
Isn’t it always the little things that make a big difference? That’s true not only in life, but also when it comes to protecting your data and network from attacks. And it is often the small things that, when overlooked, become big problems. So, today we are talking about some of the things you need to be looking for that can make a big difference in your privacy and security programs.
In this episode:
Little Things Matter – Ep 295
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The HIPAA Boot Camp
Virtual Edition Aug 17-19, 2021
Great idea! Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[04:08] Report violations, yes. Frame someone for HIPAA violations and you go to prison. Prison Time for Scheme to Frame Nurse for HIPAA Violations. In October 2019, Jeffrey Parker of Rincon, GA contacted a local news station claiming to be a whistleblower and alleging that a nurse had violated HIPAA privacy laws by emailing graphic images to him and others. The news station contacted law enforcement and a case was opened. The investigation found that the nurse, apparently an ex-lover, did NOT send any images to anyone and that Parker had made it all up. He went as far as creating several fake emails to make it look like the images had been sent to several people.
The US Department of Justice charged Parker with one count of making false statements, which carried a maximum sentence of 5 years in prison and a $250,000 fine. He pleaded guilty and was sentenced to 6 months in prison and fined $1,200.
Little Things Matter
Browser Extensions as Botnet Back Doors
[12:03] Recently there have been reports of browser extensions being found to be botnet back doors. KrebsOnSecurity published an article, Is Your Browser Extension a Botnet Backdoor?, that explains the threat. We’ve talked before about the danger of allowing staff to download and install software on their PCs. But do you monitor whether folks are loading browser extensions? The article states that 53.21% of all Chrome extensions have not been updated in the past two years, and that only 5.21% of extensions have been updated in the past 30 days.
So, browser extensions are tiny little programs you run inside a browser (Google Chrome, Microsoft Edge, Brave, Firefox, etc.). Think of them as skills you can add to a browser, little pieces of software that let you do some cool stuff in your browser. They have become so popular that criminals are now looking for ways to use them to attack us.
[23:32] Browser extensions are little programs… little things… and they matter because they can cause very big problems. They are different from traditional programs, where the user can be prompted for an administrative password before a program installs. Extensions don’t go through that process: the browser controls the whole install, so the usual software-installation controls never see it, and the extension then runs with whatever permissions it requested over the pages and data the browser handles. Think of it as turning on new capabilities without installing software on the computer; you are installing software inside the browser. These extensions can open a backdoor into your network. So it is very important to understand how this works and determine what safeguards IT can put in place. You should have policies and procedures that address whether staff can load and use whatever browsers and browser extensions they want. Determine if IT can monitor these things and make some rules to include in your security policies and procedures.
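One way IT can get the visibility this segment asks for, as an added example that is not from the podcast, Google or Microsoft: a PowerShell script that inventories the Chrome and Edge extensions installed in every user profile on a Windows PC, then reports whether a “block everything, allow only listed IDs” extension policy is actually enforced and which installed extensions fall outside it. It assumes the default Chrome/Edge profile layout under each user’s AppData and the documented ExtensionInstallAllowlist, ExtensionInstallBlocklist and ExtensionInstallForcelist policy keys; run it as an administrator so it can read other users’ folders.

```powershell
# Added example, not from the podcast or from Google/Microsoft. Inventories Chrome and
# Edge extensions across all local user profiles and checks the extension install
# policies. Assumes default profile paths; run elevated to read other users' folders.

$browsers = @(
    @{ Name = 'Chrome'; Data = 'Google\Chrome\User Data';  Policy = 'HKLM:\SOFTWARE\Policies\Google\Chrome' }
    @{ Name = 'Edge';   Data = 'Microsoft\Edge\User Data'; Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' }
)

# List-type policies are stored as a key whose values are named "1", "2", ...
function Get-PolicyList([string]$KeyPath) {
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    foreach ($valueName in $key.GetValueNames()) { $key.GetValue($valueName) }
}

$inventory = foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory) {
    foreach ($b in $browsers) {
        $userData = Join-Path $userDir.FullName "AppData\Local\$($b.Data)"
        if (-not (Test-Path -Path $userData)) { continue }

        # Each browser profile ("Default", "Profile 1", ...) has its own Extensions folder:
        # Extensions\<extension id>\<version>\manifest.json
        foreach ($profile in Get-ChildItem -Path $userData -Directory) {
            $extRoot = Join-Path $profile.FullName 'Extensions'
            if (-not (Test-Path -Path $extRoot)) { continue }
            foreach ($manifest in Get-ChildItem -Path $extRoot -Recurse -Depth 2 -Filter manifest.json -File) {
                $json = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
                # Manifest V2 keeps host patterns in "permissions"; V3 moves them to "host_permissions".
                $hosts = @($json.host_permissions) +
                         @($json.permissions | Where-Object { "$_" -match '://|<all_urls>' })
                [pscustomobject]@{
                    User        = $userDir.Name
                    Browser     = $b.Name
                    Profile     = $profile.Name
                    ExtensionId = $manifest.Directory.Parent.Name
                    Version     = $json.version
                    Name        = $json.name      # may be a __MSG_*__ placeholder for localized names
                    Hosts       = ($hosts | Where-Object { $_ }) -join ' '
                }
            }
        }
    }
}

$inventory | Sort-Object User, Browser, Profile, Name | Format-Table -AutoSize

# The enforceable shape is: blocklist contains "*" (block everything) and the allowlist
# names the IDs IT approved. Force-installed entries have the form "<id>;<update url>".
foreach ($b in $browsers) {
    $allow     = @(Get-PolicyList "$($b.Policy)\ExtensionInstallAllowlist")
    $block     = @(Get-PolicyList "$($b.Policy)\ExtensionInstallBlocklist")
    $forcedIds = @(Get-PolicyList "$($b.Policy)\ExtensionInstallForcelist" | ForEach-Object { ($_ -split ';')[0] })

    if (($block -contains '*') -and ($allow.Count -gt 0)) {
        Write-Host "$($b.Name): allowlist enforced ($($allow.Count) allowed, $($forcedIds.Count) forced). Installed but not approved:"
        $inventory |
            Where-Object { $_.Browser -eq $b.Name -and $_.ExtensionId -notin $allow -and $_.ExtensionId -notin $forcedIds } |
            Format-Table User, Profile, ExtensionId, Name, Hosts -AutoSize
    } else {
        Write-Warning "$($b.Name): no 'block all, allow listed' extension policy; users can install any extension."
    }
}
```

The Hosts column is the quick triage field: an extension that asks for `<all_urls>` or `*://*/*` can read and alter every page the user opens, which is exactly what makes it useful as a back door. Extensions listed under “installed but not approved” are either pre-policy leftovers or sideloads and are the ones to pull.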
QuickBooks Data Files Theft Attacks
[31:29] Many organizations use QuickBooks as their accounts payable software and even their payroll platform. But believe it or not, many organizations don’t think to include QuickBooks in their list of critical business applications. Often they don’t know IF their QuickBooks files are being backed up, who should be responsible for doing it, or whether it is even included in their disaster recovery plans. It might seem like a little thing, but it quickly becomes a big thing when something goes wrong and you can’t access the data or pay staff. New research has uncovered a significant increase in QuickBooks file data theft using social engineering tricks, like spear phishing, to deliver malware and exploit the accounting software.
Experts Warns of Notable Increase in QuickBooks Data Files Theft Attacks – The Hacker News
“When a user has access to the Quickbooks database, a piece of malware or weaponized PowerShell is capable of reading the user’s file from the file server regardless of whether they are an administrator or not,” the researchers said.
“Furthermore, the attack surface increases exponentially in the event QuickBooks file permissions are set to the “Everyone” group, as an attacker can target any individual in the company, as opposed to a specific person with the right privileges.”
“That’s not all. Besides selling the stolen data on the dark web, the researchers say they found instances where the operators behind the attacks resorted to bait-and-switch tactics to lure customers into making fraudulent bank transfers by posing as suppliers or partners.”
Check the permissions on your data files. Make sure you are securing the files, not just installing the software and making sure it works properly. Get IT involved and don’t assume you can handle it yourself.
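A concrete version of “check the permissions on your data files”, as an added example that is not from the podcast, the researchers, or Intuit: a PowerShell script that finds QuickBooks company files under a folder and flags NTFS access-control entries that grant broad groups (Everyone, Authenticated Users, Users, Domain Users) read or write access, which is the “Everyone” exposure the quoted research warns about. If the folder is shared from the machine you run it on, it also lists broad grants on the SMB share, since the share ACL is a second gate. The root path, the extra file types beyond the .qbw company file, and the “QuickBooks Users” group in the remediation hint are assumptions for the example.

```powershell
# Added example, not from the podcast or from Intuit. Audits NTFS and SMB share
# permissions on QuickBooks company files. $Root is a hypothetical path.
param(
    [string]$Root = 'D:\QuickBooks'
)

# Files QuickBooks keeps next to a company file (.qbw): transaction log (.tlg),
# network data file (.nd), backups (.qbb) and portable copies (.qbm).
$qbFiles = '*.qbw', '*.tlg', '*.nd', '*.qbb', '*.qbm'

# Principals that mean "anyone on the machine/domain".
$broadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Domain Users'

$readMask  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor [System.Security.AccessControl.FileSystemRights]::Delete)

$findings = foreach ($file in Get-ChildItem -Path $Root -Recurse -File -Include $qbFiles -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -Path $file.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $principal = $ace.IdentityReference.Value
        if (-not ($broadPrincipals | Where-Object { $principal -like "*$_" })) { continue }
        # Cast so ACEs carrying generic rights (shown as raw numbers) still compare cleanly;
        # if CanRead/CanWrite are both false but Rights looks odd, inspect the Rights column.
        $rights = [int]$ace.FileSystemRights
        [pscustomobject]@{
            File      = $file.FullName
            Principal = $principal
            CanRead   = (($rights -band $readMask)  -ne 0)
            CanWrite  = (($rights -band $writeMask) -ne 0)
            Inherited = $ace.IsInherited    # inherited ACEs mean the parent folder is the real problem
            Rights    = $ace.FileSystemRights
        }
    }
}

if ($findings) {
    $findings | Sort-Object File, Principal | Format-Table File, Principal, CanRead, CanWrite, Inherited -AutoSize
} else {
    Write-Host "No broad-group ACEs found on QuickBooks files under $Root."
}

# Share-level permissions are a second gate; "Everyone: Full" on the share is common.
# Admin shares (C$, D$) are skipped because only administrators can use them.
if (Get-Command -Name Get-SmbShare -ErrorAction SilentlyContinue) {
    $resolved = (Resolve-Path -Path $Root -ErrorAction SilentlyContinue).Path
    if ($resolved) {
        $shares = Get-SmbShare | Where-Object {
            -not $_.Special -and $_.Path -and
            $resolved.StartsWith($_.Path, [System.StringComparison]::OrdinalIgnoreCase)
        }
        foreach ($share in $shares) {
            Get-SmbShareAccess -Name $share.Name |
                Where-Object { $acct = $_.AccountName; $broadPrincipals | Where-Object { $acct -like "*$_" } } |
                Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize
        }
    }
}

# Remediation (hypothetical group name): replace the broad grant with a dedicated group,
# then confirm QuickBooks (and Database Server Manager, if used) can still open the file:
#   icacls "D:\QuickBooks" /remove:g Everyone /grant "CONTOSO\QuickBooks Users:(OI)(CI)M" /T
```

Run it as an administrator on the file server (or against a mapped path from a workstation, in which case the SMB section is skipped). The point of the CanRead column is the one the researchers make: a user only needs read access for malware or a PowerShell one-liner running in their session to copy the .qbw file out, so “read for Everyone” is already a data-theft exposure even where nobody can modify the file.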
Bottom line: It’s not the time to make assumptions and let little things go. You should have either professional IT or IT staff, depending on the size of the organization, and you should involve IT in these conversations fairly regularly. Don’t assume that all of the little things are being handled by IT. Have the conversation and understand exactly what they are monitoring and protecting.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.


