Daily Archives: June 10, 2019

Project Svalbard: The Future of Have I Been Pwned


Back in 2013, I was beginning to get the sense that data breaches were becoming a big thing. The prevalence of them seemed to be really ramping up as was the impact they were having on those of us that found ourselves in them, myself included. Increasingly, I was writing about what I thought was a pretty fascinating segment of the infosec industry; password reuse across Gawker and Twitter resulting in a breach of the former sending Acai berry spam via the latter. Sony Pictures passwords being, well, precisely the kind of terrible passwords we expect people to use but hey, actually seeing them for yourself is still shocking. And while I'm on Sony, the prevalence with which their users applied the same password to their Yahoo! accounts (59% of common email addresses had exactly the same password).

Around this time the Adobe data breach happened and that got me really interested in this segment of the industry, not least because I was in there. Twice. Most significantly though, it contained 153M other people which was a massive incident, even by today’s standards. All of these things combined – the prevalence of breaches, the analysis I was doing and the scale of Adobe – got me thinking: I wonder how many people know? Do they realise they were breached? Do they realise how many times they were breached? And perhaps most importantly, have they changed their password (yes, almost always singular) across the other services they use? And so Have I Been Pwned was born.

I’ll save the history lesson for the years between then and today because there are presently 106 blog posts with the HIBP tag you can go and read if you’re interested; let me just talk briefly about where the service is at today. It has almost 8B breached records, there are nearly 3M people subscribed to notifications, I’ve emailed those folks about a breach 7M times, there are 120k people monitoring domains they’ve done 230k searches for and I’ve emailed them another 1.1M times. There are 150k unique visitors to the site on a normal day, 10M on an abnormal day, another couple of million API hits to the breach API and then 10M a day to Pwned Passwords. Except even that number is getting smashed these days:

Oh – and as I’ve written before, there are commercial subscribers that depend on HIBP to do everything from alerting members of identity theft programs to enabling infosec companies to provide services to their customers to protecting large online assets from credential stuffing attacks to preventing fraudulent financial transactions and on and on. And there are the governments around the world using it to protect their departments, the law enforcement agencies leveraging it for their investigations and all sorts of other use cases I never, ever saw coming (my legitimisation of HIBP post from last year has a heap of other examples). And to date, every line of code, every configuration and every breached record has been handled by me alone. There is no “HIBP team”, there’s one guy keeping the whole thing afloat.

When I wanted an infographic to explain the architecture, I sat there and built the whole thing myself by hand. I manually sourced every single logo of a pwned company, cropping it, resizing it and optimising it. Each and every disclosure to an organisation that didn't even know their data was out there fell to me (and trust me, that's massively time-consuming and has proven to be the single biggest bottleneck to loading new data). Every media interview, every support request and frankly, pretty much every single thing you could possibly conceive of was done by just one person in their spare time. This isn't just a workload issue either; I was becoming increasingly conscious of the fact that I was the single point of failure. And that needs to change.

It's Time to Grow Up

That was a long intro but I wanted to set the scene before I got to the point of this blog post: it’s time for HIBP to grow up. It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that's able to do way more than what I ever could on my own. To better understand why I’m writing this now, let me share an image from Google Analytics:


That graph is the 12 months to Jan 18 this year and the spike corresponds with the loading of the Collection #1 credential stuffing list. It also corresponds with the day I headed off to Europe for a couple of weeks of “business as usual” conferences, preceded by several days of hanging out with my 9-year-old son and good friends in a log cabin in the Norwegian snow. I was being simultaneously bombarded by an unprecedented level of emails, tweets, phone calls and every other imaginable channel due to the huge attention HIBP was getting around the world, and also turning things off, sitting by a little fireplace in the snow and enjoying good drinks and good conversation. At that moment, I realised I was getting very close to burn-out. I was pretty confident I wasn’t actually burned out yet, but I also became aware I could see that point in the not too distant future if I didn’t make some important changes in my life. (I’d love to talk more about that in the future as there are some pretty significant lessons in there, but for now, I just want to set the context as to the timing and talk about what happens next.) All of this was going on at the same time as me travelling the world, speaking at events, running workshops and doing a gazillion other things just to keep life ticking along.

To be completely honest, it's been an enormously stressful year dealing with it all. The extra attention HIBP started getting in Jan never returned to 2018 levels, it just kept growing and growing. I made various changes to adjust to the workload, perhaps one of the most publicly obvious being a massive decline in engagement over social media, especially Twitter:


Up until (and including) December last year in that graph, I was tweeting an average of 1,141 times per month (for some reason, Twitter's export feature didn't include May and June 2017 and only half of July so I've dropped those months from the graph). From Feb to May this year, that number has dropped to 315 so I've backed off social to the tune of 72% since January. That may seem like a frivolous fact to focus on, but it's a quantifiable number that's directly attributable to the impact the growth of HIBP was having on my life. Same again if you look at my blog post cadence; I've religiously maintained my weekly update videos but have had to cut way back on all the other technical posts I've otherwise so loved writing over the last decade.

After I got home from that trip, I started having some casual conversations with a couple of organisations I thought might be interested in acquiring HIBP. These were chats with people I already knew in places I respected so it was a low-friction “put out the feelers” sort of situation. It’s not the first time I’d had discussions like this – I’d done this several times before in response to organisations reaching out and asking what my appetite for acquisition was like – but it was the first time since the overhead of managing the service had gone off the charts. There was genuine enthusiasm which is great, but I quickly realised that when it comes to discussions of this nature, I was in well over my head. Sure, I can handle billions of breached records and single-handedly run a massive online data breach service that’s been used by hundreds of millions of people, but this was a whole different ballgame. It was time to get help.

Project Svalbard

Back in April during a regular catchup with the folks at KPMG about some otherwise mundane financial stuff (I've met with advisers regularly as my own financial state became more complex), they suggested I have a chat with their Mergers and Acquisition (M&A) practice about finding a new home for HIBP. I was comfy doing that; we have a long relationship and they understand not just HIBP, but the broader spectrum of the cyber things I do day to day. It wasn't a hard decision to make - I needed help and they had the right experience and the right expertise.

In meeting with the M&A folks, it quickly became apparent how much support I really needed. The most significant thing that comes to mind is that I'd never really taken the time just to step back and look at what HIBP actually does. That might sound odd, but as it's grown organically over the years and I've built it out in response to a combination of what I think it should do and where the demand is, I've not taken the time to step back and look at the whole thing holistically. Nor have I taken enough time to look at what it could do; I'm going to talk more about that later in this post, but there's so much potential to do so much more and I really needed the support of people that specialise in finding the value in a business to help me see that.

One of the first tasks was to come up with a project name for the acquisition because apparently, that's what you do with these things. There were many horribly kitschy options and many others that leaned on overused infosec buzzwords, and then I had a thought: what's that massive repository of seeds up in the Arctic Circle? I'd seen references to it before and the idea of a huge vault stockpiling something valuable for the betterment of humanity started to really resonate. Turns out the place is called Svalbard and it looks like this:


Also turns out the place is part of Norway and all these things combined started to make it sound like a befitting name, beginning with the obvious analogy of storing a massive quantity of "units". There's a neat video from a few years ago which talks about the capacity being about a billion seeds; not quite as many records as are in HIBP, but you get the idea. Then there's the name: it's a bit weird and hard to pronounce for those not familiar with it (although this video helps), kinda like... pwned. And finally, Norway has a lot of significance for me being the first international talk I did almost 5 years ago to the day. I spoke in front of an overflowing room and as the audience exited, every single one of them dropped a green rating card into the box.

That was an absolute turning point in my career. It was also in Norway this January that HIBP went nuts as you saw in the earlier graph. It was there in that little log cabin in the snow that I realised it was time for HIBP to grow up. And by pure coincidence, I'm posting this today from Norway, back again for my 6th year in a row of NDC Oslo. So as you can see, Svalbard feels like a fitting name 🙂

My Commitments for the Future of HIBP

So what does it mean if HIBP is acquired by another company? In all honesty, I don't know precisely what that will look like so let me just candidly share my thoughts on it as they stand today; there are a few really important points I want to emphasise:

  1. Freely available consumer searches should remain freely available. The service became this successful because I made sure there were no barriers in the way for people searching their data and I absolutely, positively want that to remain the status quo. That's number 1 on the list here for a reason.
  2. I'll remain a part of HIBP. I fully intend to be part of the acquisition, that is some company gets me along with the project. HIBP's brand is intrinsically tied to mine and at present, it needs me to go along with it.
  3. I want to build out much, much more, capability-wise. There's a heap of things I want to do with HIBP which I simply couldn't do on my own. This is a project with enormous potential beyond what it's already achieved and I want to be the guy driving that forward.
  4. I want to reach a much larger audience than I do at present. The numbers are massive as they are, but it's still only a tiny slice of the online community that's learning of their exposure in data breaches.
  5. There's much more that can be done to change consumer behaviour. Credential stuffing, for example, is a massive problem right now and it only exists due to password reuse. I want HIBP to play a much bigger role in changing the behaviour of how people manage their online accounts.
  6. Organisations can benefit much more from HIBP. Following on from the previous point, the services people are using can do a much better job of protecting their customers from this form of attack and data from HIBP can (and for some organisations, already does) play a significant role in that.
  7. There should be more disclosure - and more data. I mentioned earlier how responsible disclosure was massively burdensome and Svalbard gives me the chance to fix that. There's a whole heap of organisations out there that don't know they've been breached simply because I haven't had the bandwidth to deal with it all.

In considering which organisations are best positioned to help me achieve this, there's a solid selection that are at the front of my mind. There's also a bunch that I have enormous respect for but are less well-equipped to help me achieve this. As the process plays out, I'll be working with KPMG to more clearly identify which organisations fit into the first category. As I'm sure you can imagine, there are some very serious discussions to be had: where HIBP would fit into the organisation, how they'd help me achieve those bullet-pointed objectives above and frankly, whether it's the right place for such a valuable service to go. There are also some major personal considerations for me including who I'd feel comfortable working with, the impact on travel and family and, of course, the financial side of the whole thing. I'll be honest - it's equal parts daunting and exciting.

Last week I began contacting each stakeholder that would have an interest in the outcome of Project Svalbard before making it public in this blog post. I explained the drivers behind it and the intention for this exercise to make HIBP not just more sustainable, but also for it to make a much bigger impact on the data breach landscape. This has already led to some really productive discussions with organisations that could help HIBP make a much more positive impact on the industry. There's been a lot of enthusiasm and support for this process which is reassuring.

One question I expect I'll get is "why don't I turn it into a more formal, commercially-centric structure and just hire people?" I've certainly had that opportunity for some time either by funding it myself or via the various VCs that have come knocking over the years. The main reason I decided not to go down that path is that it massively increases my responsibilities at a time where I really need to reduce the burden on me. As of today, I can't just switch off for a week and frankly, if I tried even for a day I'd be worried about missing something important. In time, building up a company myself might allow me to do that but only after investing a substantial amount of time (and money) which is just not something I want to do at this point.

Summary

I'm enormously excited about the potential of Project Svalbard. In those early discussions with other organisations, I'm already starting to see a pattern emerge around better managing the entire data breach ecosystem. Imagine a future where I'm able to source and process much more data, proactively reach out to impacted organisations, guide them through the process of handling the incident, ensure impacted individuals like you and me better understand our exposure (and what to do about it) and ultimately, reduce the impact of data breaches on organisations and consumers alike. And it goes much further than that too because there's a lot more that can be done post-breach, especially to tackle attacks such as the huge rate of credential stuffing we're seeing these days. I'm really happy with what HIBP has been able to do to date, but I've only scratched the surface of potential with it so far.

I've made this decision at a time where I have complete control of the process. I'm not under any duress (not beyond the high workload, that is) and I've got time to let the acquisition search play out organically and allow it to find the best possible match for the project. And as I've always done with HIBP, I'm proceeding with complete transparency by detailing that process here. I'm really conscious of the trust that people have put in me with this service and every single day I'm reminded of the responsibility that brings with it.

HIBP may only be less than 6 years old, but it’s the culmination of a life’s work. I still have these vivid memories stretching back to the mid-90s when I first started building software for the web and had a dream of creating something big; “Isn’t it amazing that I can sit here at home and write code that could have a real impact on the world one day”. I had a few false starts along the way and it took a combination of data breaches, cloud and an independent career that allowed me the opportunity to make HIBP what it is today, but it's finally what I'd always hoped I'd be able to do. Project Svalbard is the realisation of that dream and I'm enormously excited about the opportunities that will come as a result.

Have Fun in the Sun this Summer with the Summer Safety #RT2Win Sweepstakes!

The school year has come to an end, and with it comes the start of summer! For many, this time of year brings excitement and anticipation to jet-set off to their favorite destinations and spend some quality time with family. But while many are soaking up the sun or sharing fun photos online, cybercriminals are also trying to target those not taking the proper precautions to protect their data.

In fact, according to recent research by McAfee, only 40% of people are concerned about their personal photos being hacked, and people are 3x more concerned about their Social Security number being hacked than their photos. Whether booking travel deals or sharing photos on social media, device security should be top of mind to keep information secure this summer.

Whether you’re lying by the pool or dipping your toes in the sand, we want to help you leave your cybersecurity woes behind with our Summer Safety #RT2Win sweepstakes! Two [2] lucky winners of the sweepstakes drawing will receive a $500 Amazon gift card. The best part? Entering is a breeze! Follow the instructions below to enter and good luck!

#RT2Win Sweepstakes Official Rules

  • To enter, follow @McAfee_Home on Twitter and find the #RT2Win sweepstakes tweet.
  • The sweepstakes tweet will be released on Monday, June 10, 2019, at 12:00pm PST. This tweet will include the hashtags: #ProtectWhatMatters, #RT2Win AND #Sweepstakes.
  • Retweet the sweepstakes tweet released on the above date, from your own handle. The #ProtectWhatMatters, #RT2Win AND #Sweepstakes hashtags must be included in order to be entered.
  • Make sure you’re following @McAfee_Home on Twitter! You must follow for your entry to count.
  • Sweepstakes will end on Sunday, June 23, 2019 at 11:59pm PST. All entries must be made before that date and time.
  • Winners will be notified on Tuesday, June 25, 2019 via Twitter direct message.
  • Limit one entry per person.

1. How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#ProtectWhatMatters, #RT2Win, AND #Sweepstakes” for a chance to win a $500 Amazon gift card (for full prize details please see “Prizes” section below). Two [2] total winners will be selected and announced on June 25, 2019. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.

#RT2Win Sweepstakes Terms and Conditions

2. How to Enter: 

No purchase necessary. A purchase will not increase your chances of winning. McAfee Summer Safety #RT2Win Sweepstakes will be conducted from June 10, 2019 through June 23, 2019. All entries for each day of the McAfee Summer Safety #RT2Win Sweepstakes must be received during the time allotted for the McAfee Summer Safety #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee Summer Safety #RT2Win Sweepstakes; the duration is as follows:

  • Begins: Monday, June 10, 2019 at 12:00pm PST
  • Ends: Sunday, June 23, 2019 at 11:59pm PST
  • Two [2] winners will be announced: Tuesday, June 25, 2019

For the McAfee Summer Safety #RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the McAfee Summer Safety #RT2Win Sweepstakes:

  1. Follow @McAfee_Home on Twitter.
  2. Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #ProtectWhatMatters, #RT2Win and #Sweepstakes.
  3. Retweet the sweepstakes tweet of the day and make sure it includes the #ProtectWhatMatters, #RT2Win, and #Sweepstakes hashtags.
  4. Note: Tweets that do not contain the #ProtectWhatMatters, #RT2Win, and #Sweepstakes hashtags will not be considered for entry.
  5. Limit one entry per person.

Two [2] winners will be chosen for the McAfee Summer Safety #RT2Win Sweepstakes tweet from the viable pool of entries that retweeted and included #ProtectWhatMatters, #RT2Win and #Sweepstakes. McAfee and the McAfee social team will choose winners from all the viable entries. The winners will be announced and privately messaged on Tuesday, June 25, 2019 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes.

3. Eligibility: 

McAfee Summer Safety #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the date the McAfee Summer Safety #RT2Win Sweepstakes begins and live in a jurisdiction where this prize and the McAfee Summer Safety #RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

4. Winner Selection:

Winners will be selected at random from all eligible retweets received during the McAfee Summer Safety #RT2Win Sweepstakes drawing entry period. Sponsor will select the names of two [2] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official McAfee Summer Safety #RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

5. Winner Notification: 

Each winner will be notified via direct message (“DM”) on Twitter.com by June 25, 2019. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or prize may be forfeited, and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within twenty four (24) hours from the first DM notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

6. Prizes: 

The prize for the McAfee Summer Safety #RT2Win Sweepstakes is a $500 Amazon gift card for each of the two [2] entrants/winners. Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Summer Safety #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Summer Safety #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

Limit one (1) prize per person/household. Prizes are non-transferable, and no cash equivalent or substitution of prize is offered. The McAfee Summer Safety #RT2Win Sweepstakes has no affiliation with Amazon.

7. General Conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the McAfee Summer Safety #RT2Win Sweepstakes, or by any technical or human error, which may occur in the processing of the McAfee Summer Safety #RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the McAfee Summer Safety #RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any McAfee Summer Safety #RT2Win Sweepstakes-related activity, or participation in the McAfee Summer Safety #RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

8. Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  1. To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.
  2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

9. Prize Forfeiture:

If winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with the McAfee Summer Safety #RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from remaining eligible entry forms for each McAfee Summer Safety #RT2Win Sweepstakes.

10. Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Summer Safety #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Summer Safety #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

11. Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with this sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of the State of New York, U.S.A.

12. Privacy Policy: 

Personal information obtained in connection with this McAfee Summer Safety #RT2Win Sweepstakes will be handled in accordance with the policy set forth at http://www.mcafee.com/us/about/privacy.html.

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after June 10, 2019 and before June 23, 2019 to the address listed below, Attn: #RT2Win at Summer Safety Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Sarah Grayson. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2019 by McAfee, LLC. All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA
  4. Administrator: LEWIS Pulse, 111 Sutter St., Suite 850, San Francisco, CA 94104

The post Have Fun in the Sun this Summer with the Summer Safety #RT2Win Sweepstakes! appeared first on McAfee Blogs.

What the AMCA Data Breach Teaches Us About Modern Supply Chain Security

The State of Software Security Volume 9 (SOSS Vol. 9) found that the healthcare industry, with its stringent regulations, received relatively high marks in many of the standard AppSec metrics. According to Veracode scan data, healthcare organizations ranked highest of all industries on OWASP pass rate on latest scan, coming in with a rate just over 55 percent. Our flaw persistence analysis shows that the industry is statistically closing found vulnerabilities far faster than any other sector.

However, the recent American Medical Collection Agency data breach has brought attention to the fact that breaches involving subcontractors and business associates, particularly in the healthcare industry, are on the rise. As both Quest Diagnostics and Laboratory Corporation of America Holdings (LabCorp) have filed 8-Ks with the Securities and Exchange Commission (SEC), as many as 11.9 million people may have had their personal and payment information stolen by an unauthorized user.

Earlier this year, Moody’s Investors Service ranked hospitals as one of the sectors most vulnerable to cyberattacks. In a press release, Moody's Managing Director Derek Vadala said, “We view cyber risk as event risk that can have material impact on sectors and individual issuers. Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers' financial profiles and business prospects.”

Ensuring the security of patient data

Healthcare organizations appear to be doing their part to ensure the safety of their patient and customer data. Recently, the Wall Street Journal’s Melanie Evans and Peter Loftus published a story about how hospitals are asking device makers to let them under the hood of their software to look for flaws and vulnerabilities – and opting out of doing business if they’re not granted access. The article cites how, in 2017, NewYork-Presbyterian dropped plans to buy infusion pumps manufactured by Smiths Group PLC after the Department of Homeland Security issued a warning that hackers could take control of pumps (a fix has since been released).

That same year, many hospitals were forced to cancel appointments and surgeries when their operations were stunted by WannaCry and NotPetya cyberattacks – so it’s no wonder hospitals began enlisting the help of cybersecurity pros, including penetration testers.

Evans and Loftus spoke with corporate counsel at Boston Scientific who noted that negotiations with hospitals are more complicated and drawn out than ever before as a result of cybersecurity demands.

Where is the gap in the modern healthcare supply chain?

Given the sensitivity of the data involved, it’s reasonable for hospitals and healthcare IT companies to be more inquisitive. But it’s not just the healthcare-related technologies that they need to look into.

SOSS Vol. 9 shows that the financial industry, while boasting the largest population of applications under test and with a reputation of maintaining some of the most mature AppSec programs, is struggling to meet AppSec standards. The industry ranks second to last in major verticals examined for OWASP pass rate on latest scan, and based on flaw persistence analysis, it’s leaving flaws to linger longer than other industries do.

In order for hospitals and healthcare organizations to ensure the security of those they care for, they need to be able to trust that the third-party vendors and service providers that they enlist to take payments and process claims are taking the appropriate precautions when it comes to software security.

Awareness begets progress

In 2017, Veracode conducted research with YouGov to better understand how well business leaders understood the cybersecurity risks they are introducing to their company as a result of digital transformation and participation in the global economy. What we found was that awareness was low – even following the Equifax breach that occurred that year. The research showed that only 28 percent of respondents had heard of the attack.

Since then, we’ve seen a number of CEOs and other executives paying the price after a breach. Veracode CTO, EMEA, Paul Farrington, said it best:

“Ultimately, this is merely an extension of expectations on the C-Suite when responding to serious events. If CEOs violate environmental, health, or safety standards, they can be fined, and even jailed in many countries. Perfect security is not possible, but with data about our entire lives now being stored and processed by businesses, it is essential that employees and customers alike are afforded a certain standard of cybersecurity. When such standards aren’t met, there ought to be accountability at a senior level.”

As healthcare organizations and hospitals are doing an increased level of due diligence before making a purchase or partnering with third parties, we can expect that other industries are likely to follow suit. Executives will begin to add security to their list of priorities, because it will be demanded by the board in an effort to protect their brand and bottom line.

Give your customers confidence that your software is secure

Given that perfect security isn’t possible, organizations should consider reviewing their software development processes to ensure that security is embedded in each stage. One of the reasons that we created Veracode Verified, which helps your organization prove at a glance that you’ve made security a priority, is to help organizations stay ahead of customer and prospect security concerns and speed up sales cycles – without straining limited security resources. The program provides you with a proven roadmap for maturing your application security program, as well as an attestation letter you can share with customers and prospects.

Curious to learn more about how your organization may benefit from Veracode Verified? Have a look at this infographic to get the details.

Don’t Hesitate When Transforming Your Business

Transformation is a popular buzzword in the tech industry. The market is full of companies promising to be the change your business needs to help it transform into the best player in its category. Many companies that have been around for a decade or more believe they’ve already transformed their business numerous times to keep up with the latest technology trends, while newer companies tend to practice business transformation daily to stay competitive. But is business transformation really needed? The answer is yes! However, transformation is an evolutionary process and won’t happen overnight. Organizations need to think about the future and embrace the fact that they need to constantly change and move forward.

Transformation is Continuous

A disruptive and groundbreaking company will continually transform alongside its customers, adopting new applications and policies around the cloud, BYOD and more. As these items evolve, companies are confronted with the challenges and risks of change, including securing new endpoints on devices or in the cloud.

As companies evolve and transform to keep up with the latest IT trends, overlooking the security of company data is a common misstep. A recent study by leading IT analyst firm Frost & Sullivan revealed that 83% of APAC organizations don’t think about cybersecurity while embarking on digital transformation projects. Although 72% of the organizations conduct regular breach assessments to protect themselves against cyberattacks, 55% of them were still at risk.

A Plan of Action

Companies are predicted to spend $1.7 trillion on digital transformation by the end of 2019, a 42% increase from 2017, according to IDC. With IT budgets at nearly their highest point, it’s time to rethink your transformation strategy and make security a priority.

The cloud is transforming the enterprise, and as a market leader, McAfee is transforming the way businesses secure data in the cloud. We transform the nature of security itself with SaaS (security-as-a-service) consumption models. By partnering with us, organizations can transform confidently, leveraging security solutions purpose-built with transformation in mind, including those that secure every segment of the cloud and heterogeneous device environments. McAfee cloud security solutions extend your security from device to cloud with data visibility, data loss prevention, and advanced threat protection on a platform that supports an open ecosystem. Our goal is to make the most secure environment for your business from device to cloud.

As you start your transformation journey, consider the following questions:

  • How is your organization aligned? What are your organization’s goals?
  • What are the biggest/most important strategic initiatives your company has over the next two to four years?
  • What are your current major IT initiatives? Security initiatives? Cloud initiatives?

Looking to transform your business with McAfee? We’re here to help. Use the resources below for more information.

The post Don’t Hesitate When Transforming Your Business appeared first on McAfee Blogs.

Podcast Two Year Anniversary – The Top 10 Episodes

Two years ago, on June 9th, 2017, I released the first episode of Security In Five. Here we are two years later, 500+ episodes recorded and no signs of slowing down. The podcast’s longevity and the energy to keep up the daily episode schedule is all because of the listeners and feedback I have received. […]

The post Podcast Two Year Anniversary – The Top 10 Episodes appeared first on Security In Five.