[BreachExchange] Using Layered Security for Evolving Cybersecurity Threats

[Audrey McNeil]

http://healthitsecurity.com/news/using-layered-security-
for-evolving-cybersecurity-threats

The healthcare industry possesses large amounts of sensitive information,
yet is consistently vulnerable to the evolving cybersecurity threats.
Refusing to adapt to the changing threat landscape, and work to implement a
layered security approach can prove especially devastating, according to a
recent Institute for Critical Infrastructure Technology (ICIT) report.

“Your Life, Repackaged and Resold: The Deep Web Exploitation of Health
Sector Breach Victims” discusses how healthcare data breach victims are
often affected for quite some time post-breach. Additionally, executives
often make “budget-line decisions that shift the risk of compromise onto
the patients,” which could then put their personal data at risk

ICIT Co-founder and Senior Fellow James Scott was one of the report’s
authors, and told HealthITSecurity.com that it was important to see what
happens after the initial healthcare data breach. ICIT wanted to “paint the
picture” for the events after an attack and how patients are potentially
affected.

“When somebody gets into your network, they exfiltrate information,” Scott
said. “Now they have a treasure trove of data. How is that marketed? What
are they using it for? What should victims know about what they’re in for?”

Patients will often feel the long-term effects of healthcare data breaches,
even though they did not determine how their data was going to be stored or
transferred. Healthcare organizations cannot cut cybersecurity budgets,
procrastinate system updates, postpone medical device updates, or
“Frankenstein” medical devices.

When health data is stolen, it could end up on Deep Web markets. Scott
explained that cyber attackers can fuel their business for an entire decade
from one breach.

Researchers first navigated the general marketplaces on the Deep Web and
found that basic slang terms are used to advertise the stolen information.
In the more private forums, there is terminology unique to that particular
forum. This is done so individuals who come in for surveillance cannot
immediately figure out what is being discussed and what is actually for
sale, Scott noted.

“Somebody that wants to have longevity on the Dark Web as a broker of
information, the last thing they want to do is draw unnecessary attention
to themselves in an already highly vulnerable situation,” Scott said.

For example, instead of saying that they have all of the PII from a
particular breach, the hackers will break up the information into short
form PII. They will release just enough for identity theft but might not
say where it is from. Over time, another batch of information will be sold,
with a little more data involved.

“After a breach, what we saw was that you can have one individual that
didn’t even have a successful breach, but they maybe stole 100,000 records
that can fuel their business for the next decade,” Scott stressed. “That’s
the kind of optimized monetary gain that these guys are looking for within
a breach.”

Another key discovery from the ICIT research was that the attacker might
set up beach heads for future attacks, according to Scott. This can help
create a type of remote access Trojan on a vulnerable device that has
perhaps been “Frankensteined” into the IoT microcosm. With no end point
security for that device, it could make the entire network vulnerable.

“They’ll use that as their rat where they can log in, log out, sell access
as a service, or they can even use a new ransomware variant or malware when
one comes out,” explained Scott.

Key report takeaways for healthcare organizations

Healthcare ransomware is simply the latest cybersecurity threat for the
industry, Scott maintained. It should not be the only aspect that
healthcare organizations are focusing on when creating data security
measures.

“The layers of security are the only things that will save them from a
layered attack,” he reiterated. “And they have to look at how an attack
will actually happen.”

For example, an initial DDoS or ransomware attack might bring in security
people to investigate the machine or device and try to assess the damage.
However, that device should be quarantined, and the entity should then
immediately view network activity, Scott explained.

“You’re looking at multi-factor authentication and user behavior analytics
to detect abnormalities in an infected machine,” he said. “That is where
the adversary is trying to move laterally from that machine and then
elevate privileges to map the system and find the treasure troves [of
data].”

A security operations team will also be greatly beneficial, and will likely
know more than just the IT guy, he added. The security operations team can
know where the threats will start looking for data, and they can pinpoint
those vulnerable areas of the IoT microcosm and begin to immediately shut
them down.

“This time last year, end point security and cybersecurity were only
expected to detect and respond,” Scott stated. “But now, with the mutating
hash and the metamorphic signature of malware and malicious code, you have
to have artificial intelligence that predicts [potential attacks].”

It is also essential for healthcare entities to have cybersecurity
expertise at the C-suite level. If hospitals or healthcare organizations do
not have a “real red team expert that knows how to hack” or can put
together a breach scenario, then those organizations have become
lackadaisical, Scott maintained.

Healthcare organizations should also consider how they are storing
information, Scott warned. If a hospital keeps all of its data on one
server that is not properly siloed, that could be a huge payload for a
cyber attacker.

“It’s going to take a lot of time and real interest for them to keep trying
to seek out where the next data treasure trove is,” he explained. “They’ll
have to go through a whole new layer of encryption, or even through a whole
new layer of analytics that might detect when there’s abnormal network
activity.”

Overall, healthcare organizations need to understand that the real target
in these types of attacks is individuals’ health data. It is no longer
acceptable to simply say “We were spear phished,” “We’re working with local
law enforcement,” or “We’re giving you a year’s worth of ID theft coverage.”

“There’s a fine line now with health sector organizations where at the end
of the day post breach, they still feel that they can justify the breach
and the pure dismantling of these people’s lives who have been victimized
and will continue to be re-victimized,” Scott said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161018/8046d969/attachment.html>