The week in security: Healthcare breach prompts govt security response

Tax giant H&R Block took a big step with the implementation of a new staff-onboarding system that uses a secure identity framework to confirm identity, while US shipping company United Parcel Service (UPS) was trying to confirm some other identities after its UPS Store subsidiary was hit with a security breach that saw malware loaded on systems in 51 stores.

Analysis of a 300Gbps DDoS attack earlier this year found that hackers managed to pull it off by exploiting an obscure motherboard-level flaw, while two US supermarket chains were hacked through less esoteric means. News reports suggested Foreign Minister Julie Bishop's mobile was hacked while she was liaising with overseas peers to discuss the shooting down of flight MH17, while Chinese hackers broke into the systems of major US hospital operator Community Health Systems and stole data on 4.5 million patients.

That compromise prompted the inevitable analyses suggesting that healthcare organisations are too lax on data security, while others said the breach was due to an attack on a Heartbleed flaw. Either way, the breach prompted US government agencies to commit to a faster response and better information sharing with healthcare organisations.

Indeed, data breaches accounted for the loss of data on 7 million credit and debit cards since 2011 in the UK alone. Mobile, social and cloud services may not be helping the situation, given new Gartner figures that suggest their adoption is driving a large boost in security spending; there are already signs that apps can be abused to make expensive phone calls without users' knowledge. Little wonder a team of researchers is undertaking the not insignificant task of building a security framework for the Android mobile operating system that uses a modular design to ensure new technologies can be delivered faster and more smoothly than ever.

Such attacks hold great promise for startup companies like GuardiCore – which is working to fight ambush attacks on software-defined networking and virtual machine networks – and SentinelOne, which is taking a new approach to behaviour-based malware detection.

For its part, smart-cities supplier Silver Spring Networks is working to bake in the security that was lacking in previous industrial systems. Yet with even workers at a US nuclear regulatory authority proving vulnerable to deception by phishers, and existing ransomware upgraded with an improved password stealer, infrastructure providers are far from being out of the wilderness.

One security organisation has answered this by appointing its own Chief Trust Officer, adding yet another new wrinkle in the time-honoured CxO lineup.

Feeling better? Not necessarily, since not everybody seems to be getting the trust message. After all, it's not only the malicious hackers who are stealing data: a US senator has been asking airlines about their data-privacy practices, expressing concern at the extent of data sharing with third parties.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Copyright © 2014 IDG Communications, Inc.
