sound alarmist at the threat microdrones may pose, the fact is that drone technology opens up the possibility of new kinds of warfare, terror, crime, and security. By blending cyber technology with physical activity, drones are a logical next step both for those who want to threaten others and those who want to protect them.

As part of our commitment to cybersecurity, Alpine Security offers extensive penetration testing services for companies and government agencies based on our deep experience testing medical devices, blockchain, aircraft, embedded systems, and complex systems. Our highly trained, certified, vetted, and experienced team uses a proven process and effective penetration testing methodology to provide clients with actionable, easy-to-understand reports. Contact us to learn more about how Alpine Security can help you protect the data, systems, and people you care about -- from data leaks to armed killer robots.

Friday, December 14, 2018

Hacking Humans with Nanotechnology

Biomedical hacking with nanotechnology

Hacking humans with nanotechnology may sound like a concept from a futuristic science fiction novel or movie, but the truth is, it's not that far off and it could be the next big cyberthreat. If you thought data breaches involving your social security number or credit card information were scary, imagine the ramifications of nanotechnology hacking.

What is Nanotechnology & Hacking Humans with Nanotechnology?

Technically speaking, nanotechnology is any technological endeavor that deals with anything with a dimension of less than 100 nanometers. That is very small. For comparison, there are 25,400,000 nanometers in just one inch. Much of this scientific and technological field focuses on working with atoms. While the concept was first brought to light in the late 1950s, it wasn't until the late 1980s that technology advanced enough to actually allow scientists to work in such a small field.

Nanotechnology has several applications. Food, technology, fuels, batteries, environmental causes, chemical sensors and even sporting goods have already benefited from nanotechnology, and will benefit even more in the future. However, the medical field is one of the most exciting for nanotechnology at the moment, though most developments are still in the experimental phase. With these developments comes the ever-present technological risk of hacking.

How is Nanotechnology Used in Humans?

In the future, nanotechnology will be used for incredible purposes. One possibility still being researched is building new muscle with carbon nanotubes. Scientists at IBM are also working on using nanotechnology to analyze DNA in just minutes (instead of weeks) to treat cancer patients with a customized treatment plan. Other medical technology experts are exploring using nanotechnology to send treatments like chemotherapy or vaccines to target specific types of cells in the body. Experimental nanosponges are being tested to absorb toxins in the body, and there are several different nanotechnology projects in experimental phases that seek to hyper target treatment to cancer cells. It is also being explored as an early diagnostic tool to detect cancers and infectious diseases long before our current technology is able. Some nanotechnology ideas include a tiny device that gets injected into the body as a sensor or medical delivery device. This all sounds positive, but there is a downside too.

Is Medical Technology Secure?

Now that we are entering a new era of medical nanotechnology, scientists need to make sure treatments are not only effective, but secure. Many experimental treatments are, after all, electronic medical devices, just on a smaller scale. These tiny devices are typically controlled by a program on a traditional electronic device like a computer, smartphone or server, meaning they could be very hackable. Some digital security experts posit that not only could a single nanoparticle in the body with its own processor be hacked, but if someone had more than one particle in the body, which many treatments would require, a hacker could theoretically turn them into a network in the body, using the body's own systems to communicate and do their bidding.

It might sound like nanotechnology hacking will happen far into the future, but some experts believe some experimental nanotechnology medical treatments will be in use in just two years. Additionally, medical technology already in use today has already been proven hackable. Johnson & Johnson advised users of one of its insulin pumps to not use the remote control feature of the device, and to make sure to set a maximum insulin dose in case of hacking. Recently, the FDA recalled 500,000 pacemakers due to the risk of hacking. In 2015, researchers were able to hack into and deactivate a pacemaker set up on a mannequin, proving these are much more than fears: they are an inevitable reality. 

One of the most obvious and dangerous applications for biomedical hacking is ransomware. Nowadays, if your computer gets infected with a ransomware virus, you may have to pay a fee via Bitcoin to get access back to your data. However, when it comes to biomedical hacking, the applications could be much more deadly. If a hacker took over your inner nanotechnology devices, they could demand a ransom with fatal consequences. If you're unable or unwilling to pay, they could easily turn your body against you and at the very least make you suffer or get sick, if not kill you. This type of attack is already having an effect on our medical systems. Recently, the famous Hollywood Presbyterian Medical Center was forced to pay around $17,000 in Bitcoin to regain access to all the data and systems in the hospital after a ransomware attack.

It may also be possible for unsavory characters to use nanotechnology itself against their enemies, not only in hacking attacks. One of the most exciting applications of nanotechnology is inhalable particulate powders developed to directly treat the lungs. These particles can work together to form an artificial cell to do a certain job. Some worry this technology could be an easily weaponized delivery method for bioterrorism efforts, beyond the hacking dangers. Getting infected with something could be as simple as breathing the air, taking a shower or getting a regular vaccination from your doctor. 

What Can Be Done to Mitigate Risk in Nanotechnology?

While malicious hacking of nanotechnology may be cause for security concerns, the technology itself is already being used to fight bioterrorism. Magnetic nanoparticles can be used to detect and even remove harmful bacterial contamination on food, and the same technology can be used to detect bioterrorist attacks using diseases like anthrax.

However, the most powerful thing that needs to happen to lessen the risk of hacking with nanotechnology is legislation to regulate the types and strength of security required on nano medical devices, and even the function of devices that will be allowed. Much of the risk at the moment comes from the excitement and rush to get the most advanced technology to the table first, meaning thoughts of security may get left behind. 

Medical device manufacturers who wish to ensure that their devices are not likely to get hacked should do proper penetration testing. This type of testing exposes and evaluates the risk of hacking, increasing the safety of medical devices and the programs or applications that accompany them. It may be uncomfortable to expose the vulnerabilities in your medical products, but that is the first step towards fixing any vulnerabilities.

What Do We Call This?

There are several terms that you might think have to do with hacking medical and nanotechnology, but the truth is, we don't yet have a term for this specific set of actions and topics. Perhaps one will develop in the future as they become more prevalent in everyday medical use. For now we can use the terms nano-medical technology, nano-medical hacking and others that truly describe what it is until something else comes along.

Biohacking: The term biohacking sounds like the perfect term to describe hacking medical technology, but it actually refers to "do-it-yourself biology." This is a self-improvement technique that uses diet, exercise and mental techniques to "hack" the body to improve mood, health and overall life satisfaction.

Neobiology: This term does get closer to the matter, but neobiology generally refers to any new advance in biological technology. Nanotechnology and medical device hacking would certainly fall under this umbrella, but the umbrella is very large. Other things like indoor farming, "designer" babies, and other modern biology topics would also apply. It has been used to refer to biological hacking, but mainly refers to anything modern and technological that also has to do with biology.

Internet of Things: Medical devices, including ones using nanotechnology, certainly fall under the Internet of Things. This means any device, medical or not, that is connected to the internet. It could be your coffee maker that you can set using a remote app, or your digital assistant. However, the Internet of Things is also a broad term that, while it encompasses the medical technology we discuss here, doesn't specifically define it.

WannaCry crippled many healthcare providers.

How Real is the Risk?

While technologists have successfully revealed that several different medical devices currently on the market can be hacked, has there been a true case of medical device hacking? The answer at this point is not clear, but there have certainly been crippling hacks of medical centers, like the aforementioned Hollywood Presbyterian Medical Center attack. Additionally, 2017's extremely widespread WannaCry ransomware attack severely affected the UK's National Health Service, affecting its ability to provide care and costing it a lot of money. It also allegedly affected some medical devices. However, it also affected networks and devices in all industries, including transportation, telecommunication and manufacturing, on 200,000 machines in over 150 countries.

At this point, the risk seems to be mostly theoretical, though it is just a matter of time before black hat hackers pick up on what white hat hackers have been researching and trying to prevent. The other danger is that in one study, doctors seemed to implicitly trust medical technology and were not able to recognize when a device had been hacked in a test. Hospitals are also known for not updating their products unless they do not work or have been officially recalled. One cyber security expert was appalled to find his own daughter had been hooked up to a device he knew was not secure, and which had been recommended to be put out of use, while he went home to get her some pajamas. Some of these medical devices are even too old to fix with a patch to update any security flaws in the software.

Some experts believe it is only a matter of time before something fatal happens involving the hacking of a medical device, and that only then will medical providers and legislators take this issue seriously.

How to Get Medical Devices Properly Tested

As mentioned before, penetration testing is one of the best ways to find vulnerabilities in medical devices and ensure that your products are as secure as possible. Alpine Security offers a full range of penetration testing, including in the medical field. Alpine guarantees the results of the test, and the team is highly experienced and certified. With remote and in-person testing options, it's easy to get your products tested to ensure you offer the best in security to clients and users. As nanotechnology becomes more prevalent, penetration testing in the medical field will become even more important due to the aforementioned risks associated with its powerful applications.

Certified CISO Training: What's In It For You?

Certified CISO Training

It happens across industries, from refrigerator repair to software sales. You get good enough at your job, you get promoted to management and then become an executive. The field of information security is no exception.

Maybe you've found yourself on this track. You've realized an aptitude for cybersecurity, maybe become a penetration tester, and are always advancing your knowledge of systems and their evolution. One day, someone asks you if you'd consider becoming a CISO – a Chief Information Security Officer.

What Does a Certified CISO Do?

As you might assume from the title, a chief information security officer protects a company's data and that of its customers. Taking on this role means that you assume responsibility for identifying any security threats in your company's system. You develop strategies for mitigating those threats and work with the company's IT team to implement solutions.

A company that hires you as a CISO will expect you to be proactive about keeping its systems and data secure and understand risk in relation to business. You may need to conduct system audits and you'll definitely need to be up to date with the latest developments in the field.

A CISO role is really about understanding how cybersecurity ties into business goals and risk. It is not a technician role. Understanding business and how to communicate with C-level executives, and also with IT and cybersecurity managers, is critical.

How's the Pay?

A certified CISO is a well-compensated professional. Payscale estimates the current average salary for the role at $155,737. By the time you reach the later years of your career, the average has risen to $168,360.

Very high-performing professionals in the field can earn more than double that. In 2016, a survey from cybersecurity staffing firm SilverBull placed the top of the average salary range at $421,000 for professionals in San Francisco. Meanwhile, similarly qualified professionals in New York City were earning $406,000.

Information security leadership is also a rewarding career from a non-monetary perspective. According to Payscale, which has gathered a 5 out of 5 job satisfaction rating from CISO respondents, the role makes a professional feel productive, valued, and essential to client success.

The Qualifications

If you're a CISO, you almost certainly have at least a bachelor's degree in computer science, IT, or a similar field. Some companies also require a master's degree, and most demand that you have worked in IT security for at least seven if not 10 years.

These kinds of requirements are in place because a company needs to know that you have an extensive knowledge of systems and programming. What is also required, and what companies tend to have a harder time verifying, is an in-depth familiarity with the business aspects of the tech world. You'll need to know how information security and risk affect a company on the administrative and financial levels, not just on the technical side.

Leadership Skills Matter

To succeed as a cybersecurity executive, you need to have the same soft skills that drive success for any business leader. You need to be able to:

  1. Develop standard procedures and company-wide policies

  2. Understand applicable regulations and ensure compliance 

  3. Source and implement appropriate training 

  4. Create action plans for breach contingencies 

  5. Communicate your strategies to superiors and team members

You know that you have the capacity to do all of these things, but if you've only ever been in technical roles, you may not know how to prove it to an employer. Or you may have accepted a promotion to CISO without formally developing these skills, leaving yourself in a bit over your head.

Enter the EC-Council CCISO credential.

Best CCISO Training

CISO Certification - Do You have What It Takes?

CISO Certification is conferred by the EC-Council. It indicates that you have successfully completed its chief information security officer exam, which experts in the field developed to cover all essential skills of the CISO position.

What's On the Test

To create the CCISO test and certification, an advisory board of information security experts considered all of the content knowledge that an information security executive requires. They then created the exam based on the skills that they believed were most necessary to assess in an up-and-coming cybersecurity executive.

The exam covers five content areas: 

  1. Corporate governance

  2. Information security auditing and controls

  3. Projects and operations management 

  4. Core competencies of information security

  5. Finance and strategy development

It's important to note that this set of domains focuses on business leadership and the application of technical knowledge, not on technical expertise. The test assumes that you have the systems understanding that got you this far. It wants to know if you can apply that understanding to lead an IT security team.

The Prerequisites

To sit the CCISO, you need to be at least 18 years old and have five years of experience in three of the five tested domains. Because so many candidates come to the CCISO exam from information security management, this experience is part and parcel of what they already do.

For those who haven't yet reached this level, CCISO training can lead to an Information Security Manager credential, which serves as a stepping stone to CCISO certification. 

Training For the Test (And the Job)

The CCISO is a demanding test. Even if you have the required five years of experience in three domains, you might not have encountered some of the content that the exam wants you to know. This happens to a lot of CISO hopefuls, whose prior management roles have been more tech-focused than business-focused. 

Alpine Security's Certified CISO training program can help you bridge that gap. 

CCISO Quick Facts.

Certified CISO Training at Alpine Security - Why Us?

Alpine Security welcomes both live online and in-person students to its hybrid classrooms, so you can train effectively no matter where you are. All trainers are passionate, dynamic, and engaging certified CCISO trainers. Alpine's trainers are also CISOs. Alpine Security is an EC-Council Accredited Training Center, so all prep materials are official materials.

Over the course of a 40-hour intensive week-long course, you develop the skills that give you an edge over other CISO hopefuls. Building on the advanced technical knowledge that has gotten you to where you are today, you acquire the executive management skills that you need to take the next step.

In addition to all of this, your enrollment in Alpine Security's Certified CISO course gets you a pass guarantee for the 2.5-hour, 150-question multiple choice exam.

Don't let your career advancement wait any longer. Get in touch with Alpine Security today and learn more.

Alpine Security Extends Holiday Savings on Cybersecurity Certification Training

Alpine Security's 2018 Holiday Sale on Cybersecurity Certification Training

Alpine Security is excited to announce the extension of its annual holiday sale, which provides those preparing for cybersecurity exams the opportunity to gain the skills and knowledge they need at a significantly discounted rate. These steep discounts will remain available until December 31st, 2018.

The extended holiday sale provides a 30% discount for all courses included on Alpine Security's public schedule. While this particular discount must be applied by the end of the year, the courses themselves extend until June 2019. As soon as aspiring students decide which courses they wish to take, they can easily apply the holiday discount with the coupon code HOLIDAY30 as they complete the online store's easy-to-navigate checkout process.

Alpine Security's course fees are all-inclusive — exam vouchers and fees are automatically included in the cost of each course. Those who prefer not to pay exam fees upfront can opt-out, and, instead, take courses at a further discounted rate. All cybersecurity courses come with Exam Pass Guarantees — students who do not pass exams on the first try are allowed to resit courses free of charge. Additionally, students who don't feel fully prepared are allowed to resit courses before taking exams.

All of Alpine Security's courses are taught both live online and in-person by industry authorities boasting considerable certificates and real-world experience in penetration testing, incident response, auditing, and forensic analysis. Courses are offered both during the day and in the evening.

Cecilie Kreiner, Alpine Security's Training Manager, hopes this year's significant holiday discount will allow those seeking cybersecurity training to give themselves the gift of a quality education.

"We are excited to offer this holiday sale. We hope current discounts, along with our Exam Pass Guarantee, will convince students to get the training they need. We're thrilled to do our part building a new generation of cybersecurity professionals while making our industry more accessible." - Cecilie Kreiner, Training Manager, Alpine Security

Additional information about Alpine Security's course offerings and Exam Pass Guarantee can be found by visiting the company's website.

ABOUT ALPINE SECURITY

A highly regarded Service-Disabled Veteran-Owned Small Business (SDVOSB), Alpine Security offers a variety of cybersecurity certification courses. The company also provides in-demand cybersecurity services such as penetration testing, risk assessments, incident response, audits, and digital forensics. Based in the St. Louis area and accredited by CompTIA and EC-Council, Alpine Security provides easy accessibility to the cybersecurity skills and services needed both locally and worldwide.

Thursday, December 13, 2018

How Secure are Medical Devices?

Hacking Pacemakers can Kill People

This blog features an interview of Alpine Security’s CEO, Christian Espinosa, on medical device security by Caroline Cornell, originally posted at classaction.com.

Could you provide an overview of the cybersecurity threats the medical field faces? How big is this problem?

Medical devices have largely been neglected from a cybersecurity perspective. Many of these devices run legacy operating systems, are full of vulnerabilities, and were not intended to be connected to hospital networks. For ease of management, data access, updates, etc., many medical devices are now connected to hospital networks, which have connections to the Internet.

Hospital networks are inherently insecure; any threats to a hospital network are transferred to connected medical devices. Threats to implantable devices are primarily due to insecure wireless communications. Implantables were designed to be easy to monitor and update via wireless technology. It is too risky to perform heart surgery every time a pacemaker or implantable cardioverter defibrillator (ICD) needs to be updated, for example.

The threats to medical devices are a big problem with severe and potentially lethal consequences.

As a white hat hacker, what’s your process for identifying security vulnerabilities? Do you try to hack everything and anything, or do you gravitate towards particular types of devices or networks?

Our process depends on the scope of the engagement. If we are asked to assess a medical device, we typically have several main phases—1) we perform a discovery to learn more about the device; 2) we define a security boundary for the device; 3) we perform a risk assessment of the device; 4) we identify all possible entry points in the system/device; 5) we develop attack trees and assess all entry points into the system using penetration testing and other techniques; 6) based on the results of 1-5, we determine a mitigation strategy; 7) we generate the report.

As for hacking everything and anything, the process I just mentioned applies a risk-based approach to our assessment. We focus on the big-ticket items first with the highest risk to patient safety, emphasizing how the device could be misused and the effect of attacks on data confidentiality, integrity, and availability. We work with manufacturers and providers to fix the most critical items first, then work down a prioritized list, based on the risk. We also run validation tests to ensure remediation steps worked.

How receptive are companies when you do identify a vulnerability? Do they usually address the issue?

Some are more receptive than others. Sometimes we are met with resistance, such as “there’s no way someone would think of doing that.” Most often though, our findings are well-received.

Unfortunately, company bureaucracy, cost, timelines, and other factors present obstacles to fixing devices under development or devices deployed in the field. It is very costly for medical device manufacturers to fix devices that are deployed across the world, or ones that are in the middle of development.

What do you think makes medical devices and hospital networks so appealing to hackers?

A couple of reasons. One is that PHI (protected health information) is more valuable than other types of information. Patient records sell for more than other types of stolen sensitive data on the black market.

Another reason is the physical effects that can be caused by hacking medical devices. Normally, if you steal credit card data from a web application, you may inconvenience someone—that’s an indirect effect to the person. If you can hack into a medical device though, you can directly affect a person’s physical state and well-being.

What is the one type of security vulnerability that keeps you up at night?

There’s not one that keeps me up at night. I’ve come to terms with the fact that it’s just a matter of time before something catastrophic happens. There have already been many warning signs, yet there is still a head-in-the-sand mindset. Almost like “if we pretend it’s not there, the threat doesn’t exist.”

If I had to pick one threat that would keep me up at night though, it is the threat of weaponized medical nanotechnology, a form of biomedical hacking. 

Nanotechnology, or “nanotech,” is basically extremely small computers, smaller than a pinhead. Nanobots can be used in the human body for items such as targeting cancer cells to destroy them by delivering chemotherapy to only cancer cells.

These nanobots can also be used to deliver lethal toxins or carry out specific missions in the human body, such as making your arms temporarily unmovable, or similar. The scary thing is they can be introduced to the human body very easily. You could breathe them in and not even know.

Do you think the FDA is doing enough to prevent and respond to cyberattacks?

I think the challenge is identifying who is ultimately responsible for medical device security—the device manufacturer, the user, the hospital, clinic, the Department of Homeland Security, the FDA, the doctor, patient, etc.?

The FDA has basically issued premarket and postmarket guidance for medical devices and passed the responsibility to healthcare delivery organizations (HDOs). According to the FDA, “HDOs are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.”

We recently spoke with a medical professional who told us that “doctors don’t become doctors to protect data.” What role does the average doctor play in maintaining secure medical devices and networks?

I agree with this statement. Doctors have enough to worry about. They should be given a list of “approved medical devices” that they can use and recommend. These devices should be thoroughly vetted for cybersecurity vulnerabilities. Penetration testing and other methods should be used.

The challenge becomes where does this “approved list of medical devices” come from? Who has the approval authority? This is not a simple problem to solve, because medical devices are complex systems with many vulnerabilities, both known and unknown. What is approved today, could be recalled tomorrow. This should not be the responsibility of the doctor.
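The phased, risk-based process described in the interview above (identify entry points, build attack trees, fix the items with the highest patient-safety risk first, then retest to confirm the fix worked) can be made concrete with a small attack-tree scorer. The Python below is an added example and is not Alpine Security's tooling or code from the original post. The node semantics (OR takes the easiest branch, AND multiplies independent step likelihoods), the 0..1 likelihood scale, the 1..5 safety-severity scale, and the hypothetical implantable pulse generator with its three entry points are all assumptions constructed for illustration.

```python
"""Attack-tree scoring for ranking a device's entry points by patient-safety risk.

Added example, not Alpine Security's tooling. Node kinds, the likelihood scale
(0..1, analyst-estimated ease for an attacker) and the 1..5 severity scale are
assumptions chosen for illustration; the device and its entry points are
constructed, not a real product.
"""
from dataclasses import dataclass, field
from functools import reduce
from typing import List


@dataclass
class Node:
    """One node of an attack tree. Leaves carry an estimated likelihood;
    OR nodes succeed if any child does, AND nodes only if all children do."""
    name: str
    kind: str = "leaf"          # "leaf", "or" or "and"
    likelihood: float = 0.0     # leaves only: 0.0 (infeasible) .. 1.0 (trivial)
    children: List["Node"] = field(default_factory=list)


def likelihood(node: Node) -> float:
    """Propagate leaf likelihoods up to the root.
    OR: the attacker picks the easiest branch, so take the max.
    AND: every step must succeed; treat steps as independent and multiply."""
    if node.kind == "leaf":
        return node.likelihood
    vals = [likelihood(c) for c in node.children]
    if node.kind == "or":
        return max(vals)
    if node.kind == "and":
        return reduce(lambda a, b: a * b, vals, 1.0)
    raise ValueError(f"unknown node kind {node.kind!r}")


@dataclass
class EntryPoint:
    name: str
    tree: Node
    safety_impact: int   # assumed scale: 1 (negligible) .. 5 (could kill or seriously injure)


def risk(ep: EntryPoint) -> float:
    """Risk = likelihood of the easiest attack path x patient-safety severity."""
    return round(likelihood(ep.tree) * ep.safety_impact, 3)


def prioritize(eps: List[EntryPoint]) -> List[EntryPoint]:
    """Highest-risk entry points first: the order in which to fix and retest."""
    return sorted(eps, key=risk, reverse=True)


def set_leaf_likelihood(node: Node, leaf_name: str, new_value: float) -> bool:
    """Record a mitigation by lowering one leaf's likelihood so the tree can be
    re-scored (the 'validation' step). Returns True if the leaf was found."""
    if node.kind == "leaf":
        if node.name == leaf_name:
            node.likelihood = new_value
            return True
        return False
    return any(set_leaf_likelihood(c, leaf_name, new_value) for c in node.children)


def build_entry_points() -> List[EntryPoint]:
    """Constructed example: a hypothetical implantable pulse generator with three
    entry points. Likelihoods and severities are illustrative guesses."""
    rf = Node("Issue therapy command over RF telemetry", "or", children=[
        Node("Send unauthenticated programming command", likelihood=0.6),
        Node("Replay a captured legitimate session", likelihood=0.4),
    ])
    programmer = Node("Tamper via clinician programmer port", "and", children=[
        Node("Gain physical access to the programmer", likelihood=0.3),
        Node("Bypass the programmer's login", likelihood=0.5),
    ])
    network = Node("Alter patient data from the hospital network", "or", children=[
        Node("Log in to the monitoring gateway with default credentials", likelihood=0.7),
        Node("Exploit an unpatched service on the gateway", likelihood=0.5),
    ])
    return [
        EntryPoint("RF telemetry", rf, safety_impact=5),
        EntryPoint("Clinician programmer port", programmer, safety_impact=4),
        EntryPoint("Hospital network interface", network, safety_impact=3),
    ]


if __name__ == "__main__":
    eps = build_entry_points()
    for ep in prioritize(eps):
        print(f"{risk(ep):>5}  {ep.name}")
    # After adding command authentication, re-score to confirm the fix changed the ranking.
    set_leaf_likelihood(eps[0].tree, "Send unauthenticated programming command", 0.05)
    print("after mitigation:", [(ep.name, risk(ep)) for ep in prioritize(eps)])
```

With the constructed numbers the RF telemetry path ranks first (3.0), the hospital network interface second (2.1) and the programmer port last (0.6, because its AND node requires both physical access and a login bypass). Lowering the unauthenticated-command leaf after a fix leaves the replay branch as the easiest RF path and drops that entry point below the network interface, which is exactly the re-ranking a validation retest should produce.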

A Penetration Testing Career – Do You Have What It Takes?

Penetration testing, also known as ethical hacking, is one of the hottest jobs in tech today. What other career lets you pretend you're in The Matrix, working your way into systems like a top-level hacker, all without breaking any laws? Oh, and you're getting paid for it.

With a real-world penetration testing job, though, you're not just playing at hacking into systems. You actually are hacking into systems, and your employer's very existence may depend on your ability to do it.

What to Expect From a Penetration Testing Career

As a penetration tester, often known as a “pen” tester, your job is to identify security vulnerabilities in a company's internal systems and outward-facing applications. You might test a whole system, but you'll probably test only part of a system at a time. 

Either way, you are responsible for finding any weaknesses that a hacker could use to get in, so you need to run a lot of tests. 

No real job is as glamorous as the movies, and penetration testing really is no exception. Some of the tests you have to run are repetitive. If the system is strong, you'll get a lot of negative findings and just move on to the next test without much fanfare. 

But sometimes, you'll hit the proverbial pay dirt.

You'll figure out how to breach a system before a criminal does. You'll show your client how to patch up the hole in the system and keep sensitive data out of the wrong hands. On those days, you'll earn your client's unending gratitude.

What Kind of Person Does This?

If you're drawn to ethical hacking jobs, you probably have an analytical mind. You love problems because solving them gets your mind working overtime, and you believe that a brick wall is just a test of how badly you want to get to the other side. 

These are the qualities that you need as a penetration tester. It's a challenging job, but some people really thrive in it. These are the people who have:

  • a genuine interest in how systems work 

  • a tactical mindset 

  • a quick mind 

  • persistence to a fault

Perhaps most importantly, though, you need to be a good communicator. Contrary to the stereotype of the reclusive and awkward tech geek, you won't get anywhere in pen testing unless you can communicate your highly technical work to someone in a different field. Put simply, you need to make your client understand what you've found and why it matters.

Great Expectations

When a company hires you as a penetration tester, it puts its most sensitive and valuable data in your hands. Your clients will want to know that you can do the job, so they expect you to have certain skills. First of all,  you need to know everything possible about operating systems, networks, and scripting. 

Also, there are plenty of automated scanners out there that check for known weaknesses, and a client will need you to know more than the scanner does. You'll need to be able to find vulnerabilities that have no CVE identifier or scanner signature yet, because nobody has reported them.

You'll need to be able to integrate new exploits into your existing skill set. Tech is constantly evolving, and hackers are always coming up with new ways to breach barriers. You need to be able to hear about a new exploit, try it out, and figure out how to screen for it.   

Finally, it helps if you know how to code. Some pen testers get by without it, but you'll save yourself a lot of time if you have some basic skills in the most widely used coding languages. 

Let's Talk Money

If you're a good fit, you'll find penetration testing to be a rewarding career in more ways than one. Financially, you start out as an entry-level professional with an average salary around $70,000, and by mid-career the average salary has crested $100,000.

By the time you are considered experienced, the average salary is around $115,000. Meanwhile, you will have built up your knowledge of the field and potentially supervise more junior professionals.

Starting a Penetration Testing Career

Naturally, a job like this isn't one you can just walk into from your latest gig at McDonald's or Old Navy. You're working with high-security systems and you might have thousands of people's personal data in your hands. You need training and certifications, not to mention the kind of personality that can handle an intensely high-stakes position. 

So it's not surprising that most penetration testers get into the field from other areas of tech, such as systems administration or programming. The majority of hiring companies want the pen tester that they hire to have at least a bachelor's degree in a field related to IT or cybersecurity. Most also ask for particular certifications.

Entry Level Credentials

If you're just getting started in pen testing, one of the entry-level certifications will show an employer that you're serious about the field. Here are a few of the ones they like to see.

Certified Ethical Hacker (CEH) 

The CEH certification is an entry-level credential offered by EC-Council. It requires you to pass a 4-hour, 125-question multiple-choice exam that covers the latest tactics hackers use to breach security systems. EC-Council also offers a separate 6-hour, hands-on CEH (Practical) exam for those who want to demonstrate applied skills.

Certified Penetration Tester (CPT)   

The CPT is the entry-level certification offered through the Information Assurance Certification Review Board, more commonly known as the IACRB. The associated multiple-choice exam is two hours and includes 50 questions, 70 percent of which you have to answer correctly to pass.

Intermediate and Advanced Certifications

Even when you're already established in pen testing, you need to show that you're up to date with the latest advances in the field. That's where the more advanced certification programs come in.

EC-Council Certified Security Analyst (ECSA)

The ECSA is EC-Council's intermediate credential. It requires the candidate to pass a four-hour, 150-question test as well as a 12-hour practical exam. The practical exam presents you with a simulated organization's network in a lab environment and evaluates your ability to use network scanning, vulnerability analysis, and other common pen testing techniques to get into it.

PenTest+

The PenTest+ certification is offered through CompTIA. It is an intermediate-level exam that features multiple-choice questions as well as performance-based questions. Over the course of 165 minutes (2.75 hours), these challenges evaluate your ability to find a system's weaknesses and develop strategies to address them.

Certified Expert Penetration Tester (CEPT)

The CEPT test is the IACRB's follow-up to the CPT exam, and it covers the nine domains of penetration testing knowledge.  These include: 

  • Penetration Testing Methodologies 

  • Network Attacks and Recon 

  • Memory Corruption and Buffer Overflow Vulnerabilities 

  • Reverse Engineering 

The nine domains are covered in a 50-question multiple-choice test. The candidate has two hours and must answer at least 70 percent of the questions correctly to receive a passing score.

Licensed Penetration Tester (LPT)

The LPT is EC-Council's most elite certification. Not for the faint of heart, it requires aspiring recipients to endure a three-level, 18-hour exam. Those who succeed are considered to be the industry's top experts.

Each level of the exam is six hours long and presents you with three challenges. You advance to the next level if and only if you are able to complete at least one of the three challenges.  In all, you need to complete five of the nine challenges to pass the test. 

You can prepare for the LPT by taking EC-Council’s Advanced Penetration Testing course.

Offensive Security Certified Professional (OSCP)

This exam gives you a lab network of unfamiliar machines and a 24-hour window to compromise them, after which you submit a written report with notes and screenshots documenting every step and every vulnerability you found. Points are awarded per machine, with more for a full (root or SYSTEM) compromise than for a low-privilege foothold.

Offensive Security Certified Expert (OSCE)

This one's a real marathon. The exam runs 48 hours, and passing it shows that you know how to tackle the security issues that less advanced ethical hackers can't handle. It's one of the industry's most difficult tests. If you've passed it, companies know that you can take on the toughest problems out there.

Passing the Tests

These are not tests you want to mess around with. It's one thing to have to re-take an exam in undergrad, but not when you're investing up to 48 hours in the test alone. Also, you're depending on these tests to start or advance your career.

Alpine Security understands what's on the line. That's why we offer preparation courses for all of the most commonly requested tests in cybersecurity, many of which come with an exam pass guarantee and exam voucher. 

Most importantly, Alpine hires successful working penetration testers as its trainers and routinely performs penetration testing; it is one of the company's main services. This real-world experience ensures that you're getting the latest knowledge in the field. Don't wait to start hacking for a living. Contact Alpine today and start hitting the books.