[BreachExchange] Utilizing Strong Cyber Hygiene for Ransomware Preparation

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 25 19:07:37 EDT 2017


The WannaCry ransomware attack was a wakeup call for healthcare
organizations across the globe, especially with the UK’s National Health
Service being severely impacted by the attack. This is further proof of why
strong cyber hygiene is necessary for entities to properly prepare for a
potential ransomware incident, according to ICIT Co-founder and Senior
Fellow James Scott.

The ransomware pandemic is just going to become worse, Scott said in an
interview with HealthITSecurity.com. Smart cyber hygiene comes down to
seemingly simple things, such as not clicking on email links when you’re
not familiar with who’s sending the email, he explained.

From an organizational perspective, employees should not be checking
personal social media or surfing the web for personal interests at work,
even during their breaks.

Citing recent ICIT best practices released in the wake of WannaCry, Scott
also maintained it was important to hover the cursor over a link prior to
clicking to ensure that the URL matches the hyperlink. Shortened links,
with applications such as Bitly, could be an easy way for a hacker to try
and get a user to download ransomware, he said.
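As an added illustration of the "does the visible URL match the hyperlink" check described above (this code is not part of the article), the snippet below parses an HTML mail body and flags links whose visible text is a URL pointing at a different host than the href, as well as links routed through a shortener. The shortener list and the sample mail body are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as link shorteners: the article names Bitly; the list itself is assumed.
SHORTENER_HOSTS = {"bit.ly", "bitly.com"}

# Constructed sample mail body (not from the article): a shortened link, a link whose
# visible URL disagrees with its target, and an honest link.
SAMPLE_EMAIL = """<p>Please review <a href="http://bit.ly/abc123">your records</a> and
confirm at <a href="http://login.not-the-portal.example/reset">https://portal.example.org/reset</a>.
Official site: <a href="https://portal.example.org/">https://portal.example.org/</a></p>"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-case host of a URL or bare 'www.' name; '' if there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def check_links(html):
    """Return (href, text, reason) for links a reader should not trust on sight."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        if href_host in SHORTENER_HOSTS:
            findings.append((href, text, "shortened link hides the destination"))
        # Visible text that is itself a URL must resolve to the same host as the href.
        if re.match(r"(https?://|www\.)\S+", text, re.I) and _host(text) != href_host:
            findings.append((href, text, "visible URL differs from href host"))
    return findings
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links and leaves the honest third one alone; the same routine can be pointed at a mail gateway's quarantined messages.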

“When it comes to exploits, such as malware, healthcare is the most
vulnerable and sought after to exploit,” Scott warned. “A lot of
organizations don’t even know where their data is. They’re not using
encryption, they’re not bringing data into silos – they still have one
massive treasure trove of health records.”

Healthcare organizations must remember the basics, he explained. This
includes user behavior analytics, which is a mandatory prerequisite to
guarding against situations such as a hacker who spear-phished an employee
with a keylogger. From there, the hacker can record the employee’s
keystrokes, gain the user credentials for access and move laterally throughout
the network to gather intelligence.

“We’re going to see more with ransomware, more of a compiled payload,”
Scott cautioned. “It’s not just going to be ransom, it’s going to have
things like screen capture, network mapping capabilities, Trojans, etc.”

“It’s going to get more sophisticated,” he continued. “Again, the most
vulnerable and easily exploited critical infrastructure silo is the health
sector, which means that’s where these new compiles of ransomware payloads
are going to be tested.”

The WannaCry ransomware attack was all the more dangerous because it was a
ransomware worm, Scott explained. It self-replicates, meaning that it’s
going to parasitically intertwine itself throughout the network.

“It’s kind of like a seek-and-ransom for everything that is connected to
that computer,” he said.

Failing to have data backed up is one of the first mistakes healthcare
organizations can make with ransomware, Scott warned. Backing up data in
real time is critical, but entities must also be sophisticated enough to
have a disconnect.

Individual files and the entire PC should be backed up. There should also
be a system image, which is a snapshot of all the files and applications on
a system at a particular time.

“It’s not enough to just back up your data in real time,” Scott maintained.
“You have to have an auto disconnect of that external server or hard drive
because a worm will find its way in to that backup system.”

Essentially, cyber hygiene must evolve.

The WannaCry strain also capitalized on an operating system that was
lacking updates and patches, he pointed out. Microsoft’s EternalBlue OS now
has necessary updates available, but organizations must remain current on
all available patches and updates for operating systems and applications.

“If you’re using Excel, anything Microsoft, the second an update comes, you
have to do it,” Scott advised. “Now more than ever with their vendor
relationships, healthcare organizations have to have cybersecurity and
updates scheduled, such as a software or patch schedule built into that
contract. Some healthcare organizations are starting to do that now, but if
they’re not they definitely should be.”

Another common ransomware debate is whether organizations should pay the
demanded fee or not. Scott observed that it really depends on how
ill-prepared an entity was, or what the potential damage may be if they do
not get the information back.

“It’s a 50-50 crapshoot if they’re going to get the data back or not,” he
asserted, adding that terrorist organizations may also benefit from
ransomware money. “At the end of the day, you have to do what you have to
do, but it’s better to just be prepared.”

Healthcare organizations should also understand that ransomware is the new
DDoS, Scott said. When it comes to distracting an organization with an
initial bump, such as the ransomware infiltration itself, everyone becomes
chaotic. Nobody is looking at the network activity, he stated.

“Chances are, especially in healthcare, somebody is going to be in that
network, mapping it, finding the vulnerable places, setting up beachheads
for future attacks, setting up additional kinds of malware – time triggered
ransomware, and Trojans,” he said. “They could also create remote access
through backdoors. They’re going to be looking for the treasure troves of
patient health records to try and exfiltrate for sale.”

“Once they’ve exhausted a network, they’ll go on forums and sell access as a
service to other attackers,” Scott continued. “Then they start the whole
thing over again. And here the organization thinks, ‘We paid the ransom, we
got this data back, everything is safe and sound.’ What they don’t know is
their network is just pulsating with hacker activity.”

Overall, strong cyber hygiene paired with a layered defense strategy will
go a long way in helping healthcare organizations prepare for a potential
ransomware attack, Scott concluded. No entity can definitively predict such
incidents, but organizations can take critical steps to minimize their
exposure and limit the infection.