Following a publicized breach at the US Postal Service, that organization is discontinuing virtual private network (VPN) connections into its network, according to reports. The Postal Service took the unusual step after acknowledging, earlier this week, that a breach of their network security exposed data on 800,000 employees and 2.9 million customers. According to a statement from a USPS spokesman to the online publication Dark Reading, the virtual private network (VPN) service for postal employees was taken down this weekend and will not be brought back up until a version with more “robust security features can be installed.” “As a result, telecommuting has been suspended until further notice,” he said. Remote access tools including VPNs and remote desktop applications like Citrix are a frequent source of compromises of corporate networks. Most recently, compromised employee systems are believed to be the source of an attack on JP Morgan’s network. VPN software that was vulnerable to the […]
Search Results for "healthcare"
Refrigerator Spam And Other Tall Tales: The Enterprise IoT Risk
On Thursday, I will chair an excellent discussion of security and the Internet of Things at the Qualys Security Conference (QSC) in Las Vegas. The discussion has the working title “Refrigerator Spam and Other Tall Tales: Assessing the Real Internet of Things Risk for Your Organization.“ As the title suggests, we’ll be disclaiming the FUD (fear, uncertainty and doubt) that surrounds much of the IoT and security space, while also highlighting the real risks that more and diverse connected devices pose to enterprises. I’ll be joined on stage by some truly exceptional minds. Among them: Danny McPherson, the Senior Vice President and Chief Security Officer at Verisign and Jonathan Trull, Chief Information Security Officer, Qualys. (Jon was our guest at the first Security Ledger/Invincea CISO hangout last week.). On stage with us will be Chris Rezendes, the President of INEX Advisors and one of our moderators at The Security of Things Forum. We’ll also be joined […]
FDA Issues Guidance on Security of Medical Devices
The U.S. Food and Drug Administration (FDA) issued final guidance on Wednesday that are designed to strengthen the safety of medical devices. The FDA called on medical device manufacturers to consider cyber security risks as part of the design and development of devices. The document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” asks device makers to submit documentation to the FDA about any “risks identified and controls in place to mitigate those risks” in medical devices. The guidance also recommends that manufacturers submit documentation of plans for patching and updating the operating systems and medical software that devices run. The document, which will be released on Thursday, does not contain specific requirements. Rather, it describes the kinds of things that medical device manufacturers should consider when preparing pre-market submissions for medical devices in areas such as information confidentiality, integrity, and availability, the FDA said. The release of the document follows the […]
FDA Seeks Collaboration on Medical Device Security
The U.S. Food and Drug Administration (FDA) on Tuesday put out a call for ideas and input on how best to secure medical devices and the healthcare system from cyber attack. In a federal notice, the FDA announced that it will hold an October workshop entitled “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.” It also solicited input from stakeholders within the government and from the public health sector on medical device and healthcare cyber security. The workshop is scheduled for October 21 and 22 and will run from 9:00 AM to 5:00PM at the National Intellectual Property Rights Coordination Center Auditorium in Arlington, Virginia. [Read more Security Ledger coverage of connected medical devices here.] The Department of Health and Human Services (HHS) is looking for ideas about how best to implement aspects of both Executive Order 13636 for“Improving Critical Infrastructure” and follow-on guidance like the National Institute of Standards and Technology’s (NIST’s) “Framework for Improving […]
Report: Community Health Hack Linked To Heartbleed OpenSSL Hole
The security firm TrustedSec said in a blog post on Tuesday that a recent hack of the healthcare network Community Health Services was the result of an attack on the so-called “Heartbleed” vulnerability in OpenSSL. According to TrustedSec, attackers targeted vulnerable VPN (virtual private network) software from Juniper networks in a breach that affected an estimated 4.5 million patients. TrustedSec cited a “trusted and anonymous source close to the CHS investigation” in its blog post. It said attackers were able to glean user credentials from memory on a CHS Juniper device by exploiting the Heartbleed vulnerability. Those credentials were used to login via the VPN to CHS’s network, then move laterally to the servers containing the patient data. [Read more Security Ledger coverage of the Heartbleed vulnerability here.] A separate report by Bloomberg attributed the attack to hackers in China, though it did not provide any evidence linking the attackers to a specific Chinese […]
