Hacking Scandinavian Alcohol Tax

Read Time:58 Second

The islands of Åland are an important tax hack:

Although Åland is part of the Republic of Finland, it has its own autonomous parliament. In areas where Åland has its own legislation, the group of islands essentially operates as an independent nation.

This allows Scandinavians to avoid the notoriously high alcohol taxes:

Åland is a member of the EU and its currency is the euro, but Åland’s relationship with the EU is regulated by way of a special protocol. In order to maintain the important sale of duty-free goods on ferries operating between Finland and Sweden, Åland is not part of the EU’s VAT area.

Basically, ferries between the two countries stop at the island, and people stock up—I mean really stock up, hand trucks piled with boxes—on tax-free alcohol. Åland gets the revenue, and presumably docking fees.

The purpose of the special status of the Åland Islands was to maintain the right to tax free sales in the ship traffic. The ship traffic is of vital importance for the province’s communication, and the intention was to support the economy of the province this way.

Read More

USN-6457-1: Node.js vulnerabilities

Read Time:51 Second

Tavis Ormandy discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. (CVE-2022-0778)

Elison Niven discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-1292)

Chancen and Daniel Fiala discovered that Node.js incorrectly handled certain
inputs. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-2068)

Alex Chernyakhovsky discovered that Node.js incorrectly handled certain
inputs. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-2097)

Read More

Healthcare – Navigating your path to cyber wellness

Read Time:4 Minute, 21 Second

The healthcare industry is progressing towards a more mature cybersecurity posture. However,  given it remains a popular attack target, more attention is needed. Results from The Cost of a Data Breach Report 2023 reported that healthcare has had the highest industry cost of breach for 13 consecutive years, to the tune of $10.93M.   In 2022, the top 35 global security breaches exposed 1.2 billion records, and 34% of those attacks hit the public sector and healthcare organizations.

Regulators have responded by requiring more guidance to the healthcare industry. The Cybersecurity Act of 2015 (CSA), Section 405(d),   Aligning Health Care Industry Security Approaches, is the government’s response to increase collaboration on healthcare industry security practices. Lead by HHS, the 405(d) Program’s mission is to provide resources and tools to educate, drive behavioral change, and provide cybersecurity best practices to strengthen the industry’s cybersecurity posture.  

Additionally, Section 13412 of the HITECH Act was amended in January 2022 that requires that HHS take “Recognized Security Practices” into account in specific HIPAA Security Rule enforcement and audit activities when a HIPAA-regulated entity is able to demonstrate Recognized Security Practices have been in place continuously for the 12 months prior to a security incident. This voluntary program is not a safe harbor, but could help mitigate fines and agreement remedies and reduce the time and extent for audits.  

The Recognized Security Practices

Recognized Security Practices are standards, guidelines, best practices, methodologies, procedures, and processes developed under:

The National Institute of Standards and Technology (NIST) Cybersecurity Framework
Section 405(d) of the Cybersecurity Act of 2015, or
Other programs that address cybersecurity that are explicitly recognized by statute or regulation

It is apparent that healthcare organizations are being guided and even incentivized to follow a programmatic approach to cybersecurity and adopt a recognized framework.  

How can a cybersecurity framework help? 

By creating a common language:  Adopting a cybersecurity framework and developing a strategy to implement it allows key stakeholders to start speaking a common language to address and manage cybersecurity risks. The strategy will align business, IT, and security objectives. The framework is leveraged as a mechanism in which to implement the cybersecurity strategy across the organization, which will be monitored, progress and budget reported upon to senior leaders and the board,  communication, and synergies with control owners and staff. Individual users and senior executives will start to speak a common cybersecurity language, which is the first step to creating a cyber risk-aware culture. 

By sustaining compliance:   Adherence to a cybersecurity framework ensures that healthcare organizations comply with relevant regulations and industry standards, such as HIPAA. Compliance can help organizations avoid legal penalties, financial losses, and reputational damage.

By improving cybersecurity risk management practices:  The core of implementing cybersecurity risk management is understanding the most valuable assets to the organization so that appropriate safeguards can be implemented based upon the threats. A key challenge to the healthcare industry’s cybersecurity posture is knowing what data needs to be protected and where that data is. Accepted frameworks are built on sound risk management principles. 

By increasing resilience:  Cyberattacks can disrupt critical healthcare services and can be costly, with expenses related to incident response, system recovery, and legal liabilities. Adopting a cybersecurity framework can help organizations minimize the financial impact of a breach or attack by improving their incident response capabilities, minimizing the impact of the breach, and recovering more quickly. 

By demonstrating trust:  Patients entrust their personal and medical information to healthcare providers. Implementing a cybersecurity framework demonstrates a commitment to safeguarding that information and maintaining patient trust.

The bottom line is that adopting a cybersecurity framework helps to protect sensitive data, maintain business continuity, preserve the organization’s reputation, minimize the potential impact of attacks, and create transparency in cybersecurity practices, ultimately resulting in a cyber risk-aware culture. 

Sounds beneficial, right? But what cybersecurity framework? 

Adaptable framework for healthcare

The HITRUST CSF was originally developed specifically for the healthcare industry, is based upon ISO 27001 and incorporates a number of recognized frameworks, including NIST CSF. Most organizations have multiple compliance requirements and must adjust security requirements based on their threat landscape and then manage risks accordingly.   Security requirements are always evolving and an adaptable framework is sorely needed to reduce the burden of CISOs and staff in continually updating their frameworks. As threats evolve, as regulations and frameworks change, so does the HITRUST CSF. 

HITRUST achieves the benefits listed above, but implementing a cybersecurity framework is a journey. Organizations need to achieve incremental wins and reduce risk….the HITRUST CSF allows for a stepping stone approach. 

 

New in the CSF v. 11 is control nesting in the three (3) different types of assessments. The assessment types are: 

HITRUST Essentials, 1-Year (e1) Readiness and Validated Assessment (40 basic controls)
HITRUST Implemented 1-Year (i1) Readiness and Validated Assessment (182 static controls based upon threat intelligence)
HITRUST Risk-based, 2-Year (r2) Readiness and Validated Assessment *based upon scoping factors)

This creates a progressive journey to implementing a cybersecurity framework while allowing success, adoption, and transparency. 

Involved with HITRUST since its inception and one of the original assessors, AT&T Cybersecurity can help you with your HITRUST journey.

Read More

USN-6456-1: Firefox vulnerabilities

Read Time:45 Second

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2023-5722,
CVE-2023-5724, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730, CVE-2023-5731)

Kelsey Gilbert discovered that Firefox did not properly manage certain
browser prompts and dialogs due to an insufficient activation-delay. An
attacker could potentially exploit this issue to perform clickjacking.
(CVE-2023-5721)

Daniel Veditz discovered that Firefox did not properly validate a cookie
containing invalid characters. An attacker could potentially exploit this
issue to cause a denial of service. (CVE-2023-5723)

Shaheen Fazim discovered that Firefox did not properly validate the URLs
open by installed WebExtension. An attacker could potentially exploit this
issue to obtain sensitive information. (CVE-2023-5725)

Read More