Thousands of wide-eyed spectators around the world were getting ready to watch the Olympics, one of the largest events in the world. Suddenly the main website for the Olympic games goes down. The website was not only informational, but it was also the online ticketing system so in-person spectators couldn’t retrieve tickets. Next, the wi-fi at the games went offline leaving many individuals without connectivity to the outside world. This happened at the 2018 PyeongChang Winter Olympics in South Korea after a successful phishing attack and malware dubbed “Olympic Destroyer” spread through the compromised network. Connectivity was restored within a few hours at the 2018 games. Unfortunately, cyber-attacks are common occurrence at large events. This is why one must SECURE the Games by implementing solid cybersecurity measures.
Olympic Interview
Jon Sternstein, the Founder and CEO of Stern Security was interviewed by Spectrum News before the 2024 Olympic games in Paris to discuss protecting large events. In the interview, Sternstein discussed previous attacks at Olympic games. He discussed how event organizers have their work cut out for them at the games. Finally, he concluded with a mnemonic, SECURE, he uses to educate event attendees for staying protected.
S – Sources: Use only known good sources of information.
E – Enable updates: Keep devices up to date with the latest patches.
C – Caution with links: Be careful about clicking on links.
U – Use official apps: Only use official apps for event information.
R – Restrict network access: Be careful when joining unknown networks.
E – Enable MFA: Enable multi-factor authentication.
To make the best business case for increasing cybersecurity at major events, one must quantify the risk. Disruptions to ticketing systems have a direct financial impact that can be calculated. This is the same with customers asking for refunds because of the inability to retrieve tickets or attend events. Customers losing confidence in the ability for organizers to have a smooth event, may impact future ticket sales as well. A cyber attack that limits the ability for spectators to enter a venue (disrupting ticketing systems, misdirecting individuals, etc…) affects concession sales, merchandise sales, and sponsors at the event. Sponsors may even be less willing to sponsor future events if they lose confidence in the ability for event organizers to pull off a secure event. Cybersecurity teams can use the financial loss data from quantifying cyber risks to receive the. necessary budget and optimize cyber costs at the event.
The CIA Triad and Large Event Security
The core pillars of cybersecurity are Confidentiality, Integrity, and Availability. Large games such as the Super Bowl and the Olympics need to cover all three pillars to have a smooth event.
Confidentiality: It is essential to protect attendee data, athlete/celebrity/VIP data, media/programming content, and secure communications.
Integrity: Ensuring that directions, results, ticketing, broadcasts and aren’t tampered with.
Availability: Keeping official communications, apps, ticketing, payment systems, and broadcasts online.
SECURE Mnemonic for Attendees
Stern Security created the mnemonic, SECURE, to help event attendees have an easy way to remember protective measures.
S – Sources: Event attendees should only use known good sources of information. Use the official webpage for an event to receive the schedule, ticketing information, seating, and transportation information.
E – Enable updates: Keep devices, including phones and laptops, up to date with the latest patches. Attendees and spectators may be targeting by malware and it is essential to keep electronic devices up to date.
C – Caution with links: Always be careful about clicking on links. Criminals will often send spam, phishing emails, or malicious advertisements that target event attendees. Only click on links that are trusted and necessary.
U – Use official apps: When attending an event, only download and use the official app, no matter how tempting other events look..
R – Restrict network access: In-person attendees should be careful when joining unknown networks. There may be many “free wi-fi” networks that may be malicious. Utilize your cellular connection instead of joining wi-fi networks if possible. If a wi-fi network is needed, only connect to the official guest network that is listed on the official event details.
E – Enable MFA: Enabling multi-factor authentication is an absolute necessary security measure to protect your account. Don’t let criminals get into your account and take your expensive tickets.
Quantifying Cyber Risk and ROI with Velocity
Cybersecurity is often viewed as an expense rather than an investment until an incident occurs. Stern Security’s Velocity platform helps organizations move beyond vague cyber plans and ineffective gap assessments by delivering quantifiable metrics, optimizing cyber costs, calculating cyber ROI, and prioritizing protective measures. Use Velocity’s data-driven intelligence to increase security.
Conclusion
As more criminals direct their attention towards large gatherings such as the Olympics and the Super Bowl, cybersecurity professionals must be proactive in their defense efforts. In order to get the needed resources to protect an event, cyber defense teams must quantify risk and show the likelihood and impact of a cyber threat. The SECURE mnemonic can be used by attendees to have an easy way to remember how to protect themselves while attending events. When performed effectively, cybersecurity defense measures will help large-scale events operate without incident.
On November 8th, 2024, the Raleigh ISSA Chapter hosted the Triangle InfoSeCon event, the largest cybersecurity event in North Carolina. Stern Security‘s Founder & CEO, Jon Sternstein gave a presentation titled “Effective Cyber Risk Quantification”.
Cyber risk quantification (CRQ) is often described as the process assessing the likelihood and impact of cybersecurity risks and scoring vulnerabilities or tying risks to financials. In the presentation, Jon Sternstein made the case that CRQ really comes down to translating cyber risk into business terms. Furthermore, the most effective means of quantifying risk can vary drastically between industries, companies, and individual recipients of the message. There are many methods of cyber risk quantification with varying levels of difficulty including, but not limited to, using breach reports to understand likelihood and financial impact, reviewing data breach and data mis-use fines from regulatory bodies, and the FAIR methodology.
The presentation detailed three true cyber risk quantification stories that Jon Sternstein experienced in his career. The first story was about implementing security initiatives in a healthcare organization. While the initial strategy had great reasons for deploying the various initiatives, they gained the most traction when the risks were tied to financial terms that the executives connected with. The breach numbers from the Ponemon report were used as a basis for the cyber risk quantification.
The second story involved a manufacturing company where the executives were not as concerned with the cost of records lost, but they were very concerned with the amount of downtime that the manufacturing plant could have experienced with a cyber incident.
The Stern Security presentation discussed how cyber risk quantification often tends to be focused on the “confidentiality” of data as a basis. However, there are three pillars of cybersecurity: Confidentiality, Integrity, and Availability. Cyber Risk Quantification should focus on all three pillars and certain pillars may be more important for certain industries or companies.
The final story involved quantifying the risk of a romance scam where the victim lost thousands of dollars. Simply stating that it was a scam had minimal impact on the victim during the incident, but discussing the dollars lost over time and the personal information exposed had the most impact.
Cyber Risk Quantification (CRQ) is essential for getting cybersecurity initiatives deployed and for adding the most value to an organization. As The Stern Security presentation stated, Cyber Risk Quantification is really the process of translating cyber risk into language that the business understands. Cybersecurity leaders should understand the priorities of the individuals who they are presenting to in order to quantify cyber risk accordingly and get strategies and budgets approved.
In 2023, Progress Software’s MOVEit file transfer application was the source of a dangerous zero-day vulnerability. Criminals that exploited this vulnerability were able to gain full access to the files on MOVEit servers. The research from Stern Security’s 2024 healthcare breach report showed that this MOVEit breach was the cause of 25.9% of the protected health information (PHI) lost last year. Quantifying the MOVEit 0-day’s impact on healthcare is essential to understanding the full extent of this vulnerability.
MOVEit Incident
Progress Software announced the critical vulnerability in their MOVEit software on May 31, 2023. Unfortunately, there was evidence that this vulnerability was already exploited by at least May 27, 2023. Eventually the Cl0p ransomware group claimed responsibility for this incident. The first healthcare breach due to the MOVEit 0-day was announced on June 11, 2023, and the last was on December 8, 2023. According to the 2024 Ponemon Data Breach report, the average number of days to discover a data breach was 258 days which makes it easier to understand why healthcare MOVEit breaches were still being reported so late in the year (192 days later).
Quantifying the Impact
By the end of the 2023, there were 42 healthcare breaches attributed to the MOVEit vulnerability. Thirty-one (31) of these breaches were from third-parties (business associates of the healthcare organization) and eleven (11) occurred at covered entity locations (healthcare organizations). These 42 breaches resulted in the exposure of 41,380,105 protected health information (PHI) records. While there were 708 total reported healthcare breaches last year, the 42 MOVEit breaches accounted for 25.9% of the PHI exposed!
Third-parties have a significant impact on breach costs. According to the 2024 Ponemon Breach Report, a third-party breach increases the breach cost by an average of $240,599. In 2023, most (73.8%) of the healthcare MOVEit breaches lost were from a third-party!
To quantify this impact, we will multiply the average breach cost in healthcare ($9,770,000) and 42 breaches attributed to this incident to get $410,430,000.
42 breaches x 9,770,000 = $410,340,000
The results show us that the MOVEit breach cost an estimated $410 million in losses! To put this number in prospective, this is roughly the amount that FEMA (Federal Emergency Management Agency) allocated to Puerto Rico’s recovery efforts from Hurricane Maria ($412 million). While this was a digital disaster as opposed to a natural disaster, the dollars figures were comparable.
Solutions to Reduce Risk
There are numerous protective measures that organizations can do to reduce the risk of another “MOVEit” incident.
Risk Analysis – Every organization should perform a thorough risk analysis to understand the organization’s susceptibility to the latest threats.
Patching – Immediately patch critical vulnerabilities, especially if the assets are exposed or contain sensitive information. In the case of MOVEit systems, these file transfer servers are generally exposed to the internet so immediately patching a critical flaw is essential.
Minimize Data – Organizations should only store the data necessary to complete their tasks. Once the data is no longer needed, secure store or dispose of the data. On file transfer servers such as MOVEit, organizations should immediately remove the transferred data after the use. The MOVEit servers should not be treated similar to file storage systems that permanently store data.
Penetration Testing – Controls should be tested for effectiveness in comprehensive penetration testing engagements.
Vulnerability Scanning – Vulnerability scanners should discover unpatched systems. Externally exposed systems such as file transfer servers should be scanned more frequently.
Limit Access – If a server does not need to be accessible to the entire internet, then limit access to the necessary sources and destinations. Firewall rules can greatly reduce the threat exposure of a system.
Third-Party Risk Management (TPRM)– Most of the MOVEit breaches involved third parties. It is critical to perform accurate third-party risk management especially if your third-parties have access to sensitive data such as Protected Health Information (PHI).
Conclusion
The MOVEit 0-day vulnerability was one of the most impactful vulnerabilities of all time. It cost the healthcare industry an estimated $410 million and exposed 41,380,105 protected health information (PHI) records. The financial impact is similar to the amount that FEMA allocated to Puerto Rico’s recovery efforts from Hurricane Maria. Performing cyber risk quantification on incidents provides the opportunity to show business impact in financial terms which is of the upmost importance to leadership. Utilizing quantifiable data can help organizations obtain the resources needed to protect their organizations.
Bibliography
Cost of a Data Breach Report 2024. (2024). Retrieved from IBM.com: https://www.ibm.com/reports/data-breach
FEMA Awards More than $412 Million in Additional Federal Grants for Puerto Rico. (2018, September 12). Retrieved from FEMA.gov: https://www.fema.gov/press-release/20230502/fema-awards-more-412-million-additional-federal-grants-puerto-rico
In its third annual healthcare data breach report, Stern Security has critically analyzed over 5,900 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive 2024 Velocity Healthcare Data Breach Report. Stern Security augmented the HHS data by investigating every breach in 2023 to fully understand the cause of the incident.
This report shows critical insights into healthcare breach trends over the past 14 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third-parties (business associates). This year, Stern Security has added a new breach categorization – the number of breaches due to the MOVEit file transfer software vulnerability. Review the report to see the significant impact that the MOVEit 0-day had on the healthcare industry. Once again, multiple breach milestones were set with more healthcare breaches occurring and more records exposed in 2023 than any previous year. This report puts forth the detailed analysis.
We sincerely thank our sponsors, Trend Micro and the Raleigh ISSA Chapter, whose contributions enable the ongoing pursuit of this important research and the free sharing of our findings.
Report
The full 2024 Velocity Healthcare Data Breach Report can be downloaded below.
If you enjoy the report below and would like to be informed of future reports and research, please fill out the mailing list info below. Don’t worry – we don’t send many emails.
System and Organization Control (SOC) reports have quickly become a standard request for SaaS application providers in order for customers to perform a security due diligence review. So, are all SOC reports the same? No! Should you read the SOC report? Absolutely! How should you properly review a SOC report? Read on 🙂
Background
SOC audits are only performed by a Certified Public Accountant (CPA) firm in accordance with the American Institute of Certified Public Accountants (AICPA) guidelines. The point of the examination is to measure the effectiveness of an organization’s controls and safeguards by an independent third party.
SOC Report Types
There are several types of SOC Reports as seen in the table below. The most often requested is the SOC 2 Type II as it covers a range of trust criteria and is an examination of controls over a period of time.
Type
Time Period
Details
SOC 1 Type I
Point in Time examination
Examines internal controls for financial reporting.
SOC 1 Type II
Examination over a period of time
Examines internal controls for financial reporting.
SOC 2 Type I
Point in Time examination
Examines internal controls for compliance. Covers some or all of the following trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 2 Type II
Examination over a period of time
Examines internal controls for compliance. Covers some or all of the following trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 3
Public facing report that is much less detailed and is used for marketing or public distribution. Less detailed version of a SOC 2 Type II.
Reviewing the SOC 2 Report
While all SOC reports generally have the same format, they vary in thoroughness depending on the auditing firm. Additionally, these examinations are not pass/fail and should be reviewed to fully understand the controls in place within an organization. The examinations cover controls that are in place for the trust criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) that the customer chooses to be examined on. The auditor chooses a list of controls within audit categories to include for the examination. SOC reports can be over 100 pages long and the following are some areas that a reviewer should focus on.
Company and Scope
It may sound obvious, but a reviewer must ensure that the SOC 2 Type II report is for the solution’s company and solution. There are many times where Software as a Service (SaaS) companies give customers a SOC report for a cloud hosting provider (ex. AWS or Azure) because that’s where the solution is hosted. Unfortunately, the hosting provider SOC reports do not cover these SaaS solutions. Instead, the SaaS solutions should have their own SOC reports.
SOC Report Type
As explained above, there are different types of SOC reports. The SOC 2 Type II is the strongest and is frequently requested.
Trust Criteria
Companies select which trust criteria they want the examination to cover. The options are the following: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most examinations include at least the Security trust criteria. It is important that the reviewer knows which trust criteria is included and if the auditor states that the trust criteria is met.
Audit Period
SOC 2 Type II reports are examinations of controls over a specific audit period. A reviewer should ensure that the audit period is recent.
Complementary User Entity Controls (CUECs)
SOC reports have a section titled “Complementary User Entity Controls” or CUECs. These are controls that the company states that the customer is responsible for. It is incredibly important that the customer understands what responsibilities the solution provider is putting back on them.
Audit Exceptions & Managers Response
While the audit is not pass/fail, the auditor does state whether certain controls were not present. These are usually listed as “exceptions” in a large table of controls that were reviewed during the examination. If there are any exceptions, the company can provide their explanation in a “Manager’s Response” section at the end of the report. For example, if an audit discovers that an employee’s access was not terminated immediately after dismissal, the company can respond by saying they now have procedures in place to immediately disable access upon any termination.
Audit Detail
Every audit firm is different, and some may perform more comprehensive audits than others. While it can be tough to determine the strength of an audit, a reviewer should read the entire report to understand the level of scrutiny that was performed. For example, a reviewer could see if the auditor reviewed penetration testing reports and see any details that the auditor provided around that control. A company can obtain a SOC report without having great security in place. The auditors should have the expert knowledge to conduct the examination per the specified trust criteria, but unfortunately this is not always the case.
How Can I Automate the Review of a SOC Report?
We get it, you’re busy and often do not have time to thoroughly review a SOC report. While Security professionals are often the individuals responsible for reviewing these reports, this process is not what they were trained for, nor should they have to prioritize these reviews over more pressing cybersecurity tasks. Thankfully there is a solution for this. Stern Security’s Velocity product has automated this entire SOC 2 report review process. Instead of spending an hour reviewing the 100+ page report, Velocity analyzes it for you, outputs a summary, and highlights any areas of concern. This is why Velocity is often called “A CISOs Best Friend”. Velocity helps security professionals utilize their time much more efficiently. Sign up for Velocity and start automating these SOC report reviews today.
Conclusion
All SOC reports are different, and each should be thoroughly reviewed to understand coverage, compliance, and areas of concern. Companies can obtain a SOC report without having great security in place. Velocity can automate the SOC report review process in order to make teams more efficient and effective.