Facebook (Meta) Healthcare and Tax Payer Breaches

Over the past year, news outlets have been buzzing about Facebook, now called “Meta”, collecting vast amounts of data from healthcare organizations and tax return companies.  Some of these companies are announcing breaches as a result of this data collection.

Why are Companies Sending Sensitive Data to Facebook?

Let’s be clear – companies are not trying to send their sensitive information to Facebook.  Companies are NOT going to Facebook.com and uploading their customer information.  Instead, Facebook collects this information through web tracker software that it offers to companies for free to monitor website visitor behavior.  Companies invest a lot of resources in their websites to ensure their customers get the best value and can easily navigate their offerings.  To see how customers interact with their websites, companies install web trackers to monitor button clicks, visitor statistics, navigation errors, and more.  Most websites log user behavior using trackers that are generally hidden from the website visitor.  Two of the many website trackers are Facebook’s Meta Pixel and Google Analytics.  Companies use these trackers to record basic website visitor information, and oftentimes they do not realize that Facebook may be collecting sensitive information as well.

What is Meta Pixel?

Meta Pixel is Facebook’s web tracker software.  Facebook’s Meta Pixel is popular, easy to use, and it’s free.   Any company can download the code, install it on their website, and instantly see information about website visitors.  Companies can log into a dashboard showing daily website visitor statistics.

Is a Vulnerability in the Meta Pixel Software Causing the “Breach”?

There is no known vulnerability in the Meta Pixel software that is causing the breaches.  Instead, companies are announcing breaches because Facebook was never supposed to receive sensitive information.  Since Meta Pixel is collecting more information than intended, and Facebook was not authorized to have access to this information, companies are reporting it as a breach or a privacy violation.

What Companies are Affected?

The Markup news outlet wrote an investigative report about a number of hospitals that had the Meta Pixel code on their websites and their protected patient portals (Feathers, Fondrie-Teitler, Waller, & Mattu, 2022).  Some of the affected hospitals immediately removed the Meta Pixel software when they realized that it could collect more information than intended.  The Markup released another report showing how tax filing websites were sending sensitive taxpayer information to Facebook via the same Meta Pixel software (Fondrie-Teitler, Waller, & Lecher, 2022).  While the healthcare and financial industries are in the news for these issues, the website tracker breaches surely affect many industries, as the Facebook Meta Pixel code is installed on millions of websites.

How is Meta using the Data?

It is unclear how Meta is using the collected data.  Facebook itself may not know what it does with this data according to a Vice report based on a leaked internal Facebook memo (Franceschi-Bicchierai, 2022).  In the leaked memo, a Facebook engineer stated “We do not have an adequate level of control and explainability [sic] over how our systems use data”.

Number of Individuals Affected

According to the 2023 Velocity Healthcare Breach Report, in the healthcare industry alone, over 6,000,000 medical records were affected in 2022.  The affected tax filing companies have millions of customers.  The number of affected individuals is most likely much higher and continues to grow as more companies announce that they had the Meta Pixel software on their websites.

What Can Companies do to Prevent this in the Future?

Companies should thoroughly investigate all web trackers to determine how data is utilized before placing the code in production environments.  Many companies have methods to perform security evaluations on new third parties as they go through the procurement system, but this scrutiny is not usually applied to free software such as Meta Pixel or Google Analytics.  Companies should ensure that any code changes go through a Software Development Lifecycle (SDLC) that includes a security analysis.
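As an added illustration of the kind of investigation the paragraph above calls for (this is example code written for this page, not Stern Security’s, Meta’s, or Google’s), the following Python script inventories third-party tracker scripts across a set of HTML pages. It matches publicly known markers of the Meta Pixel base code (the fbevents.js loader on connect.facebook.net and fbq() calls) and of Google Analytics (googletagmanager.com / gtag()), and rates a hit as high severity when the page sits under a path the operator has marked as sensitive. The sample pages, the sensitive path prefixes, and the function names are constructed for the example.

```python
"""Inventory third-party trackers in HTML pages.

Added example for this page, not Stern Security code. Flags external
script URLs and inline script bodies that match well-known public
tracker markers, and raises severity when the page lives under a path
the operator considers sensitive (patient portals, tax forms, ...).
"""
import re
from html.parser import HTMLParser

# Publicly documented tracker markers; the labels on the left are ours.
TRACKER_SIGNATURES = {
    "Meta Pixel": [r"connect\.facebook\.net", r"fbevents\.js", r"\bfbq\s*\("],
    "Google Analytics": [r"google-analytics\.com", r"googletagmanager\.com", r"\bgtag\s*\("],
}


class _ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_trackers(html):
    """Return {tracker_name: [evidence, ...]} for every signature hit."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = {}
    for name, patterns in TRACKER_SIGNATURES.items():
        evidence = []
        for src in parser.external:
            if any(re.search(pat, src) for pat in patterns):
                evidence.append(f"external script: {src}")
        for body in parser.inline:
            for pat in patterns:
                match = re.search(pat, body)
                if match:
                    # keep the matched call plus a little context for the report
                    snippet = body[match.start(): match.start() + 60].strip().replace("\n", " ")
                    evidence.append(f"inline: {snippet}")
                    break
        if evidence:
            findings[name] = evidence
    return findings


def assess_page(path, html, sensitive_prefixes=("/patient-portal", "/tax-return")):
    """Rate one page: 'high' if a tracker loads under a sensitive path, else 'info'/'none'."""
    findings = find_trackers(html)
    if not findings:
        return {"path": path, "severity": "none", "trackers": {}}
    sensitive = any(path.startswith(prefix) for prefix in sensitive_prefixes)
    return {"path": path, "severity": "high" if sensitive else "info", "trackers": findings}


# Constructed sample pages (not taken from any real site).
SAMPLE_PAGES = {
    "/": """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}gtag('js',new Date());</script>
</head><body>Welcome</body></html>""",
    "/patient-portal/appointments": """<html><head>
<script>
!function(f,b,e,v,n,t,s){/* pixel loader */t=b.createElement(e);t.src='https://connect.facebook.net/en_US/fbevents.js';}(window,document,'script');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
</head><body>Schedule an appointment</body></html>""",
    "/about": "<html><body>No scripts here</body></html>",
}


def run_inventory(pages=SAMPLE_PAGES):
    """Assess every page and return the list of results in page order."""
    return [assess_page(path, html) for path, html in pages.items()]


if __name__ == "__main__":
    for result in run_inventory():
        print(result["path"], result["severity"], list(result["trackers"]))
```

Running a crawl of your own site through find_trackers() before a release is a cheap way to catch a tracker that has crept onto an authenticated portal page; the signature list is deliberately small and should be extended with whatever other trackers your marketing team deploys.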

How can Stern Security Help?

Our cybersecurity services team has extensive experience analyzing web trackers and the data that they send outside a customer environment.  Additionally, Stern Security’s Velocity application can be used to get your third-party risk management program in order and evaluate vendor solutions for cybersecurity and privacy problems.

Works Cited

Feathers, T., Fondrie-Teitler, S., Waller, A., & Mattu, S. (2022, July 19). Facebook Is Receiving Sensitive Medical Information from Hospital Websites. Retrieved from The Markup: https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites

Fondrie-Teitler, S., Waller, A., & Lecher, C. (2022, November 28). Tax Filing Websites Have Been Sending Users’ Financial Information to Facebook. Retrieved from The Markup: https://themarkup.org/pixel-hunt/2022/11/22/tax-filing-websites-have-been-sending-users-financial-information-to-facebook

Franceschi-Bicchierai, L. (2022, April 26). Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document. Retrieved from Vice: https://www.vice.com/en/article/akvmke/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes

2022 Velocity Healthcare Data Breach Report

In its first annual healthcare data breach report, Stern Security has critically analyzed over 4,000 data breaches since the Department of Health and Human Services began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from Health and Human Services to create this comprehensive report.

This report shows thought-provoking insights into healthcare breach trends over the past 12 years. It covers everything from the number of breaches attributed to ransomware to third-party (business associate) breaches. More healthcare breaches occurred in 2021 than any other year and this report illustrates the detailed analysis.

Velocity Goes Freemium

Background

Our company mission is to “Secure the Planet”.  This means that we aim to provide education and solutions that any company in the world can use to reduce cyber risk.  Our flagship product, Velocity, is a web application (SaaS product) which companies can use to evaluate their own cybersecurity posture as well as to evaluate cyber risks in all of their third-party vendors.  While we strive to have fair pricing and various levels that companies of any size can subscribe to, it’s clear that some organizations simply do not have funds budgeted to spend on cybersecurity or to try new products. We’re moving Velocity to a freemium model so any company can measure their baseline security posture for free.

Details

If we’re serious about securing the planet and providing solutions for all organizations regardless of size and budget, we needed to expand our offerings. From my many years working in the cybersecurity industry, both on the customer side and the consulting side, I know that many organizations do not evaluate their security posture at all.  Many of those that do, still measure their security posture using an inefficient, often inaccurate, spreadsheet approach. They list every cybersecurity measure that they should be doing in one column and then they state whether they are completing the task or not in another column.  It’s easy, but inefficient, painful to manage, difficult to track progress, and tough to update.  Velocity eliminates the need for spreadsheets to measure internal risk with these known frameworks. The free version of Velocity is an easy and economical tool for any company in the world to measure their cyber security posture.

What is included?

In the free version of Velocity, companies can evaluate their own security posture using any of several frameworks.  Additionally, companies receive access to dashboards that give critical insight into their security posture.  As an added benefit, companies eliminate the use of inefficient spreadsheets to evaluate risk.  The frameworks that are included in the free version of Velocity are as follows:

  1. CISA Shields Up – To address increased risk due to Russia’s invasion of Ukraine, the Cybersecurity & Infrastructure Security Agency (CISA) released security guidance for organizations.  This free valuable guidance is built into Velocity. We will continue to update this significant resource on Velocity as the guidance updates and transforms.
  2. CMMC 2.0 Level 1 – In late 2021, the Department of Defense (DoD) released CMMC 2.0 which is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  There are three levels within this model and most defense contractors will need to adhere to Level 1. Organizations can evaluate their compliance with Level 1 CMMC 2.0 for free within Velocity. The smaller subset of organizations that access more classified information can pay for a Velocity subscription to evaluate their compliance with the higher levels within this framework.  Our company pays to have certified CMMC staff.  For more information on CMMC, please review our latest article on the subject:  https://www.sternsecurity.com/blog/cmmc-2-0-program-update/
  3. CIS v8 Group 1 – The Center for Internet Security (CIS) has a well-known list of cybersecurity controls that are recommended for all organizations.  The latest version (v8 as of this writing) splits the security framework into three groups depending on the size and cybersecurity maturity of the organization.  The free version of Velocity includes the first group, Implementation Group 1.  Organizations looking to evaluate their maturity with Groups 2 and 3 can upgrade to a paid subscription within Velocity.  Our company pays an annual license fee to utilize this security framework.

How do we pay for this?

We have to pay for this somehow as we definitely cannot help secure the planet if we don’t have the funds to run our product.  While several frameworks (or parts of frameworks) are free, we have over 10 other major security and compliance frameworks that companies can pay a subscription for. We continue to add more frameworks.  We pay subscription fees which we pass on to companies who subscribe to additional features within Velocity.  Additionally, we charge companies to evaluate the security posture of their vendors.  While utilizing the free version, there is an easy path to upgrade to a paid subscription to utilize other frameworks or evaluate vendors.

How do I get my free account?

Go to https://www.velocitysec.com and create your free account today!

Conclusion

I’m incredibly excited to announce our freemium version of Velocity.  This is the result of months of hard work from an amazing team.  We are so proud of the result and what it can do for the world.  Now that Velocity is offering this freemium model, we see a clear path to making our motto “Secure the Planet” a reality.  Velocity is not going to solve every cybersecurity problem, but it does give organizations actionable items they can perform to reduce risk.  Now any company in the world can measure their baseline security for free on a beautiful web interface.

Sincerely,
Jon Sternstein, Founder

Authenticated vs Unauthenticated Vulnerability Scanning

Introduction

Not all vulnerability scans are created equal. The configuration of a vulnerability scan makes an enormous impact on your results. Authenticated vulnerability scans will provide much greater insight into an organization’s security posture than unauthenticated scans. However, there is a place for unauthenticated vulnerability scans. This article discusses the differences between authenticated and unauthenticated vulnerability scans and when you should use each.

What are Vulnerability Scans?

Vulnerability scans are an automated process for searching devices for vulnerabilities. Vulnerability scanners are the applications or devices that perform the scans.

What are Authenticated Scans?

Authenticated scans are sometimes called “credentialed scans”. “Credentials” refers to a valid account for a system. So credentialed scans, or authenticated scans, are vulnerability scans that utilize valid accounts (username + password) to log into target systems.

Why Perform Authenticated Scans?

Imagine trying to determine if a house has a pest problem by only looking at the outside of the house. Sure, you may be able to see evidence of a pest problem, but you’ll definitely know there is a problem if you go inside. Unauthenticated scans are similar to the outside view only. Authenticated scans are similar to having the keys to the house and looking inside for problems. With an authenticated vulnerability scan, the vulnerability scanner logs into the device and performs detailed checks on the system patch level, permissions, installed applications, and more.

Scanning from Inside or Outside the Network

Scanning from the internet gives you a view of your publicly accessible devices.  It’s a good idea to scan from the outside to see what is available.  These external scans are often performed as unauthenticated scans to see how others see your devices from the internet.  However, it is still a good idea to scan these same devices from the inside as authenticated scans to get a more comprehensive view of the vulnerabilities on the system.  Additionally, internal resources should be scanned from the internal network as authenticated scans.

SNMP vs SSH Vulnerability Scans

When performing authenticated vulnerability scans on network devices or Linux systems, you often have the choice of utilizing SNMP (Simple Network Management Protocol) or SSH (Secure Shell).  Usually, SSH credentialed scans give you more comprehensive results, but it really comes down to the permissions that are given to the credentials that you are utilizing.

Should I Choose Authenticated or Unauthenticated Vulnerability Scans?

Authenticated vulnerability scans give you a more comprehensive view of the vulnerabilities within your environment.  If you have a choice, perform authenticated vulnerability scans.  If you are performing external scans, it is common to perform these as unauthenticated scans, but you should still scan these same devices from the inside of the network as authenticated scans.

What Account Should be Used for Authenticated Scanning?

You should use a dedicated account with escalated privileges.  This account should be limited to the vulnerability scanning process and should not have the ability to use VPN, RDP, or other tasks not associated with vulnerability scanning.  This dedicated account should have a long random password with at least 20 characters.   In penetration tests, our team has compromised vulnerability scanner accounts that had weak passwords and were not limited to the scanning process on the network.

How Often Should Vulnerability Scans be Performed?

The Center for Internet Security (CIS) version 8 Guide states that automated internal vulnerability scans should be performed on assets at least quarterly.  This guide also recommends that external scans are performed at least monthly.
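The cadence above, together with the earlier advice that internal assets be scanned with credentials, is easy to turn into a standing check against an asset inventory. The following Python script is an added example for this page (not Stern Security’s or CIS’s code): it flags external assets not scanned within 30 days, internal assets not scanned within a quarter (taken here as 91 days, an assumption), assets never scanned at all, and internal assets whose last scan was unauthenticated. The inventory records, hostnames, and field names are constructed for the example.

```python
"""Flag assets whose last vulnerability scan misses the cadence the article
cites from CIS Controls v8: internal authenticated scans at least quarterly,
external scans at least monthly. Added example, not Stern Security's or CIS's
code; the asset inventory below is constructed."""
from datetime import date

# Days allowed between scans, per exposure. "Quarterly" is taken as 91 days
# here (an assumption); adjust to your own policy.
MAX_AGE_DAYS = {"external": 30, "internal": 91}


def scan_status(asset, today):
    """Return (needs_action, days_since_scan_or_None, reason) for one asset."""
    exposure = asset["exposure"]
    if exposure not in MAX_AGE_DAYS:
        raise ValueError(f"unknown exposure {exposure!r}")
    limit = MAX_AGE_DAYS[exposure]
    last = asset.get("last_scan")
    if last is None:
        return True, None, f"never scanned; {exposure} assets need a scan every {limit} days"
    age = (today - last).days
    if age > limit:
        return True, age, f"{age} days since last scan exceeds {limit}-day {exposure} cadence"
    # Internal assets should be scanned with credentials (see the article);
    # an on-time but unauthenticated scan still needs follow-up.
    if exposure == "internal" and not asset.get("authenticated", False):
        return True, age, "on time, but last internal scan was unauthenticated"
    return False, age, "ok"


def overdue_assets(assets, today):
    """Return [(hostname, reason), ...] for every asset that needs action."""
    result = []
    for asset in assets:
        needs_action, _age, reason = scan_status(asset, today)
        if needs_action:
            result.append((asset["host"], reason))
    return result


# Constructed inventory and reference date for the example.
TODAY = date(2023, 3, 1)
ASSETS = [
    {"host": "www.example.test", "exposure": "external", "last_scan": date(2023, 2, 10), "authenticated": False},
    {"host": "vpn.example.test", "exposure": "external", "last_scan": date(2023, 1, 15), "authenticated": False},
    {"host": "fileserver01", "exposure": "internal", "last_scan": date(2022, 11, 20), "authenticated": True},
    {"host": "db01", "exposure": "internal", "last_scan": date(2023, 2, 1), "authenticated": False},
    {"host": "hr-app", "exposure": "internal", "last_scan": None, "authenticated": False},
    {"host": "print01", "exposure": "internal", "last_scan": date(2023, 2, 20), "authenticated": True},
]


if __name__ == "__main__":
    for host, reason in overdue_assets(ASSETS, TODAY):
        print(f"{host}: {reason}")
```

Feeding this from your scanner’s export on a schedule gives you a short, actionable list rather than a dashboard to interpret; the devices the article says should not be scanned (VoIP, printers, some medical and SCADA systems) belong in a separate, segmented inventory rather than in this one.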

Should I Also Scan Internal Vendor Devices?

All of your internal assets should be scanned unless they are known to have problems with scanning.  As part of your Third-Party Risk Management (TPRM) process, your organization should work with vendors to determine if their assets on your network can be scanned.  These vendor devices should be scanned before placing them in production and then on a regular basis thereafter.

Are there any Devices that Shouldn’t be Scanned?

Some devices that are known to crash with vulnerability scans include: VoIP systems, printers, some medical devices, and certain SCADA (Supervisory Control and Data Acquisition) systems.  Always scan in a non-production environment if you’re not sure about the stability of the system, and consult with the vendor as necessary.  Systems that cannot be scanned should be segmented on the network.

Conclusion

You will most likely perform both authenticated and unauthenticated scanning in your vulnerability management program. Each scan type has different uses, but authenticated scanning provides a more comprehensive analysis of a system.

Third-Party Risk Management Case Study: Large Hospital

Introduction

Velocity helped a large hospital system quadruple the speed of third-party risk assessments, increase the accuracy of reviews, create a continuous assessment process, and track internal risk using the Center for Internet Security (CIS) Controls, the NIST Cybersecurity Framework (CSF), and the HIPAA Security Rule.

Background

The hospital was struggling to manually review hundreds of vendor (business associate) solutions which was causing delays in large projects.  The security team tried hiring a third-party risk management service to offload the vendor reviews, but the results were greatly inaccurate. 

At the same time, the hospital was trying to measure their internal security posture using CIS, NIST CSF, and the HIPAA Security Rule through spreadsheets.  The spreadsheets only provided point-in-time reviews, could not be easily shared, collaboration was difficult, and the security frameworks could not be easily updated on the spreadsheet.

To address both the vendor and internal risk measurement problems, this hospital decided to use the Velocity SaaS solution by Stern Security.

An Industry Problem

The growing risk management issues that the hospital was experiencing are common across all industries.  Companies often initially try to address the vendor risk issue manually by sending spreadsheet questionnaires to vendors.  However, this process is incredibly time-consuming.  They have to manage the questionnaires, send them to and retrieve them from vendors, review the responses, hold meetings about the risks, and create reports.  This process can take months to complete for a single vendor.  Ideally, the customer would complete this every year for each vendor, but very few organizations have the bandwidth to accomplish anything close.

Many companies try to outsource the vendor risk management work to a service provider or purchase a product to complete the task.  Unfortunately, most of the results from these solutions are inaccurate.  Even fewer solutions address both internal and vendor risk.

Velocity prioritizes accuracy

After limited success with the manual approach and other products, this hospital found their ideal solution with Velocity.

Solution

Onboarding with Velocity took the hospital one hour with most of the time spent on training.  The hospital quickly replaced the spreadsheet used to measure internal risk and saw immediate results.  Instead of using an outdated version of the CIS framework, the hospital could use the latest version with Velocity.  The hospital also received a prioritized list of items to work on to increase security posture.  Additionally, when the hospital fixed an item on the list, they could see their security posture improve.

Customer employees became rockstars with Velocity

The hospital also made rapid improvements to their vendor risk management process.  Instead of sending the standard security questionnaire to vendors, the hospital sent invitations from the Velocity platform and let the product do all of the work.  The hospital received detailed security reports for their vendors within ¼ of the time.  Hospital cybersecurity staff originally tasked with performing these vendor security reviews could now spend their time on other tasks while directing more vendors through Velocity than ever before.  Velocity greatly sped up the hospital’s vendor security review process, which made the entire project evaluation process more efficient.  Additionally, Velocity increased accuracy and saved the hospital valuable funds.  Velocity added such value to the hospital that they renewed their subscription the following year.

Velocity saves the day! Case closed.