+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

Patrick Townsend

Recent Posts

VMWARE MARKETPLACE IS GREAT FOR VENDORS

Posted by Patrick Townsend on Aug 4, 2022 1:15:36 PM

Townsend Security has been a VMware partner for many years. I’ve always found their technical and marketing teams great to work with. A decade ago we started with a basic partnership, then achieved a PCI Data Security Standard validation of Alliance KeyEncryption Strategies for VMware Environments Manager through their partnership with Coalfire, and then achieved certified status of our key manager with VMware encrypted VMs and vSAN. Now we are working towards an enhanced marketplace presence where our customers can actually purchase our key manager through the VMware marketplace portal.

Here is a blog that we wrote together and just published on the VMware blog:

https://blogs.vmware.com/tap/2022/07/21/vmware-marketplace-benefits-from-a-partners-point-of-view/

If you are a VMware partner and have a solution that enhances the VMware customer environment you should really look at the new marketplace features!

PatrickEncryption Key Management for VMware Cloud Providers

Topics: VMware, vSAN, vSphere Encryption

Verizon 2022 Data Breach Investigations Report (DBIR)

Posted by Patrick Townsend on Jun 14, 2022 2:10:41 PM

I really like the annual Verizon Data Breach Investigations Report. The Verizon team succeeds at making the report detailed enough to be helpful, but also easy to read. The 2022 DBIR report is now out and it is a good read (see the link below to get the report). Here are just a few of my take-aways on the new report.

Phishing and stolen credentials are still the most common pathways to a ransomware infection and a data breach. Cybercriminals use phishing emails with poisoned links or attachments to break into your local system, and then worm their way into the IT infrastructure of your company or organization. Also, cybercriminals leverage the gains of past work to use compromised credentials to break into your systems. Because we humans tend to re-use our passwords, or use weak passwords, stolen credentials are one of the main ways criminals get access to our systems. There are other methods of compromise, but phishing and compromised credentials are the most common ways of gaining access. More on what you can do below.Encryption Strategies for VMware Environments

We are still very much reliant on email to conduct our work. Yes, we use other messaging methods like Slack and Microsoft Teams, but we still tend to use a lot of email. Cybercriminals know they can target us through phishing emails. And we shouldn’t be naïve. These emails are now very sophisticated and can be hard to recognize. They look like the come from a colleague, or business partner, or vendor, or even our family members. But they contain deadly links and attachments.

What can we do thwart phishing emails? Here are a few of the ways we can protect ourselves:

  • Conduct employee training on how to detect phishing emails. It is amazing how effective this can be. We do this at Townsend Security on a regular basis. And there is a bonus for acing the test! Full disclosure – I did not ace the test the last time, but I learned a lot from the exercise and we will do it again.

  • An overlooked way to minimize the threat is to use an email service that builds in phishing email protection. Here at Townsend Security we use commercial Google Gmail infrastructure which helps in this area, but other email systems also provide this. If you are on an older email server infrastructure, it makes sense to migrate now.

  • You should also disable macros in Word and Excel. Never allow code to execute from an untrusted party, and always be suspicious even if you think you know the person sending the email to you. If you are not expecting the email with an attachment or link, do not trust it. I’ve often just picked up the phone and called the sender to check.

Stolen credentials are also a big problem. Here are a few steps you can make to minimize this threat:

  • Activate Multi-Factor Authentication (MFA) on all of your important accounts. This will go a long way to preventing the use of stolen credentials. Applications like Authy or Google Authenticator can make this easier.

  • Use strong passwords and avoid re-using a password. This is incredibly hard without the use of a password manager. There are many password managers that you can use. LastPass and 1Password come to mind. But there are others.

  • Periodically check to see if your credentials have leaked. Use the “Have I Been P0wnd” website to check your email address. If you use the Google Chrome browser you can use the built-in feature to show you where your passwords may have been leaked.

When it comes to analyzing who the main targets are, the report is very helpful. Many of the industries come as no surprise. Banks and financial services are high on the list. And healthcare providers are right up there, too. But did you know that schools are a target? And technology companies? And manufacturers? It turns out that almost everyone is a target! The report breaks these vertical segments out in some detail and it is enlightening to research your own industry segment for helpful pointers on how attacks are likely to play out.

Here are a few other items in the report that I found interesting:

The SolarWinds attack was a supply chain attack that was surprising and new. It made the news because of its devastating and rapid spread. It represented a relatively new attack vector with a high level of sophistication. Related to this is a new focus by attackers on MSPs and ITSOs. MSPs represent a valuable target as they often provide access to a large number of downstream end customers. Perhaps because of the SolarWinds attack the federal government is trying to strengthen the security posture of its suppliers. The new CMMC regulations are a part of this.

Ransomware is still on the rise. In spite of the fact that we are now quite aware of ransomware and how it works, it is increasing in terms of the frequency and number of attacks. This is probably because the attackers find it easy to execute and because it is so profitable. While the Verizon report does not talk much about data exfiltration due to ransomware, this is now a part of most ransomware attacks. If you don’t pay the ransom you will be threatened with the release of your sensitive data. That’s why we here at Townsend Security have been talking about encrypting all of your sensitive data.

In the past the health industry was a target due to the availability of patient medical information. Now the health industry is a target because of Personally Identifiable Information (PII). Perhaps this is because medical records systems are better at protecting patient medical information, but have not yet extended protections to good old PII?

Manufacturers are an increasing target. In the past manufacturers were the target of espionage efforts for IP theft. This is still true, but now the ransomware attackers are looking for quick gains from manufacturers. Espionage attacks are harder to detect as the attacker often does not want to be discovered. On the other hand, ransomware attackers WANT you to know they are there! And manufacturers are motivated to quickly make ransom payments in order to get their facilities back up and running.

If I did not mention your industry segment be sure to read the report. It covers a lot of different segments!

Hey, small businesses – heads up! You are now a prime target of ransomware attacks. You might be thinking that you are small fish and not worth the bother. That’s not true – payment of a small ransom is just fine for attackers. No more putting our heads in the sand. From the Verizon report:

“Contrary to what many may think, very small organizations are just as enticing to criminals as large ones, and, in certain ways, maybe even more so. Threat actors have the “we’ll take anything we can get” philosophy when it comes to cybercrime. These incidents can and have put small companies out of business. Therefore, it is crucial that even very small businesses (10 employees or less) should take precautions to avoid becoming a target.”

Small businesses especially need to improve their security around phishing and stolen credentials. If you are a small business and are being served by an outside Managed Service Provider, contact us. We have a special program that will empower your MSP to deliver encryption of sensitive data at a very reasonable cost.

The Verizon report doesn’t just tell us what happened. It gives some good pointers on what we can actually do to help prevent a data breach. See page 76 of the report for a very practical and achievable set of steps you can start taking right now.

If you are a security professional, this report is well worth a read. It helps us understand the mindset of the cybercriminal and how their techniques are evolving. If you are not a security professional, you might also like to peruse this report. It is very readable and even has some not-so-lame humor!

Patrick

Resources:

The Verizon Data breach report:

https://www.verizon.com/business/resources/reports/dbir/

CISA ransomware prevention guidance:

https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

Google phishing training:

https://phishingquiz.withgoogle.com/

Have I been Pwnd:

https://haveibeenpwned.com/

New call-to-action

Topics: Encryption, Phishing, CyberSecurity

Your KMS as an Early Warning System for a cyber attack

Posted by Patrick Townsend on Jun 2, 2022 1:28:54 PM

Cyber-attacks are executing at much faster speeds now. In the past you might find that an attacker waited weeks or months after gaining access to your system before stealing sensitive data. Those days are mostly gone. An attacker now can execute in a few minutes or hours. Early detection is critical for interrupting an attack. And a fast response is crucial to stopping the attack.Encryption Strategies for VMware Environments

There is a good chance that you are already encrypting your sensitive data to prevent it from being used for extortion by a ransomware attacker. If you are already encrypting your data, you are also probably using a key management system (KMS) to store your encryption keys. That is a security best practice, and the right thing to do.

Are you ready for the next step?

Did you know that your KMS can play an important part in early detection of an attack? Your key management system should be collecting key retrieval activity into real-time logs. For example, our Alliance Key Manager logs every single action that takes place including key creation, retrieval, deletion, and so forth. Why not use these logs to help detect an attack? After all, the attacker is going to try to steal the data, and that means there will likely be activity on the key manager. And that means a KMS log can help you thwart an attack.

How can we implement this in a real environment?

Our Alliance Key Manager solution comes with log forwarding capability already built in. It is easy to start forwarding the KMS activity log to your SIEM solution using the common syslog-ng protocol. All SIEMS can ingest the KMS activity log, so just start forwarding them.

Next, train your SIEM to detect anomalies. A good SIEM is really good at anomaly detection! So let’s put it to work. Here are some KMS events that should be early warning signs of an attack in progress:

  • Retrieving an encryption key at an unusual time of the day.
  • Retrieving an encryption key on an unusual day.
  • Failure to retrieve a key for an extended period of time.
  • Unusually high level of key retrieval requests.
  • Unexpected user attempts to retrieve a key.
  • Attempts to retrieve a key that does not exist.
  • Failed TLS negotiation to retrieve a key.
  • Key retrieval request from an unusual IP address.

As you can see there are many events or patterns that can indicate the activity of an attacker. And KMS logs are likely to show this activity early in the attack. Training your SIEM to alert on this activity is usually pretty easy to do, but that depends on the functions of the SIEM.

Another big bonus for integrating the KMS with your SIEM is that many SIEMS can now take pro-active and automatic steps to thwart an attack. In addition to alerting the IT staff of a potential attack, some SIEM solutions can execute scripts that take a database off-line, or even take the key manager off-line. You can get very creative with the automatic responses to a cyber-attack.

Your KMS can be your “canary in a coal mine”. The features are there ready to be put to use.

If you are running our Alliance Key Manager solution just raise a problem ticket with our support team to get some pointers on how to forward logs to your SIEM. It will be easy to do.

PatrickPodcast: State of Encryption Key Management

Topics: Encryption, Key Management, Ransomware, KMS

Interview with website planet

Posted by Patrick Townsend on Apr 14, 2022 10:13:26 AM

 

Web developers have some unique challenges when it comes to securing data at rest. It is now standard practice to implement secure connections via HTTPS to protect data in motion. This was probably helped along by Google search as it prioritizes secureProtecting Encryption Keys in AWS websites. But in my opinion there has not been the same focus on securing sensitive data at rest in web files and databases. So I accepted an invitation to talk to the folks over at Website Planet. You can find the interview here:

https://www.websiteplanet.com/blog/townsendsecurity-interview/

Disclaimer: Neither I nor Townsend Security have any business relationship with Website Planet.

Enjoy.

Patrick

 

 

Podcast: State of Encryption Key Management

Topics: Encryption, Key Management, Defense-in-Depth, Cloud Security

Ransomware evolution - “Devastating innovation”

Posted by Patrick Townsend on Feb 22, 2022 4:40:02 PM

The new Sophos Threat Report for 2022 is just out and it is a good read (the link is below). In addition to ransomware the report talks about the increasing role of Artificial Intelligence as a part of both defense and offense, and other topics I think you would find interesting. Sophos is on the front lines of trying to help organizations who have fallen victim to ransomware. This statement in the threat report about new ransomware techniques really struck me:

“Ransomware is only as good as your backups, or so an adage might go if any existed. The truth of this statement became the basis for one of the most devastating “innovations” pioneered by some threat actor groups involved in ransomware schemes in the past several years: the rise of extortion in ransomware attacks.”

Delivering Secure VMware Hosting with Encryption and Key ManagementWe all know that we have to have a really good backup and recovery strategy to deal with a ransomware attack. From the Threat Report:

“Increasingly, large organizations have been getting the message that ransomware attacks were costly but could be thwarted without the need for a ransom payment – if the organization kept good backups of the data the attackers were encrypting and have been acting on it by engaging with large cloud backup firms to keep their systems cloned. After all, if, for instance, you only lost one day’s worth of work, it would be a manageable loss, completely survivable for the targeted organization, if they chose to restore from backups rather than pay the ransom.”

But did you know that the attackers have innovated with a “double extortion” strategy? Backups can help you recover from the loss of your systems due to poisonous encryption. But the attackers are now stealing your sensitive data and threatening to publicly release it if you don’t pay the ransom. That is the second part of the “double extortion”, and is the “devastating innovation.”

“We have to presume that the ransomware groups were also getting the message because they weren’t getting paid. They took advantage of the fact that the average “dwell time” (in which they have access to a targeted organization’s network) can be days to weeks and started using that time to discover an organization’s secrets—and move everything of value to a cloud backup service themselves. Then, when the ransomware attack struck, they’d layer on a second threat: pay up or we release your most sensitive internal documents, customer information, source code, patient records, or, well, anything else, to the world.”

How do we respond to this new, double extortion ransomware threat?

First, we have to do the things we’ve always done:

  • Backup everything to be prepared to restore systems and data.
  • Monitor our environments for anomalous events and behavior.
  • Educate our employees and service providers on good technology and email practices.

Now we need to add one more practice:

  • Encrypt sensitive information to deny it to the attackers.

To defend against the “double extortion” we now have to deny hackers access to our sensitive information through the use of defensive encryption. If the attacker steals our data but can’t read it, we have defeated the new “Devastating Innovation”. I know that it is a bit ironic that we have to use the same tool as the hackers – encryption – to defeat the hackers. But it is a tool that we have readily at hand. All major database, virtualization, and storage solutions make it easy to encrypt data. And that’s what we need to do now. As in, right now!

Here is one critical thing to consider when you start implementing encryption as the next part of your ransomware strategy:

Your encryption is only as strong as your management of encryption keys.

When you encrypt your sensitive data, you have to protect the secret key that unlocks the data. That is actually the hardest part of an encryption strategy. It is important to get this right from the start. This is where Enterprise Key Management systems come into play. They give you the means to protect your encryption keys away from the data they protect.

We are helping our customers deploy encryption to defeat ransomware with our Alliance Key Manager solution. You can encryption databases, VMware infrastructure, Cloud data, Big data, and much more. More information here:

https://townsendsecurity.com/products

If you are a Managed Service Provider (MSP, MSSP) or IT Services Organization (ITSO), you can find out more about how we empower our partners to meet this challenge. More information here:

https://townsendsecurity.com/msp

Stay safe,

Patrick

Resources:

The Definitive Guide to Encryption Key Management Fundamentals:

https://info.townsendsecurity.com/ebook-definitive-guide-to-encryption-key-management-fundamentals

The Sophos 2022 Threat Report:

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdfDownload Alliance Key Manager

Topics: Alliance Key Manager, Encryption, Key Management, Ransomware

Alliance Key Manager – No Log4Shell (Log4J) vulnerability

Posted by Patrick Townsend on Dec 18, 2021 4:37:43 PM

December 17, 2021

The Log4Shell (Log4j) vulnerability represents a potentially severe security threat to all companies who deploy internal or third-party applications that use the Java Log4j logging facility. The relevant security notice is CVE-2021-44228. Our customers and partners have inquired if Alliance Key Manager is subject to this new vulnerability.

Link to the CVE:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

SQL Server Standard Edition & TDEAfter technical review and external application scanning (Nessus) we can report that Alliance Key Manager is not subject to this vulnerability. This applies to all platforms where Alliance Key Manager can be deployed including VMware, Microsoft Azure, Amazon AWS, and the Townsend Security HSM. The primary key management interface to Alliance Key Manager is a secure TLS interface that is implemented on the server side via ANSI C application code for both traditional and KMIP operations. All inputs are validated before processing. No use is made of Java for logging functions. The user, administrative, encryption and mirroring functions of key management interfaces are logged using native ANSI C functions. Some server management functions use logging via the Python language. 

Currently supported versions of Alliance Key Manager are 4.6 and newer including 5.x. If you are running an earlier version of Alliance Key Manager you are not subject to the Log4Shell vulnerability, but you should contact Townsend Security support to upgrade as soon as possible.

If customers and partners have any questions about this vulnerability then can contact Townsend Security through normal problem ticketing options. Others may send email to info@townsendsecurity.com.

Townsend SecurityEncryption Key Management for VMware Cloud Providers

Topics: MSP, CyberSecurity, Log4Shell, Log4j

Why Online Gaming Sites Need to Prioritize Data Privacy & Digital Security

Posted by Patrick Townsend on Nov 9, 2021 12:05:07 PM

 

Whilst the pandemic has caused untold stress for many around the planet, some businesses and industries have thrived from people experiencing a more sedentary lifestyle. The boom in online shopping and particularly online gaming has been phenomenal. However, with that growth has also brought another concerning issue of its own.

With more people inputting their data across the web, and companies relying on modern technologies, it has given hackers more scope to aim their sights at unsuspecting victims.

Earlier this year it was estimated by Homeland Security Secretary, Alejandro Mayorkas, that $350 million was handed out to just some of the hackers who engage in ransomware schemes. With Colonial Pipeline CEO, Joseph Blount, admitting that they paid out $11 million following an attack which saw their Eastern Seaboard gasoline supply shut down. This was all down to not having a multifactor authentication login system. It shows how easy it can be. It’s exactly why modern, digitally based businesses, should be very mindful of the impact that having a lax attitude to security can have.

Growth of online gaming

With the online gaming industry being valued at almost $174 billion in 2020, it’s easy to see why this is one area where criminals are looking to get a foot in the door. The industry is an ever-evolving animal, with some journalists suggesting that online video gaming is the new social media. This extra social interaction, could be said to lower inhibition and present more opportunities for exploitation. It is not only about losing money, if data is exploited then accounts can easily be ‘taken over’. Account takeovers are not uncommon. This results in players losing access to games and potentially more, due to unintentionally giving away their account details.

This is something, which if not taken seriously, will also affect the online casino industry. Although CNBC have reported this is an area which is already being targeted by cyber criminals more than ever before.

With the potential prizes on offer, and the subsequent amounts held and deposited by players, the criminals are waiting to pounce. At the time of writing, the slot games on Gala Bingo, for example, are openly advertising jackpots of $96,000 and $22,000. So, at any point players could have those large amounts and more in their account. Then if you consider hacking attempts on the gaming industry have already risen by 261% during the second quarter of 2021. That’s in comparison to the same time last year. So, almost in parallel with the growth of the industry, the hackers are looking to exploit players new and old.

What are companies doing to stop these attacks?

In the online casino industry, some companies have moved to using cryptocurrency as a means of tightening security. The blockchain technology affords its owners added safety, by design it’s almost impervious to the risk of data substitution and corruption. Utilizing blocks of transactions stored in chronological order, it becomes near impossible for this chain to be interrupted. One change would break the chain, therefore rendering the 'currency' valueless.

Adding another layer of added security is, two-factor authentication. This is something which is certainly becoming more prevalent in both video and casino gaming. This is where users will need two forms of ID to login to their accounts. Typically this will include not only your password to your account, but then a code would be sent via a cellphone application like Google Authenticator or Authy, an email or sometimes via text message to a cellphone. This code needs to be inputted within a certain time period to access your account. Now, unless you’ve lost your cellphone too, it makes it much harder for people to access the account.

Lastly, it is important to encrypt sensitive data at rest. If other protections fail and hackers are able to steal the data, they won’t be able to use it to threaten its release and extort payments from you. In this case encryption is your friend! We don’t hear much about data breaches where encrypted data is stolen for good reason. If hackers don’t have the encryption key, they can’t use the data against you.

Companies are certainly doing what they can to help stave off the threat of cybercrime to themselves and their customers. However, there's still a long way to go. But as you can see with the amount of growth in the industry, it's clear why gaming sites should continue to prioritize data and digital security.

If you need any help or information, we have all the resources to assist you and your business here at Townsend Security.

PatrickeBook: Definitive Guide to Encryption Key Management

Topics: Encryption, Key Management, CyberSecurity

The MSP Threat Report and Take-Aways

Posted by Patrick Townsend on Oct 26, 2021 2:51:26 PM

I’ve been reading the 2021 MSP Threat Report from Perch (a ConnectWise company). It has a great review of the evolving threats to MSPs and their customers from ransomware attackers this last year. What I like about this report that it puts a number of relevant factors into perspective. Why are MSPs a target? What do the attacks look like? Who are some of the groups that are behind these attacks? What do they want (doh)? How are MSPs responding, and how effective are these responses? And, of course, what should MSPs be doing to counter the ransomware threats.

You can find the report here:

https://www.connectwise.com/resources/ebook-2021-msp-threat-report

Here are a few of the take-aways that I found interesting:

MSPs represent a valuable target. Why is that? Well, it turns out that MSPs are theVMware Cloud Providers & MSPs - Win New Business gateway to a lot of end customers. They call this the “Buffalo Jump”. If an attacker can compromise an MSP they can get downstream access to all of the MSP’s customers. Based on some industry averages Perch estimates that an MSP an its customers represent a $2 BILLION opportunity. Yeah, that’s Billion with a “B”. The attacker expects to collect a ransom payment from the MSP and from each of the MSP’s end customers. The financial incentives to attack and MSP are huge.

As we know from recent experience the MSPs who have been attacked were surprised by the event. In many cases the MSP systems were not compromised, but the software they used to manage their business became the path to the compromise. A so-called “supply chain” attack. However, the supply chain attack does not cover all of the MSPs who encountered problems – many experienced routine phishing attacks and credential compromises. But the multiplier effects of the supply chain attacks stretched the resources of many MSPs.

The characteristics of a ransomware attack are pretty well known now. The common sequence of events of a ransomware attack are:

  • Infiltration – access to the MSP and their end customer.
  • Planting malware on breached systems.
  • Exfiltration – steal copies of the data to the attacker’s server
  • Poisonous Encryption – deny you access to your data and systems using a secret key.
  • Extort the ransom – usually through cryptocurrency payments.
  • Release of the hostage – decryption of your hostage data (if you are lucky).

While theft of data is common in traditional data breaches, the Exfiltration step is relatively new in ransomware attacks, and this is where many ransomware defenses fail. The MSP and the end customer may be able to restore systems from backups, but that won’t stop the extortion attempt. The ransomware attacker now has your sensitive data and threatens to release publicly it if the ransom payment is not made. The release of sensitive information can be devastating to MSPs and to their end customers. The threat is real and substantial. You need a backup and restore strategy, but it won’t protect you from the threat of the release of sensitive data.

What can you do?

The Perch Threat Report does not discuss this, but you do have tools to protect against Exfiltration. You have the ability to encrypt your data before the attacker with your own secret key. And that is what I call “Defensive Encryption”. You must encrypt your sensitive data first. The attacker can’t use the Exfiltrated data against you if they can’t read it. This is where encryption becomes you friend. Defensive Encryption renders Exfiltration useless by denying the attacker the ability to extort the MSP and the end customer. You still have to restore from backup, but you are in a much stronger position to defeat the extortion attempt.

There is a lot to like about the 2021 Perch Threat Report. It is concise but at the same time covers a lot of ground. I think this is an excellent report to share with upper management in your company. If you are an MSP you can share this with your end customers to help get them motivated.

MSP Note:

If you want to move forward with Defensive Encryption we have a solution you are going to love. Proper encryption key management is crucial to an encryption defense, but MSPs can be put off by the cost of key management systems. We’ve solved that problem. More here:

https://info.townsendsecurity.com/msp

PatrickEncryption Key Management for VMware Cloud Providers

Topics: Encryption, Partner, Ransomware, MSP

HIPAA, Ransomware and ePHI - Encrypt Your Data Now

Posted by Patrick Townsend on Jun 29, 2021 3:04:55 PM

Ransomware criminals have been going after Hospitals, Clinics, Radiologists, Physician practices and all manner of organizations in the medical sector. These are “Covered Entities” in HIPAA compliance lingo. In response to the Ransomware threat the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) made this strong statement this last week:

“OCR is sharing the following alerts from the White House and Cybersecurity and Infrastructure Security Agency (CISA).  Organizations are encouraged to review the information below and take appropriate action.

White House Memo: What We Urge You To Do To Protect Against The Threat of Ransomware

Anne Neuberger the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology has released a memo titled “What We Urge You To Do To Protect Against The Threat of Ransomware.”  

Here is the link in full:

https://www.whitehouse.gov/wp-content/uploads/2021/06/Memo-What-We-Urge-You-To-Do-To-Protect-Against-The-Threat-of-Ransomware.pdf

In addition to the White House guidance, HHS/OCR provides this fact sheet and guidance:

https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

Podcast on How to Avoid a Data Breach Notification with Encryption and Key ManagementThese are short documents that are non-technical in nature and provide clear guidance for any Covered Entity under HIPAA data security requirements. If you have management responsibility in any healthcare organization, these are probably the most important things you can read right now. If you are an IT or security professional in a healthcare organization, use this information to inform and motivate your management team. 

Here are few quick takeaways with a focus on encryption and avoiding breach notification:

  • Encrypt your patient information (ePHI) wherever it resides (servers, laptops, mobile phones, etc.). Here is what HHS/OCR says:

“If the electronic PHI (ePHI) is encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer “unsecured PHI,” then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.”

Interpretation: Encryption is your “Get Out of Jail Free” card. If you do it right.

  • Full Disk Encryption (FDE) is not enough:

“If full disk encryption is the only encryption solution in use to protect the PHI and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted with the same access levels granted to the user.

Because the file containing the PHI was decrypted and thus “unsecured PHI” at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed. Under the HIPAA Breach Notification Rule, notification in accordance with 45 CFR 164.404 is required unless the entity can demonstrate a low probability of compromise of the PHI based on the four factor risk assessment (see 45 C.F.R. 164.402(2)).”

Full disk encryption is pretty easy to deploy. However, it just does not provide enough security. Use database or application layer encryption that provides more granular control over the decryption of ePHI. Self-Encrypting Drives (SEDs) and full disk encryption will not pass muster.

  • Encryption Key Management is essential

You’ve heard this expression:

“A chain is only as strong as its weakest link.”

In an encryption strategy the weakest link is usually encryption key management. The encryption key is the secret you need to protect. Storing the encryption key on the same server or device as the ePHI will never be an acceptable practice. Always use a professional encryption key management solution that protects and stores the encryption key away from the sensitive ePHI data.

Encryption is not the only security effort you need to make, but in my experience it is the one thing healthcare organizations tend to ignore. I think this is because the HIPAA law considers encryption an “addressable” security control. This means you are not required to do it IF you have other equivalent controls in place. But if you are not encrypting your data and you have a data breach through Ransomware or other cyber attack, then you have “ipso facto” not protected your information well enough and you are in for a breach notification, OCR/HHS compliance action (ouch!), potential fines, and litigation. That won’t be fun, and it will be a lot more expensive than encryption.

We help a lot of healthcare providers meet the HIPAA security requirement. If you are storing ePHI in SQL Server, MongoDB, MySQL or in a VMware architecture or cloud platform, we have an affordable, easy solution for you. More information on our website:

https://townsendsecurity.com

If you are a Managed Service Provider (MSP) helping healthcare providers meet HIPAA compliance, we have a partner program for you that you are going to love. There is no entity so small that you can’t help them get secure. You can find out more here:

https://info.townsendsecurity.com/msp

Patrick

Achieve Safe-Harbor Status from HIPAA Breach Notification

Topics: Encryption, Encryption Key Management, HIPAA, MSP, CyberSecurity, ePHI

IT's OFFICIAL - ENCRYPTION FOR RANSOMWARE PROTECTION

Posted by Patrick Townsend on Jun 15, 2021 3:22:26 PM

If you’ve been following this blog recently you know that I’ve been advocating for the use of encryption to help prevent ransomware attacks. Ransomware attackers have been adapting to the new reality that a lot of companies have deployed good backup strategies to recover their files. Without that leverage the attackers can’t extort payments for recovery of your systems.

So, what are they doing now? They are exfiltrating your sensitive data and using that as additional leverage. 

Encryption Strategies for VMware EnvironmentsOh, you have backups and you don’t want to pay? OK, we took your sensitive data and we are going to publish it. Do you have secret intellectual property or business plans? Do you have sensitive medical information on your patients? Do you have sensitive information about children in your care? 

Under this kind of pressure many ransomware victims decide to pay the ransom. 

That’s why it is important to encrypt your data before a ransomware attack. If the attacker can’t read your data because it is encrypted they can’t threaten to release it.

It has been frustrating to me that most security recommendations on how to protect yourself from a ransomware attack omit the step of encrypting your data first.

But that has now changed! And it is long overdue.

Here is what President Biden’s new executive order recommends (emphasis added):

What we urge you to do now:

Implement the five best practices from the President’s Executive Order:President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multifactor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack. 

And  more ...

And this:

For Federal Agencies:

Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

Encryption is not the only thing you need to do, but it is a critical part of a ransomware protection strategy. It is heartening to see this being recognized.

There is some good news: Encryption is fast, easy and affordable. If you are a small or midsize organization you will be glad to know that there is an affordable solution for your encryption strategy. Encryption and encryption key management are no longer the headaches they once were. You or your IT Support organization can address your encryption needs in a rapid manner. 

If you are an IT Support Provider or Managed Service Provider trying to help your customers with security, you are going to love our MSP Partner program. Affordable key management for VMware and the cloud, usage-based billing, and no upfront fees. You will be profitable from the first customer. More information here: 

https://townsendsecurity.com/msp

Ransomware attacks can be devastating to an organization, but you have tools to protect yourself. Give us a call.

Patrick

References:

https://image.connect.hhs.gov/lib/fe3915707564047b761078/m/1/8eeab615-15a3-4bc8-8054-81bc23a181a4.pdf

https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/

Encryption & Key Management for VMware Cloud Providers

Topics: Alliance Key Manager, Encryption, Encryption Key Management, VMware, Ransomware, MSP

Blog-CTA-VMware-CSP
 
The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 
 

Recent Posts

Posts by Topic

see all