A recent high-profile ransomware attack at Hollywood Presbyterian has lessons for organizations in healthcare and elsewhere. This organization is but one of the hundreds of thousands that have fallen victim to this type of malware. Ransomware is a particularly pernicious type of malware that encrypts the data on the infected device and demands that a ransom be paid for access to that data. According to security vendor Kaspersky, more than 170,000 ransomware infections occurred in 2015 alone. The damage to this firm in particular was quite grave.
Hollywood Presbyterian Medical Center was infected with ransomware that had its entire network offline for more than a week. Cybercriminals demanded a ransom of $17,000 to obtain the decryption key. This ransomware took out the CT scan system, lab, pharmacy, email and the network in general. The medical center was reduced to working with pen and paper. Total losses were undoubtedly in the millions of dollars. Unfortunately there were many failings in this healthcare organization that allowed this to happen. Any modern healthcare CIO, CISO or CEO should take heed of the lessons of this ransomware attack. Among them were failures to deploy the proper security technologies, failed processes, inadequate training and lack of proper disaster recovery (among others). Sadly this is far from uncommon in the IT world. It is clear this type of attack was targeted, or an APT (advanced persistent threat), orchestrated over time by skilled cybercriminals. Before we explore further, let's look at how ransomware infects in the first place.
How Ransomware Infects
Ransomware infects a host the same way other malware often does. It could be a suspect email with an infected attachment, a phishing email, a social media link or even a malicious online advertisement. Multiple vectors, a lack of IT and staff training, and improper processes bring a multitude of risks to the fore. Infection can happen to even the best prepared organizations, but it's important to prepare with the right people, process and technology.
How to Stop Ransomware
Like almost any complex IT problem, there is no single technology, process or magic bullet to solve the issue of ransomware. Instead, a variety of coordinated efforts can minimize but not eliminate the risk. Defense in depth, or a multi-layered defense, is the only solution. Let's explore how your organization can stop ransomware.
End User Training
Most often an organization's end users are the weakest link in securing it. Employees are often not trained at all in how to operate technology in a secure fashion. This puts organizations and their livelihood at risk. Training your staff to engage in secure computing and to think before they click is vital. I've been a long time proponent of this end user security training and seen it dramatically improve organizations' security postures.
Backup Your Data
Back up your data to disk and to an internet backup service (encrypted in transit and at rest). Having at least two forms of backup, one local and one remote, is important. Businesses should always have automated and managed backup services to ensure they have an option to recover should an unfortunate situation arise. This should be a part of any disaster recovery and business continuity effort.
Disaster Recovery Planning
Disaster recovery planning is an imperative process. I say process because it is an ongoing process, not a single static effort. Many organizations don't do it properly and some – not at all. Disaster recovery isn't just backing up your data but planning, documenting and testing it as well. Without a plan you can be assured of failure. Proper disaster recovery planning will keep your organization from becoming a ransomware victim.
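The two sections above (keeping a local and a remote backup, and actually testing that they can be restored) can be turned into a routine check. The script below is an added example, not code from the original post: it hashes every file in a source tree, confirms an identical copy exists in each backup root, and flags files whose content looks like ciphertext so that a ransomware-encrypted original is not mistaken for the good copy. The directory names and sample files are constructed for the demo.

```python
import hashlib, math, os, tempfile
from collections import Counter

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def shannon_entropy(data):
    # bits per byte: ~8.0 for ciphertext or compressed data, far lower for text
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verify_backups(source, backups, entropy_limit=7.5):
    # Hash every file under source and compare it with each backup root. Files whose
    # first 4 KiB look like ciphertext are flagged so a ransomware-encrypted original
    # is not silently accepted as the "good" copy during a restore test.
    report = {"missing": [], "mismatch": [], "suspect": []}
    for root, _, files in os.walk(source):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source)
            with open(src, "rb") as f:
                if shannon_entropy(f.read(4096)) > entropy_limit:
                    report["suspect"].append(rel)
            digest = sha256_of(src)
            for b in backups:
                copy = os.path.join(b, rel)
                if not os.path.exists(copy):
                    report["missing"].append((b, rel))
                elif sha256_of(copy) != digest:
                    report["mismatch"].append((b, rel))
    return report

def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    # Constructed sample: one source tree plus a local and a remote backup copy.
    base = tempfile.mkdtemp()
    src, local, remote = (os.path.join(base, d) for d in ("src", "local", "remote"))
    for d in (src, local, remote):
        os.makedirs(d)
    plain = b"patient record 0001, visit notes\n" * 50
    _write(os.path.join(src, "records.txt"), plain)
    _write(os.path.join(local, "records.txt"), plain)        # local copy is good
    _write(os.path.join(remote, "records.txt"), plain[:-1])  # remote copy is stale
    _write(os.path.join(src, "images.bin"), bytes(range(256)) * 16)  # looks encrypted, never backed up
    return verify_backups(src, [local, remote])
```

Run `demo()` to see the report: the stale remote copy shows up under "mismatch", the never-backed-up file under "missing" for both roots, and the ciphertext-looking file under "suspect".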
Best of Breed Anti-Malware
Quality anti-malware is critical in any active defense against ransomware. It can detect and remove ransomware before it becomes a larger problem in your organization. As I've written about before, not all anti-malware is equal. Some products do a better job than others, and they are even tested scientifically against their competitors. Your solution should be able to address the multitude of threats by scanning email and web traffic and by giving insight into existing risks.
Deploy Least Privilege
The notion of least privilege is extremely simple. Users should only be given the privilege or access level to a computing resource that they need – no more, no less. An average user shouldn't have administrative access to his or her system. Rather, they should have only the access to computing resources that their job requires. Deploying least privilege is a proven way to reduce security risks to your enterprise.
Deploy both Software/Hardware Firewall
Most anti-malware suites include a software firewall, which should be configured to meet your needs and improve your organization's security stance. Additionally, hardware firewalls should always be used. Companies should deploy a next-generation firewall, UTM or proxy solution to filter out known phishing and malware.
Deploy IPS (Intrusion Prevention System) and/or SIEM
IPS systems detect malicious activity, log it and attempt to block it. They are a critical piece of any holistic infosec effort. SIEM (Security Information & Event Management) systems give an organization a "bird's-eye" view of the security-related aspects of its systems and networks. These are powerful tools any enterprise can use to improve its security posture as it relates to ransomware or other threats.
Active Patch Management
Patch all of your systems. Companies should have some form of patch management in place to actively patch desktops, servers, networking devices, smartphones, IoT devices – everything. Not doing so leaves known vulnerabilities open for the cybercriminal to exploit against you and your organization.
Regular Security Assessments
Even with all of the best security practices in place, vulnerabilities will always remain. This points to the very real need to actively test for, find and remediate security vulnerabilities. Regular pentesting by internal teams or managed security providers can reveal what cybercriminals might otherwise exploit against you.
Chilling Wake Up Call
It is clear why there has been a rise in ransomware – it pays. Cybercriminals know they can identify and exploit poorly secured organizations. These weaknesses can be in any of the areas we have explored here, and then some. Unless and until businesses start to take the steps we have outlined here, they will be in the cross-hairs of cybercriminals with means, opportunity and motive. We must be ever vigilant. What are your thoughts or experiences with ransomware? Please do leave a comment below. If this content has been helpful, please sign up for our newsletter for updated IT news in your inbox.