Facebook (Meta) Healthcare and Tax Payer Breaches

Over the past year, news outlets have been buzzing about Facebook, now called “Meta”, collecting vast amounts of data from healthcare organizations and tax return companies.  Some of these companies are announcing breaches as a result of this data collection.

Why are Companies Sending Sensitive Data to Facebook?

Let’s be clear – companies are not trying to send their sensitive information to Facebook.  Companies are NOT going to Facebook.com and uploading their customer information.  Instead, Facebook is collecting this information via web tracker software that it offers to companies for free to monitor website visitor behavior.  Companies invest a lot of resources in their websites to ensure their customers get the best value and can easily navigate their offerings.  In order to see how customers interact with their websites, companies install web trackers to monitor button clicks, visitor statistics, navigation errors, and more.  Most websites log user behavior using trackers that are generally hidden from the website visitor.  Two of the many website trackers are Facebook’s Meta Pixel and Google Analytics.  Companies use these trackers to collect basic website visitor information, and often they do not realize that Facebook may also be collecting sensitive information.

What is Meta Pixel?

Meta Pixel is Facebook’s web tracker software.  Facebook’s Meta Pixel is popular, easy to use, and free.  Any company can download the code, install it on their website, and instantly see information about website visitors.  Companies can log into a dashboard showing daily website visitor statistics.

Is a Vulnerability in the Meta Pixel Software Causing the “Breach”?

There is no known vulnerability in the Meta Pixel software that is causing the breaches.  Instead, companies are announcing breaches because Facebook is not supposed to receive sensitive information.  Since Meta Pixel is collecting more information than intended, and Facebook was not authorized to have access to this information, companies are listing it as a breach or a privacy violation.

What Companies are Affected?

The Markup news outlet wrote an investigative report about a number of hospitals that had the Meta Pixel code on their websites and their protected patient portals (Feathers, Fondrie-Teitler, Waller, & Mattu, 2022).  Some of the affected hospitals immediately removed the Meta Pixel software when they realized that it could collect more information than intended.  The Markup released another report showing how tax filing websites were sending sensitive tax payer information to Facebook via the same Meta Pixel software (Fondrie-Teitler, Waller, & Lecher, 2022).  While the healthcare and financial industries are in the news for these issues, the website tracker breaches surely affect many industries, as the Facebook Meta Pixel code is installed on millions of websites.

How is Meta using the Data?

It is unclear how Meta is using the collected data.  Facebook itself may not know what it does with this data according to a Vice report based on a leaked internal Facebook memo (Franceschi-Bicchierai, 2022).  In the leaked memo, a Facebook engineer stated “We do not have an adequate level of control and explainability [sic] over how our systems use data”.

Number of Individuals Affected

According to the 2023 Velocity Healthcare Breach Report, in the healthcare industry alone, over 6,000,000 medical records were affected in 2022.  The affected tax filing companies have millions of customers.  The number of affected individuals is most likely much higher and continues to grow as more companies announce that they had the Meta Pixel software on their websites.

What Can Companies do to Prevent this in the Future?

Companies should thoroughly investigate all web trackers to determine how data is utilized before placing the code in production environments.  Many companies have methods to perform security evaluations on new third parties as they go through the procurement system, but this scrutiny is not usually applied to free software such as Meta Pixel or Google Analytics.  Companies should ensure that any code changes, including tracker snippets, go through a Software Development Lifecycle (SDLC) that includes a security analysis.

How can Stern Security Help?

Our cybersecurity services team has extensive experience analyzing web trackers and the data that they send outside a customer environment.  Additionally, Stern Security’s Velocity application can be used to get your third-party risk management program in order and evaluate vendor solutions for cybersecurity and privacy problems.

Works Cited

Feathers, T., Fondrie-Teitler, S., Waller, A., & Mattu, S. (2022, July 19). Facebook Is Receiving Sensitive Medical Information from Hospital Websites. Retrieved from The Markup: https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites

Fondrie-Teitler, S., Waller, A., & Lecher, C. (2022, November 28). Tax Filing Websites Have Been Sending Users’ Financial Information to Facebook. Retrieved from The Markup: https://themarkup.org/pixel-hunt/2022/11/22/tax-filing-websites-have-been-sending-users-financial-information-to-facebook

Franceschi-Bicchierai, L. (2022, April 26). Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document. Retrieved from Vice: https://www.vice.com/en/article/akvmke/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes

2023 Velocity Healthcare Data Breach Report

In its second annual Velocity healthcare data breach report, Stern Security has critically analyzed over 5,000 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive study. Stern Security augmented the HHS data by investigating each breach in 2022 to fully understand the cause of the incident.

This report shows critical insights into healthcare breach trends over the past 13 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third parties (business associates). This year, Stern Security has added a new breach categorization – the number of breaches due to analytics software, including Meta (Facebook) Pixel. Once again, a new breach record was established, with more healthcare breaches occurring in 2022 than in any previous year. This report puts forth a detailed analysis.

Top 5 Tips for Choosing a Cybersecurity Product

There are hundreds of cybersecurity products on the market, and it can be difficult to select one amid the noise.  Do you select a cybersecurity product based on an alert you see on the news?  Choose based on an advertisement or magazine article?  Do you simply select one because it appears on a “magic quadrant”?  Here are the top 5 tips for choosing a cybersecurity product.

Tip #1: Fits a Gap

The top tip for choosing a cybersecurity product is to look for one that fits a gap or need within your environment.  The most straightforward way to do this is to align your organization with a cybersecurity framework or maturity model. 

For example, if you choose the CISA Zero Trust 2.0 Maturity Model, the “Authentication” function within the “Identity” pillar requires “phishing-resistant MFA (multi-factor authentication)” once you reach the Advanced maturity level.  To accomplish this maturity level and fill the gap within your posture, you may purchase hardware WebAuthn/FIDO2 keys such as YubiKey or Feitian.  This purchase fits a direct need and helps your organization achieve a higher cybersecurity maturity level for your chosen framework.

Tip #2: It Works

After you determine that a product fits a gap, it has to work in your environment.  See if you can do a free trial before you buy.  The product may also have a freemium model so you can use the free version and upgrade to the paid version when you determine that the product works and fulfills a need.  Even security hardware companies will usually let an organization test a product before purchasing.

Tip #3: Secure

This should go without saying, but a cybersecurity product should be secure.  It’s always a good idea to do your due diligence on a product and company before utilizing it.  The product should increase your security posture, not the opposite.  You can request a security audit or perform your own.  Research should also be performed on the company and the product.

Tip #4: Pricing

The cybersecurity product should fit your budget.  If you need the product and you don’t have the budget…then you may need a larger budget.  Alternatively, you can look for less expensive or open-source options to fulfill your needs.

Tip #5: Recommendation

Lastly, you can choose a cybersecurity product based on a recommendation from a colleague.  The benefit of using a recommendation is that you have a solid review from a trusted source.  On the downside, your colleague’s environment and use cases may be different from yours, so the product may not work the same in your environment.  Additionally, it may be more difficult to find the most innovative product if you’re only choosing products based on older recommendations.  The most innovative product may be a new offering from a known vendor or a new startup.

Velocity Can Help

Stern Security’s Velocity product helps organizations find the best cybersecurity products for their needs by aligning a company’s security posture to a security framework or maturity model (Tip #1), and then showing the solutions that are needed to fill the gaps.

Conclusion

While there are many choices on the market, these are the top 5 tips for choosing cybersecurity products. Use these tips to sift through the noise and choose the best products for your organization.

CISA Releases the Zero Trust Maturity Model 2.0

In April of 2023, CISA released version 2.0 of their Zero Trust Maturity Model.

What is CISA?

The Cybersecurity & Infrastructure Security Agency (CISA) is a U.S. federal agency that is responsible for strengthening cybersecurity across the government.  The agency also provides resources to help U.S. companies reduce cyber risk.

What is Zero Trust?

At a high level, Zero Trust is a cybersecurity methodology that assumes a breach can occur at any time.  As such, each resource should have the least privilege needed to perform its job and should be continuously authenticated to confirm authorization.  The National Security Telecommunications Advisory Committee (NSTAC) describes Zero Trust as a cybersecurity strategy that treats every resource as untrusted.  While most other security models use the location of an individual or device as the basis for granting access, Zero Trust focuses on the data that is being accessed.

CISA Zero Trust Overview

CISA states that their maturity model is not the only way to accomplish Zero Trust.  However, CISA’s model is clear, concise, possibly the easiest model to understand, and CISA has a strong reputation for solid recommendations.  In CISA’s Zero Trust Maturity Model, there are five pillars, or categories, that contain controls for moving towards a Zero Trust Architecture.  The five pillars are Identity, Devices, Networks, Applications & Workloads, and Data as shown in the image below.

Image: Five pillars of CISA’s Zero Trust Maturity Model (Cybersecurity and Infrastructure Security Agency Cybersecurity Division, 2023)

There are a total of 36 security controls, or “functions” as CISA calls them, across all of the pillars.  While there are unique security controls for each pillar, there are three control types that appear within every pillar.  These three cross-cutting control types are Visibility and Analytics, Automation and Orchestration, and Governance.  The cross-cutting controls can be used to coordinate implementation and interoperability of functions across the pillars.

The CISA Zero Trust model contains four maturity stages for each of the 36 security controls.  Organizations start with the Traditional stage and move to Initial, Advanced, and finally Optimal.  Each maturity stage provides an increasing level of protection and adoption complexity.

Image: CISA Zero Trust 2.0 Maturity Stages

Implementation Challenges

Implementing Zero Trust is not a trivial task.  There are 36 major functions that need to be optimized before achieving the highest maturity level.  This is a process that will most likely take years for an organization to complete.  Some of the challenges with implementing Zero Trust are:

  • Cost – An organization will probably need to purchase new security tools and hire additional staff to reach the higher levels of maturity.  For example, an organization may have multi-factor authentication (MFA) with SMS (text message), but the more mature levels require “phishing-resistant MFA” such as YubiKey or Feitian USB security keys.  Purchasing the security keys and educating staff can be costly.
  • Time – It takes time to implement each of these security measures.  This includes both implementation time and employee education time.
  • Process Change – There are numerous challenges to implementing new processes.  Taking our MFA implementation example, an organization will need to change how they perform multi-factor authentication across the organization.
  • Legacy Systems – Many legacy systems were not designed with security in mind.  These legacy systems may implicitly trust everyone, or have a single shared account.

CISA describes the Zero Trust implementation as a journey.  Each stage of this journey requires more levels of effort while achieving greater protection.

Image: CISA Zero Trust Maturity Model 2.0 Journey, a mountain with the Zero Trust journey between maturity levels (Cybersecurity and Infrastructure Security Agency Cybersecurity Division, 2023)

Benefits of Zero Trust

Moving towards higher levels of maturity within Zero Trust has enormous security benefits, which is why organizations strive to achieve this goal.  At the Optimal maturity level, the risk of a security breach is minimized.  Zero Trust can also help companies achieve compliance goals by moving well beyond the initial compliance requirements.  There are also customer and business benefits, as an organization with a higher level of security earns more trust from its customer base.

Changes from CISA Zero Trust v1.0 to v2.0

CISA has made a number of changes from their Zero Trust Maturity Model 1.0, released in 2021, to version 2.0, released in April of 2023.

Image: Color code chart for changes to the framework

Moving from Three to Four Maturity Stages

The largest change is moving from three to four maturity stages.  As CISA states, the Zero Trust Maturity Model is a journey which will most likely take time to implement.  Having more stages provides greater insight into an organization’s progress.

Image: Changes to the Zero Trust Maturity Stages

Pillar Changes

There are still five pillars within the CISA Zero Trust Maturity Model 2.0, but the naming has changed slightly.

Image: Changes to the Zero Trust Pillars

Security Functions within Pillars

The CISA Zero Trust Maturity Model has moved from 31 security controls (called “Functions” within the model) to 36 controls.  The changes are listed below and grouped by each of the five pillars.

Chart: Identity Pillar updates
Chart: Devices Pillar updates
Chart: Networks Pillar updates
Chart: Applications and Workloads Pillar updates
Chart: Data Pillar updates

Velocity Can Help with the CISA Zero Trust Maturity Model Journey

At Stern Security, we have added the CISA Zero Trust Maturity Model into our Velocity platform.  Any organization can easily map their Zero Trust journey within Velocity.  Try Velocity for free today.

Image: Velocity, Stern Security’s SaaS platform, contains CISA’s Zero Trust Maturity Model

Conclusion

The 2.0 version of CISA’s Zero Trust Maturity Model is a well-organized and highly regarded framework to follow in order to achieve Zero Trust goals.  Increasing an organization’s Zero Trust maturity is a journey that will take time and resources, but will greatly reduce cybersecurity risk.  CISA’s model is a recommended approach for completing an organization’s Zero Trust goals.

Works Cited

Cybersecurity and Infrastructure Security Agency Cybersecurity Division. (2021, June). Zero Trust Maturity Model: Pre-decisional Draft Version 1.0. CISA.gov.

Cybersecurity and Infrastructure Security Agency Cybersecurity Division. (2023, April). Zero Trust Maturity Model: Version 2.0. CISA.gov.

Security Frameworks with 2-factor Authentication

In keeping with Two-Factor Authentication Day (2/2/23), we decided to showcase some cybersecurity and compliance frameworks that recommend 2-factor authentication controls.  The frameworks we reviewed include:

  1. FFIEC CAT (The Federal Financial Institutions Examination Council Cybersecurity Assessment Tool)
  2. CMMC (Cybersecurity Maturity Model Certification)
  3. PCI DSS (Payment Card Industry Data Security Standard) v3.2.1
  4. PCI DSS (Payment Card Industry Data Security Standard) v4.0
  5. CIS v8 (Center for Internet Security)
  6. NYDFS (New York State Department of Financial Services)
  7. CISA (Cybersecurity & Infrastructure Security Agency) Shields Up 2022
  8. ACET (Automated Cybersecurity Examination Tool) from the NCUA (National Credit Union Association)
  9. NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) 1.1
  10. 405(d) HICP (Health Industry Cybersecurity Practices)

Cybersecurity Framework References

The multi-factor authentication controls within these frameworks are listed in the chart below.

Framework | Reference | Control
FFIEC CAT | D3.PC.Am.B.9 | Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk.
FFIEC CAT | D3.PC.Am.B.15 | Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
FFIEC CAT | D3.PC.Am.Int.5 | Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution’s network and/or systems and applications.
FFIEC CAT | D3.PC.Am.Int.6 | Multifactor authentication (e.g., tokens, digital certificates) techniques are used for employee access to high-risk systems as identified in the risk assessment(s). (*N/A if no high risk systems.)
CMMC | IA.L2-3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
CMMC | MA.L2-3.7.5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
PCI DSS v3.2.1 | 8.3 | Secure all individual non-console administrative access and all remote access to the CDE (Card Data Environment) using multi-factor authentication. Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
PCI DSS v3.2.1 | 8.3.1 | Incorporate multi-factor authentication for all non-console access into the CDE (Card Data Environment) for personnel with administrative access.
PCI DSS v3.2.1 | 8.3.2 | Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.
PCI DSS v4.0 | 8.4 | Multi-factor authentication (MFA) is implemented to secure access into the CDE (Card Data Environment).
PCI DSS v4.0 | 8.4.1 | MFA is implemented for all non-console access into the CDE for personnel with administrative access.
PCI DSS v4.0 | 8.4.2 | MFA is implemented for all access into the CDE.
PCI DSS v4.0 | 8.4.3 | MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE.
PCI DSS v4.0 | 8.5 | Multi-factor authentication (MFA) systems are configured to prevent misuse.
PCI DSS v4.0 | 8.5.1 | MFA systems are implemented as follows: • The MFA system is not susceptible to replay attacks. • MFA systems cannot be bypassed by any users, including administrative users, unless specifically documented and authorized by management on an exception basis, for a limited time period. • At least two different types of authentication factors are used. • Success of all authentication factors is required before access is granted.
PCI DSS v4.0 | 8.6 | Use of application and system accounts and associated authentication factors is strictly managed.
CIS v8 | 6.3 | Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
CIS v8 | 6.4 | Require MFA for Remote Network Access.
CIS v8 | 6.5 | Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
NYDFS | 12a | Multi-factor authentication. Based on its risk assessment, each covered entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information or information systems.
NYDFS | 12b | Multi-factor authentication shall be utilized for any individual accessing the covered entity’s internal networks from an external network, unless the covered entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
CISA Shields Up 2022 | 1.1 | Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
ACET | 232 | Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
ACET | 245 | Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution’s network and/or systems and applications.
ACET | 246 | Multifactor authentication (e.g., tokens, digital certificates) techniques are used for employee access to high-risk systems as identified in the risk assessment(s).
NIST CSF 1.1 | PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).
405(d) HICP | 2.S.A.6 | For devices that are accessed off site, leverage technologies that use multi-factor authentication before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails.
405(d) HICP | 3.M.D.1 | Virtual Private Networks (VPNs) should be configured to limit user access based on role-based access control (RBAC) or ABAC rules and to enable MFA.
405(d) HICP | 3.M.D.2 | These [Virtual Desktop Environments] are environments where virtual terminal sessions can be exposed to remote access, allowing your employees to work remotely. Although highly useful for workforce flexibility, virtual desktop environment systems can be compromised easily if they lack MFA.
405(d) HICP | 9.M.C.3 | If remote access is required to manage medical devices, MFA capabilities should be deployed, with HDO acceptance of the system access mode to be used. Depending on the deployment scenario, the device manufacturer may be required to support remote access capabilities. Otherwise, such capabilities should be deployed on a separate component of your existing MFA system to limit exposure if the MFA system is compromised.

If you want to learn more about 2-factor authentication, please check out our article at Stern Security.  To ensure that you’re adhering to all of your cybersecurity controls including 2-factor authentication, use Velocity.  You can measure your baseline security for free with Velocity today. Secure the Planet!