What is Two-Factor Authentication

At Stern Security, we have declared February 2nd as Two-Factor Authentication Day!  The date is 2/2 so naturally it’s the best day for this holiday.  This is a day to spread awareness about 2-factor authentication which is one of the most important ways to protect your online accounts at home and at work.  Using a password alone is not enough – you need two-factor authentication.

Forms of Two-Factor Authentication

Have you ever logged into a banking site on your computer by typing in your username and password and the site sends a text/SMS message to your phone to confirm your identity?  That is two-factor authentication!  It is using two different forms of authentication to confirm your identity.

There are three forms or “factors” of authentication:

  1. Something you know: Password, Passphrase, PIN, Secret Questions, etc…
  2. Something you have: Badge, Hard Token (ex. Yubikey), Phone, etc…
  3. Something you are: A physical trait such as a fingerprint, retinal scan, FaceID, etc…

Two-factor authentication uses two different factors to authenticate an individual.  In our banking example, the password was the first factor (something you KNOW), and the text message to the phone was the second factor (something you HAVE).  This is much more secure than a password alone, because a password by itself can be guessed, phished, or stolen in a breach.  One caveat: SMS is the weakest of the common second factors, since codes can be intercepted or redirected by SIM swapping, so prefer an authenticator app or a hardware token wherever the site offers one.
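As an added example (this is not code from the original post or from Stern Security), here is a minimal implementation of the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps and many hard tokens use for the "something you have" factor. The secret and time values used in the comments are the RFC's published test vector; the replay check and the plus/minus one step drift window are design choices of this example, not something the post prescribes.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference secret (ASCII "12345678901234567890"). A real site
# generates a random secret per user and shows it once as a base32 QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app is provisioned with."""
    cleaned = encoded.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding apps often omit
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second step number."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int,
                last_counter: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check of the second factor.

    Returns the time-step counter the code matched, so the caller can store it
    and reject later reuse of the same code (replay), or None if the code is
    wrong.  The +/- window steps tolerate clock drift between phone and server.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = now // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if last_counter is not None and counter <= last_counter:
            continue  # this step (or an earlier one) already authenticated the user
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Same bytes as RFC_TEST_SECRET, in the base32 form an authenticator app stores.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("code the phone would show:", code)
    print("accepted counter:", verify_totp(secret, code, now))
    print("replayed code accepted?", verify_totp(secret, code, now + 5, last_counter=now // 30))
```

The secret is shared once at enrolment and never sent again; each login sends only a short-lived code derived from it, which is why a password dump alone does not let an attacker in. Note that the "accept the previous and next step" window means a stolen code is usable for up to about 90 seconds, which is why the server must remember the last accepted counter.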

Are there other names for Two-Factor Authentication?

Two-Factor Authentication goes by many names and abbreviations.  Some of the other names include: Multi-Factor Authentication (MFA), which is the broader term for two or more factors, 2-Factor Authentication (2FA), and Two-Step Verification.  Yes, there are some slight differences between Two-Step Verification and Two-Factor Authentication, but we’ll cover that in a separate article.

Why Do We Need Two-Factor Authentication?

A password alone will not protect your account.  Your password could be guessed, phished, or intercepted.  Additionally, companies get hacked frequently and some of your passwords are probably publicly available.  Sites like Have I Been Pwned track compromised accounts from over 600 breached sites and allow you to look up whether your account was in one of those known breaches.  If a site is hacked, a strong password may not save you if the site stored passwords in plaintext or with weak hashing.  However, many people do not choose passwords wisely and tend to pick passwords that are easy to remember like Password123!, P@ssw0rd, or Winter2022.  In our penetration testing engagements, we often get into accounts because of these weak passwords.  If you are relying on a password alone to protect your account, you are putting your account at great risk.

What is NOT Two-Factor Authentication?

Sites that ask for a password and follow up with secret questions (ex. What is your dog’s name) are not using 2-factor authentication.  Both the password and the secret questions are “Something you Know”, so this is using one factor twice.  The same applies to a password followed by a PIN.

Where Should I Enable Two-Factor Authentication?

You should enable two-factor authentication on any account that supports it.  This includes email (ex. Gmail, Outlook, Yahoo, Apple), social media accounts (ex. Twitter, LinkedIn, Facebook, Instagram), password managers (ex. 1Password, LastPass), gaming sites (ex. Epic, Blizzard) and banking sites.  Most modern applications support some form of two-factor authentication.  For a list of sites that support it, and which forms they offer, see the 2FA Directory.

Conclusion

Today, 2/2 is 2-factor authentication day so please ensure that you have 2-factor authentication enabled on all of your online accounts!  Spread the word to your family, friends, and co-workers.  As always, if you want to ensure your organization has all of the necessary security controls in place, including 2-factor authentication, you can use our Velocity application today.  Happy 2FA Day!

The 405(d) HICP Cybersecurity Framework

What is 405(d) HICP?

405(d) Health Industry Cybersecurity Practices (HICP) is a healthcare cybersecurity framework created under a congressional mandate in the Cybersecurity Act of 2015.  Section 405(d) of that act has the goal of strengthening the cybersecurity posture of the healthcare and public health sector.  A collective called the 405(d) Task Force was formed from both the public and private sectors.  This task force includes members of the U.S. Department of Health and Human Services (HHS), over 200 healthcare and cybersecurity experts, and the Health Sector Coordinating Council.  Their deliverable was the 405(d) Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.  This framework contains 326 cybersecurity controls for organizations within the healthcare industry.

What is a Cybersecurity Framework?

A Cybersecurity framework is a collection of controls that companies can put in place to reduce the risk of a cyber-attack.  An example control could be “Enable Multi-Factor Authentication (MFA) for all Remote Access”.

What Size Organizations Use 405(d) HICP?

Any size organization can use the 405(d) HICP guidance.  The framework is divided into three sections: Small Organizations, Medium Organizations, and Large Organizations.  The framework recommends that healthcare organizations follow the controls specific to their size.  To determine which size applies, the framework provides a sizing chart, shown below.

Organization sizing guide (Department of Health and Human Services)

Is 405(d) HICP Only for Healthcare?

Most of the controls within 405(d) HICP can be used by organizations in any industry.  However, one section of the framework, Section 9, contains 25 controls for Medical Devices, and that section simply would not apply to non-healthcare industries.

How Can I Follow the 405(d) Guidance?

The 405(d) HICP Framework can be found as a detailed PDF or a basic spreadsheet on the Health and Human Services website: https://405d.hhs.gov/protect/hicp.  Unfortunately, working through the PDF or spreadsheet is not ideal because it takes considerable manual effort to create graphs that show progress and program maturity.  Thankfully, Stern Security has built the 405(d) framework into Velocity.  Within Velocity, the 405(d) framework is easy to use, has a clean interface, contains graphs that depict an organization’s maturity, and has reports for download.  Additionally, the controls for small organizations are completely FREE.  Any organization can quickly sign up for a free Velocity account and start using the 405(d) HICP framework today.

Works Cited

Department of Health and Human Services. (n.d.). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. Retrieved from HHS 405(d) Aligning Health Care Industry Security Approaches: https://405d.hhs.gov/Documents/HICP-Main-508.pdf

Break Down Silos & Secure the Planet

The 2022 Triangle InfoSeCon event hosted by Raleigh’s ISSA was on September 9th, 2022. To a full crowd, Stern Security’s Founder & CEO, Jon Sternstein, gave a presentation titled: “Break Down Silos & Secure the Planet”.

The presentation abstract was the following:

People tend to cluster in their own silos and tribes in both society and within companies.  We have seen the dangers of lack of communication between individuals with different viewpoints play out between nations, states, politics, and more.  This siloed mindset also occurs within companies and industries and can lead to massive cybersecurity issues.

This presentation will discuss the importance of breaking down silos.  Technical stories will be shared of large security vulnerabilities that we have discovered that would have been prevented if the company’s employees and contractors did not operate in silos.  We’ll also discuss some hacks to break out of your own silos, hack impostor syndrome, infiltrate executive ranks, and secure the planet.

Jon Sternstein’s presentation was an important lesson on working together to secure companies and to have a stronger society. Secure the Planet!

2022 Velocity Healthcare Data Breach Report

In its first annual healthcare data breach report, Stern Security has analyzed over 4,000 data breaches reported since the Department of Health and Human Services began tracking the information in 2009. Stern Security used data from its HealthcareBreaches.com website as well as published information from Health and Human Services to create this comprehensive report.

This report presents thought-provoking insights into healthcare breach trends over the past 12 years. It covers everything from the number of breaches attributed to ransomware to third-party (business associate) breaches. More healthcare breaches occurred in 2021 than in any other year, and the report analyzes that year in detail.

If you enjoyed the report and want to stay in the loop, please join our mailing list.

Breached Healthcare Records Surpass U.S. Population

Healthcare breaches have recently reached a grim milestone. As of June 10th, 2022, the number of Protected Health Information (PHI) records breached has reached 341,995,928.  To put this in perspective, that number surpasses the United States population, which stands at 332,759,097 (United States Census Bureau, 2022).

As the graphs show on HealthcareBreaches.com, this startling loss of data is almost entirely due to hacking.

Note that these numbers only include reported healthcare breaches containing 500 or more PHI records, since breaches under 500 records are not listed publicly, so the true total is higher.  To view additional trends, please visit our healthcare executive data breach dashboard at https://www.healthcarebreaches.com/ and use the control panel on the left side to fine-tune your area of interest.

Works Cited

United States Census Bureau. (2022, June 10). U.S. and World Population Clock. Retrieved from United States Census Bureau: https://www.census.gov/popclock/