At the Cost of Life: The Counterfeit Pharmaceuticals Industry

Out of all the fraudulent goods that circulate the world amongst their legitimate counterparts, the counterfeit pharmaceuticals market is one of the largest sectors. Counterfeit pharmaceuticals is a booming business, with multiple sources pointing between an estimated $200-$300 billion dollar revenue. Worse, the stakes behind counterfeiting pharmaceuticals are higher than fake handbags – people around the world depend on medication for their livelihood.

The World Health Organization has a broad definition of what constitutes a counterfeit drug – any drug that has been deliberately or fraudulently mislabeled with respect to identity or source. The term ‘counterfeit pharmaceuticals’ is an umbrella that encompasses everything from changing things like date of expiration on packaging to altering the raw materials to removing the active ingredients from the medication.

Counterfeit medications make up roughly 10% of pharmaceuticals on a global scale, but it’s important to note that this isn’t an even spread throughout each country in the world. Developing countries face fraudulent pharmaceuticals on a wider scale than you might find in first world countries that have more regulations.

But even in those areas there are plenty of opportunities for criminals to take advantage of the system. Counterfeit pharma is an attractive industry to criminals – especially those with organized crime connections – as it can generate enough revenue to rival trafficking things like heroin. This is because they can charge near market prices for big ticket medicines like cancer treatments and insulin, which makes it easier to mass produce knockoffs for a substantial profit.

All drugs must undergo clinical trials to test their efficiency, quality, and potential side effects before they can be marketed to the public. These measures function as a safety valve to protect consumers. However, these regulations are not observed by the manufacturers of counterfeit products. Instead, they use substandard products, leave out active ingredients, or otherwise tamper with the components. The end result can range from ineffective treatment to severe health problems or death.

The way pharmaceuticals move through the supply chain can leave them vulnerable. There’s typically three major phases of it – manufacturing, distributing, and retailers.

Usually the chemical compounds that compose the active ingredients of a drug are manufactured in places like China or India due to the relatively low cost of raw materials in those regions. Indeed, India itself is home to more than fifteen thousand illicit drug factories, which are estimated to supply approximately 75% of the world’s counterfeit drugs. Continuing the manufacturing process, those chemical compounds are made into their respective forms – whether that’s capsules, injections, creams, etc. – either in the country of origin or in USA/Europe.

The drugs are then shipped in large quantities to packing facilities, where they are prepared for the distribution phase. This part is particularly vulnerable, as this is an area where criminals can deposit convincing fakes to be combined with the legitimate drugs.   

That said, counterfeiting can occur outside the distribution chain as well because of internet and mail order markets, street vendors, etc. This is especially common in areas where medicine can be hard to acquire – counterfeit pharmaceuticals are a big problem in the developing world. Some pharmacists in these developing regions are compelled to buy from the cheapest – but not necessarily the safest – suppliers in order to compete with the street market.

Things such as lotions, creams, and oils are often counterfeited as they are relatively easy to make and then sold by illegitimate suppliers. Production of these goods is generally less regulated than pills or injections because knockoff ointments are most likely going to be less potentially damaging than their oral counterparts. That said, there were a significant portion of counterfeit injectables found amongst the legitimate pharmaceutical supply chain, which tend to cost more and can have deadly effects. Overall, though, anything that is profitable is at risk to be counterfeited – things that range from treatments for AIDS to Cancer to Diabetes to antibiotics and more. Theoretically, every patient is at risk – thus counterfeit pharmaceuticals are a problem that should concern everyone.

The human toll is enormous, as a study by the World Health Organization calculated that up to 72,000 deaths from childhood pneumonia could have been attributed to the use of antibiotics that had reduced activity, and that number climbs to 169,000 if the drugs had no active ingredients at all. These low quality drugs also add to the danger of antibiotic resistance, which threatens to undermine the power of these life-saving medicines in the future.

Three international security organizations including Interpol, the Institute of Security Studies, and the Global Initiative against Transnational Organized Crime have called for an overhaul of the regulatory, enforcement, and education systems for medical supply chains in Africa specifically. This is in order to reduce the spread of counterfeit pharmaceuticals across the continent. The three organizations commissioned a study called “The rise of counterfeit pharmaceuticals in Africa” under a bigger project funded by the European Union that is dedicated to Enhancing Africa’s Response to Transnational Organized Crime (ENACT). Findings from the study suggested that counterfeit pharmaceuticals accounted for nearly 30% of drugs on the market in Africa.

In order to address the proliferation of fraudulent pharmaceuticals, anti-counterfeiting measures have been rising up around the world. For example the U.S. Drug Supply Chain Security Act requires pharmaceutical companies to add serial numbers to all packages over the next few years, which should help in tracking the movement of the medications through the supply chain. Several non-profits have been founded to combat the issue as well.  Overall, however, finding a solution to this issue is going to be something that requires sustained commitment not only on a national level but on an international plane between health organizations, law enforcement, healthcare stakeholders, and the pharmaceutical industry as a whole.

This article was written by Kristina Weber of Centry Global. For more content like this, subscribe to our blog for bi-weekly articles related to the security industry and follow us on Twitter with our new handle @CentryGlobal!

The Future of AI, Security, & Privacy

Artificial Intelligence is a subject that is not just for researchers and engineers; it is something everyone should be concerned with.

Martin Ford, author of Architects of Intelligence, describes his findings on the future of AI in an interview with Forbes.

The main takeaway from Ford’s research, which included interviews with more than twenty experts in the field, is that everyone agrees that the future of AI is going to be disruptive. Not everyone agrees on whether this will be a positive or negative disruption, but the technology will have a massive impact on society nonetheless.

Most of the experts concluded that the most real and immediate threats are going to be to cyber security, privacy, political systems, and the possibility of weaponizing AI.

AI is a very useful tool for gathering information, owing to its speed, the scale of data it can process, and of course the automation. It’s the most efficient way to process a large volume of information in a short time frame as it can work faster than human analysts. That said, it can come with some detriments. We have started to see that its algorithms are not immune to gender and race bias in areas such as hiring and facial recognition software. Ford suggests that regulation is necessary for the immediate future, which will require continuing conversation concerning AI in the political sphere.  

AI-based consumer products are vulnerable to data exploitation, and the risk of that has only risen as we have become more dependant on digital technology in our day to day lives. AI can be used to identity and monitor user habits across multiple devices, even if your personal data is anonymized when it becomes part of a larger data set. Anonymized data can be sold to anyone for any purpose. The idea is that since the data has been scrubbed, it cannot be used to identify individuals and is therefore safe to use for analysis or sale.

However, between open source information and increasingly powerful computing, it is now possible to re-identify anonymized data. The reality is that you don’t need that much information about a person to be able to identify them. For example, much of the population of the United States can be identified by the combination of their date of birth, gender, and zip code alone.

With consent-based regulations such as GDPR concerning the right to digital privacy, it is clear that people want to know how their information is used, why, and how it can affect their lives. Furthermore, that they want control over how their information is used.

This article was written by Kristina Weber, Content Supervisor of Centry Ltd. For more content like this, be sure to subscribe to our blog, which updates every other Friday with articles related to the security industry!

Security Predictions for 2019

The predictions for 2018 that we shared last year seemed to land on the points of data protection and cyber security, while it strayed from others – most notably on the front of cryptocurrencies. BitCoin was a hot topic in 2017, surging to values that had people everywhere kicking themselves for not investing sooner. What unfolded after was an epidemic of articles predicting a global acceptance of cryptocurrencies. That balloon popped when the cryptocurrency market crashed in early 2018, and it seems that many have quietly reneged their cryptocurrency hype since.

Continuing the tradition, here are a few insights into the forecast for 2019:

Supply Chain Attacks. While these threats can occur in every sector of the economy as it pertains to supply chains, the industries that most commonly experience these attacks include pharmaceuticals, biotechnology, hospitality, entertainment, and media. Manufacturing operations are attractive targets to adversaries, due in part to having such a broad potential surface of attack. With increasing reliance on the supply chain, there is a wealth of information that could be obtained if organizations have not taken appropriate steps to secure themselves. For more information on cyber security in the supply chain, read our article here.

Further development of consumer privacy laws. Last year we saw the launch of the European Union’s GDPR, which marked the first big regulatory move toward protecting consumer information. Soon after, California passed a bill (Consumer Privacy Act of 2018) that seems to be the state’s version of GDPR – it is slated to go into effect at the end of 2019. A draft for a federal privacy bill for the United States may arrive early in 2019 after concerns over a number of privacy breaches.

Continuing adoption of artificial intelligence across wider society. From Alexa to politics, AI will continue to spread across industries and uses. Chinese companies have announced intentions to develop AI processing chips to avoid reliance on US-manufactured Intel and Nvidia. There is rising concern that AI technology could be increasingly used by authoritarian regimes for the purpose of restricting personal freedoms. As AI continues to spread its proverbial wings, we could see a move toward “transparent AI”, that is, an effort to gain consumer trust in the use of AI by being clear in how it uses human data and why. Of course there is always the worry that the rise of AI will create a jobless future for people, however Gartner suggests the opposite, that artificial intelligence will create more jobs than it will eliminate.

Big data breaches will push companies to tighten login security. We might see a concerted effort of the security industry to replace username/passwords altogether, pushing toward an alternative solution as an industry standard. Biometrics – for example facial recognition or fingerprint logins – are certainly on the rise.

Digital skimming will become more prevalent. The trick of card skimming has moved to the digital world, where attackers are going after websites that process payments. The growth of online shopping has made checkout pages attractive targets. British Airways and Ticketmaster were two high profile cases of this. The British Airways case was particularly alarming, as airlines in general have access to a wide breadth of information ranging from birthdates, passport details, payment information and more. Although the airline was able to confirm that no travel data was stolen in the attack, it nonetheless remains as a cautionary tale.

This article was written by Kristina Weber. For more content like this, be sure to subscribe to Centry Blog for bi-weekly articles related to the security industry. Follow us on Twitter @CentryLTD and @CentryCyber!

2018 Year in Review

As 2018 comes to a close, we reflect on those moments throughout the year that defined the times yet to come. For Centry, 2018 was a year that brought us great joys like the opening of our new branch in Mexico City and establishment of the ASIS Ukraine chapter, but also times of mourning after our colleague, Mr. Rachid Boukhari, passed away in June. Above all, it has been a journey, and one we are grateful to undertake for the mark we make on this world.

From our Centry family to yours, we wish our readers love and joy over the holidays, and a happy new year!

In keeping with the tradition of our year’s end articles on Centry Blog, we put together a list of some of our most-read stories from 2018 below.

January

Centry’s GDPR Guide

Our GDPR guide breaks down exactly what the EU’s General Data Protection Regulation was all about. This article was highlighted on TWiT live in an interview with our CTO Dave Ehman!

February

The Next Gold Rush: Renewable Energy

The Renewable Energy industry just might be the next gold rush for businesses and investors alike. This time, we aren’t hiking into the Klondike for gold; individuals and organizations alike are turning their eyes toward the broader world, looking out for opportunities to make good on this booming initiative.

March

Hidden Sanctions Risk: North Korean ties to Africa

The connection between Namibia and North Korea stands as but one example among many similar stories. It began in the 1960s, when several African countries started the struggle for independence from colonialism. During this vulnerable time period, North Korea invested time and money in these revolutions, where the political ties eventually grew into commercial relationships.

April

Human Trafficking in the European Union

Over the course of the past two decades, the European Union has been making an increased effort to understand and address the heinous crime of human trafficking. The most recent publication of statistics from Eurostat concerning registered victims and suspected traffickers revealed that a number of non-EU nationals are trafficked into member states, primarily from Nigeria.

This week’s article on Centry Blog examines just a facet of this deep and complex issue through analyzing Nigerian campus cults, the international response, and global business reponses.

May

Fake Social Media Profiles and What To Do If You Are Being Impersonated Online

False accounts are prevalent across social media, mainly used for phishing purposes. Whether it’s a bot or malicious actor threatening your account, we put together an instructional guide for those moments that you notice you have a seemingly second profile, not of your own making.

June

Supply Chain Security Introductory Guide

Having a secure logistics supply chain can save your company millions in terms of assets and reputation, and here at Centry, we have the know-how to help you. This article serves as an introductory guide to security in the supply chain.

July

Typosquatters

Sometimes fat-finger errors can lead to more than just an autocorrect goof. Some scammers have figured out how to lay traps surrounding these common mistakes.

August

Common Security Dos and Don’ts

Our article on Common Security Dos and Don’ts covers what you and your business can do to prevent costly breaches of data and trust.

September

Golden Visa for sale! Now on special offer for the 1%

In some countries, you can buy your way to citizenship. European passports and Schengen visas are the most desired traveling documents in the world. Not only do they grant the most traveling freedom, they give access to a safe and stable living environment, with free speech, in a market that can fulfill all your needs. Many EU countries have taken advantage of this by offering entry in exchange for investment. This kind of activity is commonly referred to as a Golden Visa Program.

October

5 Basic Digital Privacy Tips for the Average Person

Digital privacy is for everyone. But it’s also a massive topic that can be very easy to get lost in, especially if you’re new to to it. However, you don’t need to be a security expert nor do you need any particular reason to want to bolster your privacy on the internet.

November

What is Social Engineering?

Social engineering is a growing threat to individuals and businesses alike. In this article, we look into what social engineering is, the ways it can manifest, and what you can do to protect yourself.

December

Cyber Security in the Supply Chain

Your company might have a rigorous Cyber Security policy, and thorough training on all its personnel. But what happens when the security vulnerability comes from a trusted source in the Supply Chain?

Security professionals must now consider not only the possible vulnerabilities of their own network, but their supplier’s network, and their supplier’s supplier network, and so on.

We hope you have enjoyed Centry Blog this year. For more content like this, be sure to subscribe and follow us on Twitter @CentryLTD! We will see you in 2019!

Cyber Security in the Supply Chain

Cyber Security is generally accepted to encompass the protection of our interconnected information systems and assets including hardware, software, applications and data.  In that range of topics, one of the most important areas of concern for Cyber Security professionals is Vulnerability and Patch Management within the realm of Security Operations.

Vulnerability and Patch Management is the ongoing practice of ensuring that your systems and applications are kept up to date, scanned for known and unknown vulnerabilities.  The conventional wisdom is simple – when a software vendor provides security updates for critical application, these should be installed as soon as possible. Right?

Microsoft issues security patches for Windows and Office applications on the second Tuesday of each month. Apple issues security updates a handful of times per year.  Other vendors have similar programs.

When a vendor issues security updates, they usually disclose the particular security vulnerabilities that it was intended to fix.  So, as soon as a security update is released, the vulnerability becomes “public”. Now that the vulnerability is available (to bad actors) it is even more crucial that the fixes be applied in a timely manner.

All of this assumes that the vendor (the “Supplier” of this particular “Supply Chain”) has not already been compromised.  Imagine if a hacker could get in to the systems of our software supplier, make changes to released software that add malware.  Diligent users would unknowingly, and quite reliably continue to install updates, that now include malware.

If this sounds like a nightmare scenario, it is.  And it has already happened.

Examine the case of the Not Petya worm.  This started at a small company in Ukraine that supplies a piece of software called M.E.Doc.   You probably don’t use M.E.Doc. so you are not worried, right? M.E.Doc. is accounting software, used in Ukraine (think Quicken/TurboTax) and is required for filing national taxes.  So a large number of Ukraine based companies use it. In the spring of 2017, outside forces (likely Russian) hijacked the company’s update servers, injecting malware that included a small, but critical backdoor into the software.  As users updated their systems, they were infected with a backdoor, which laid latent for a month or two.

Then, the attack was launched.  The attack leveraged other vulnerabilities in Windows known as Eternal Blue and Mimikatz. These vulnerabilities rely on being “inside” the network of a company, behind the firewall, and once there, were able to spread globally encrypting data and asking for ransom.  Large multinational companies were affected, including banks, large shipping interests, manufacturing and more. If your company had an office in Ukraine, you may have been affected. If one of your suppliers, to whom you connect has offices in Ukraine, or is connected to someone who does, you might have been affected.

The upshot is this: Supply Chain security in Cyber Security is a now multi level concern.  Security professionals must now consider not only who might get in to their own network, but who might get in to their supplier’s network and who might get in to their suppliers’ supplier’s networks, and so on.

As is the case in other areas of Supply Chain security, we must concern ourselves with not only preventing bad things from happening, but assuming that they can, and trying to limit what can be done when bad things happen anyway.

And there is no simple answer.  Keep systems up to date to protect from know vulnerabilities.  But know that these updates can themselves introduce other vulnerabilities.

This article was written by Dave Ehman and edited by Kristina Weber. For more content like this, be sure to subscribe to Centry Blog for new articles every other week on topics relevant to the security industry. Follow us on Twitter @CentryCyber and @CentryLTD!

What is Social Engineering?

One of the most common methods of fraud is social engineering. This refers to a calculated deception that targets people in order to obtain sensitive information relative to their business, identity, or finances.  

There are two main categories of social engineering: (a) Mass Fraud, which is mostly comprised of basic techniques meant to scam a high quantity of people; and (b) Targeted Fraud, which is a highly-specialized method of fraud that singles out a specific individual or company.

The majority of these schemes follow the same general path. It begins usually with gathering information on a topic or target. Once enough information about the target has been obtained, scammers can focus on developing a false sense of security and trust with their target. In cases of mass fraud, this could look like replicating the design of a Netflix customer service email, or in targeted fraud establishing enough of a friendly rapport with an individual over the phone that they feel comfortable providing more and more information. Once this has been established, scammers can exploit any of the identified vulnerabilities and ultimately execute the scam.

Social engineering works because it preys on our instinct to trust.

Let’s say you are at work and receive a call or email from a “colleague” asking for some sort of account number or other piece of information related to the business. If you haven’t had any training on your company’s confidentiality policy, you might not think twice about providing this person the information they ask for. After all, they might seem trustworthy, or talk about things in a way that would give you no reason to suspect they aren’t a fellow coworker. That’s because they have meticulously studied how to prop up the illusion.

These types of attacks are common; all you need to do is look at the news to find examples. Just recently it was found that hackers connected to the Russian government were impersonating US State Department employees and sending emails with downloadable attachments. These attachments would then install software that could provide the hackers access to internal systems.

These fraud attempts aren’t just work-related. They can target you at home, too.

The Internal Revenue Service (IRS) of the United States just issued a warning about a new tax related scam. A surge of emails recently have been impersonating the IRS and using “tax transcripts” as bait to trick users into opening documents that contain malware. The malware behind this scam, Emotet, has been historically associated with posing as financial institutions in order to encourage people to download the malicious attachments. The IRS has recommended that if you have received one of these emails to delete it or forward it to phishing@irs.gov.

So how can you protect yourself?

Individuals can take the time to be vigilant of unfamiliar calls and emails. Sometimes social engineering won’t be a singular attempt. It could be repeated calls over years that slowly harvest the information needed to execute a scam. When in doubt, you can double check with the source, and avoid providing personal information. Meanwhile, companies can develop a guide for handling sensitive information to avoid blunders with fake employees. With sufficient training, employees can be taught to recognize different types of fraud and have an established plan for handling it should they come across it.

This article was written by Kristina Weber of Centry Global. For more content like this, subscribe to our blog and follow us on Twitter @CentryLTD!

Finnish Security Awards 2018

We are honored to have been part of the Finnish Security Awards (FSA), which took place last month in October 2018. This is the fourth time that this event has been organized, thanks to Turvallisuus & Riskienhallinta, a Finnish security and risk management magazine.

This year the awards were held at the Old Student House in Helsinki. The opening ceremony featured a presentation about the future of security and safety by Professor Esko Valtaoja. There are eleven award categories at FSA, and each one had its own jury that was comprised of respected professionals in the industry.

A number of us at Centry attended the awards ceremony, and Mr. Risto Haataja of Centry was a member of the jury that selected Security Company of the Year!

This slideshow requires JavaScript.