Four sustainable approaches to becoming resilient to cyber attacks
Ransomware malfeasance has been growing over the past 10 years, impacting individuals, small businesses, municipalities, police departments, law firms, doctors’ offices and now hospital systems. The intent is to extract financial gain and the victims generally are embarrassed or frustrated into paying the ransom to get back to normalcy. Unfortunately, payment of the ransom emboldens the perpetrators of this crime.
What’s disturbing about the attacks at Hollywood Presbyterian Medical Center and MedStar Health earlier this year is the possible implications and consequences for the community or patients of other health organizations watching these stories unfold and prompting nagging questions. Have patient records been compromised to fuel future identity theft scams? Is there a possibility of recurrence now that the criminals know they will get paid by the entity? Or is the loss of use of the hospital’s EHR system a contributing factor to poor patient care or a worse fate such as loss of life?
Many healthcare organizations endeavor to maintain HIPAA security and privacy compliance. Compliance in these areas does not equal effective security or comprehensive information security risk management. Best-practice frameworks and standards such as the NIST Cyber Security Framework, PCI Data Security Standards, or ISO 27001:2 Enterprise Security Management Standards are great guides for what to address but offer little or no guidance on how to address it specifically in your environment. Furthermore, healthcare organizations have different environments and different resources at their disposal.
The devil is in the details. Larger institutions generally have more dollars to attract and retain IT and information security talent than small institutions do. The same is true for use of managed services, updated information security technologies, or advanced incident response capabilities. So are small institutions at a disadvantage? Not necessarily. Healthcare organizations of all sizes would be well served to take four steps that are less technology-heavy and provide sustainable approaches to being resilient to threat actors.
Annual Independent Assessment
Annual independent assessment is a critical governance tool to provide a comprehensive evaluation of implemented security policies, procedures, controls and staff in relation to best practices and industry standards. One of the critical components of this effort is to scan the network for potential vulnerabilities that can result in a large exposure.
It’s a good practice to separate IT governance from IT management. This is particularly important if your institution relies on external managed service providers to manage and maintain your network and systems. The IT governance function should work with the independent assessor to validate the root-cause issues that contribute to data security risk and understand viable, pragmatic alternatives to mitigate the risk.
In any case, it is imperative for healthcare organizations to baseline and understand:
- Assets on your network
- Wireless access points
- Identity and access management
- Open/allowed ports
- Network security monitoring capabilities
- Network traffic activity due to the use of BYOD devices and interactions with business associates' networks, some of which may appear to originate from the top phishing countries where you do not expect to have activity.
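The baseline comparison described in the list above, as an added example that is not part of the original article: an approved baseline of hosts and allowed ports is compared against the organization's own scan of its subnets, and flow records are checked against the countries where traffic is expected. All hosts, ports, flows and the country code "ZZ" are constructed placeholders.

```python
# Added example (not from the article): compare an observed network state
# against an approved baseline, as the "baseline and understand" step describes.
# All hosts, ports and flow records below are constructed sample data.

# Constructed baseline: known hosts and the ports each is allowed to expose.
BASELINE_PORTS = {
    "10.0.1.10": {443},          # patient portal web front end
    "10.0.1.20": {443, 5432},    # EHR application server and its database
    "10.0.2.5": {22},            # administrative jump host
}
# Countries where the organization expects to see traffic (constructed).
EXPECTED_COUNTRIES = {"US"}


def unexpected_ports(observed, baseline=BASELINE_PORTS):
    """Return {host: [ports]} for open ports absent from the baseline.

    A host missing from the baseline entirely is reported with all its ports,
    since an unknown asset is itself a finding.
    """
    findings = {}
    for host, ports in observed.items():
        extra = set(ports) - baseline.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


def unexpected_flows(flows, expected=EXPECTED_COUNTRIES):
    """Return flow records whose remote country is outside the expected set."""
    return [f for f in flows if f["country"] not in expected]


# Constructed observation: result of the organization's own scan of its subnets.
OBSERVED_PORTS = {
    "10.0.1.10": [443],
    "10.0.1.20": [443, 5432, 3389],   # RDP appeared since the baseline was taken
    "10.0.3.7": [80, 8080],           # host absent from the baseline entirely
}
# Constructed flow records, as exported from a firewall with a GeoIP lookup.
# "ZZ" is a placeholder country code, not a real country.
OBSERVED_FLOWS = [
    {"src": "10.0.1.20", "dst": "203.0.113.8", "port": 443, "country": "US"},
    {"src": "10.0.1.10", "dst": "198.51.100.9", "port": 443, "country": "ZZ"},
]

if __name__ == "__main__":
    for host, ports in unexpected_ports(OBSERVED_PORTS).items():
        print(f"{host}: open ports outside baseline {ports}")
    for f in unexpected_flows(OBSERVED_FLOWS):
        print(f"flow to {f['dst']}:{f['port']} in unexpected country {f['country']}")
```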
Furthermore, the IT governance function should require the independent assessor to evaluate the structure of the network to determine whether it is sufficiently segmented to isolate damage to operations, particularly electronic health record systems.
Vulnerability Scanning and Purple Teaming
Preventive and detective security controls are the keys to minimizing the impact of ransomware and other types of hacker attacks in the enterprise. Hackers do their homework. Their reconnaissance efforts begin with an understanding of the vulnerabilities in the target environment (think your network). Threat actors use many of the same tools IT security departments would use to scan your environment for the latest vulnerabilities to ascertain exploit impacts. Same tools, but different approaches. IT security departments may not scan with regular frequency, which allows unpatched systems to pile up on the never-ending workload of IT operations. Sophisticated hackers scan frequently, specifically looking for easily exploitable vulnerabilities (weak passwords, default passwords, open ports, lack of encryption) to gain network access and pivot around in your network to find saleable data for the dark market like patient health records, user account credentials, or credit card numbers.
Vulnerability scanning services are relatively inexpensive. When vulnerability assessment results are interpreted appropriately by the service provider, the report can become a prioritized roadmap to efficiently address critical risks. It can also be a barometer for assessing adherence to the service level agreements of managed services providers. For instance, many vulnerabilities are fixed by regularly applying the patches provided by the software and hardware vendors for the operating systems, applications, and devices in the environment. When old vulnerabilities exist (older than a year) or persist after a subsequent vulnerability scan, it may be because the managed services provider or IT department is under-resourced, lacks capabilities, or is concerned with performance or availability issues of legacy systems. For this reason, lazier hackers don't bother doing the homework and instead launch shotgun ransomware campaigns to harvest and extort easier targets.
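The roadmap and barometer use of scan results described above, as an added example that is not part of the original article: two consecutive scan exports are compared to find findings that persist between scans or are older than a year, and the current findings are ordered for remediation. Finding ids, hosts, severities, dates and the report date are constructed placeholders, not real scanner output.

```python
# Added example (not from the article): turn two vulnerability scan exports into
# a prioritized remediation list and flag findings that persist or are stale.
# All records below are constructed; ids are placeholders, not real scanner ids.
from datetime import date

# Constructed 'as of' date for the report.
REPORT_DATE = date(2016, 5, 1)

# Severity uses a CVSS-like 0-10 scale; first_seen is when the scanner first reported it.
PREVIOUS_SCAN = [
    {"host": "10.0.1.20", "id": "FINDING-001", "severity": 9.8, "first_seen": date(2015, 3, 1)},
    {"host": "10.0.1.10", "id": "FINDING-002", "severity": 5.3, "first_seen": date(2016, 1, 15)},
]
CURRENT_SCAN = [
    {"host": "10.0.1.20", "id": "FINDING-001", "severity": 9.8, "first_seen": date(2015, 3, 1)},
    {"host": "10.0.2.5", "id": "FINDING-003", "severity": 7.5, "first_seen": date(2016, 4, 2)},
]


def key(finding):
    """A finding is identified by the host it affects and the scanner finding id."""
    return (finding["host"], finding["id"])


def persisting(previous, current):
    """Findings present in both scans: nothing was fixed between the two runs."""
    seen = {key(f) for f in previous}
    return [f for f in current if key(f) in seen]


def stale(current, today=REPORT_DATE, max_age_days=365):
    """Findings older than the allowed age (the article's 'older than a year')."""
    return [f for f in current if (today - f["first_seen"]).days > max_age_days]


def roadmap(previous, current, today=REPORT_DATE):
    """Order remediation: stale findings first, then persisting ones, then by severity."""
    stale_keys = {key(f) for f in stale(current, today)}
    persist_keys = {key(f) for f in persisting(previous, current)}
    return sorted(current, key=lambda f: (key(f) not in stale_keys,
                                          key(f) not in persist_keys,
                                          -f["severity"]))


if __name__ == "__main__":
    for f in roadmap(PREVIOUS_SCAN, CURRENT_SCAN):
        age = (REPORT_DATE - f["first_seen"]).days
        flag = "STALE " if age > 365 else ""
        print(f"{flag}{f['host']} {f['id']} severity={f['severity']} age={age}d")
```

Findings that survive from one scan to the next, or that exceed the age threshold, are the ones to raise with the managed services provider against its SLA.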
IT security departments should have a rigorous and vigilant approach to know where a threat actor may ingress and egress the network and whether the security team has the capability to detect unauthorized activity if and when it occurs. Anti-malware products from companies like TrendMicro, McAfee, Kaspersky, and many others are one aspect of the defensive security controls, but they must be current and insulated from unauthorized change. Some security professionals would quip that anti-virus programs are no longer relevant or effective in light of "next generation" firewalls that do deep packet inspection. I would submit that for those healthcare organizations with more humble resources, anti-virus is an important arrow in the quiver in conjunction with good patch management.
A more thorough and expensive test of the environment, which also demonstrates the importance of training and hardware control, is to undertake a 'penetration test' or red team exercise performed by a third party. This entails hiring, essentially, a professional to 'hack' into your environment in any number of ways that a real attacker might. Penetration testing has the benefits of testing your system security, identifying weaknesses in that security, and identifying fixes where necessary. Additionally, the story of a penetration test is a highly effective tool in the training process.
Unfortunately, many penetration testing engagements become contrived and unrealistic, i.e. "don't touch these systems during these hours." Penetration testing and red teaming both focus solely on the offensive, or attacker, perspective against an organization and most often do not consider any defensive capability. Consider that red is our attack side, or the adversaries, and blue is the defensive side. Unfortunately, having both teams working together during security testing typically does not occur. Having a red team test the network or application provides a great service to understanding the weaknesses, but this is not all that should be considered when trying to increase the security posture of the organization.
The concept of "Purple Teaming" is that the assessment is performed with both teams at the same time. The blue team is at the ready, looking for what the red team is doing. The red team informs the blue team of what they are doing and what they should be looking for, and captures all activities so they can be replayed or repeated. The goal is for the blue team to get a better understanding of what attackers are doing and what that looks like on the network, and to build better prevention, detection, and monitoring controls.
Done right, the blue team should come out with better policies, procedures, training, monitoring and response plans. Seeing the attacks come through will help tune the policies, procedures and systems to ensure that critical events are properly alerted on and managed.
Better communication between the two sides of security should be capitalized upon. Too often it is an “us against them” situation. The goal of security is to improve the overall security posture of the organization. Purple teaming can take advantage of the time the two sides have together to move things forward rather than just testing and sending over a report that may or may not be acted upon.
User Awareness Training
The need for User Awareness Training is evergreen. The technology landscape changes, consumer choices change, user behaviors change. Existing employees and new employees all need ongoing security awareness training. User fatigue and user trust are two of the key issues. Users tire of the hype cycle around security issues; they become numb to the risk, especially if they have no first-hand experience. Employees are online longer, being exposed to “drive-by downloads” on websites. They trust the “friendly fire” emails forwarded from co-workers, friends, and family that beg them to open, read, and click on links. And sophisticated hackers are crafting more authentic email, voicemail, and text messages using social network discovery, stolen email addresses or user credentials.
Consider supplementing your program with a periodic phishing campaign if your user awareness program is a tired PowerPoint deck or a policy acknowledgment done once a year or only during employee onboarding. According to the Anti-Phishing Work Group 2Q 2014 report[i], the top countries hosting phishing sites were the US, China, Germany, Turkey, Russian Federation, United Kingdom, France, Netherlands, Poland, and Canada. It is relatively easy to put a phishing email in front of everyone on your system to see which users are too quick to put the firm at risk. Your internal or external IT experts can likely handle this chore, or it is relatively inexpensive to outsource this kind of system test.
Incident Response Planning
Provisioning an incident response team is an important prevention, detection, and correction planning step. Planning incident response while an incident is occurring is rarely productive or successful. Realize that incident response involves a coordinated communication plan and orchestration of internal and external resources.
- Put in place a trained team to monitor unusual behavior on the company's systems. Having the capabilities and wherewithal to adequately execute defensive strategies pales in comparison to the investment needed to field offensive strategies. Third-party monitoring can be acquired as a remote service, and incident response, digital forensics and e-Discovery providers need to be retained so they are available when necessary.
- Prepare to manage the business impact of an attack on customers, suppliers and operations. Incident response is not the sole domain of security professionals. Rather, it is an exercise in communication and preparedness. International law firms may need to evaluate whether there is a need to update business continuity plans and testing procedures to ensure the firm can sustain a cyber-campaign.
- Evaluate available countermeasures in terms of viability and effectiveness. Vulnerability assessments and penetration testing are the normal tools to assess the defensive posture of a company's security environment. Testing that countermeasures are effective requires more time, energy, and realistic conditions. Disaster recovery techniques identify recovery time objectives to establish benchmarks for how long an organization's systems can be down without negatively impacting the business.
- Establish relationships with federal, state, and local cyber security officials as well as federal agencies such as the Department of Homeland Security (DHS) and the US Computer Emergency Readiness Team (US-CERT). Sharing information about unusual network activity, denial of service attacks, phishing attacks, and quarantined malware gives more parties reason to be vigilant and lets them coordinate observation of similar malicious activity, which may help triangulate the identity of hackers.
- Develop partnerships with key security vendors and systems/communications providers. Understand the technology roadmaps of the key security vendors and systems/communications providers. Opening up a dialogue with those vendors can help identify needs for security patches and enlist their attention to unusual activity.
- Assure there is an incident response review process. Spending time to understand lessons learned will help to improve future response activities.