Ransomware, denial-of-service, data theft and disruption are some of the most common IT-related risks facing healthcare today.
And the consequences can be big – disrupted services, remediation costs, and HIPAA fines for inadequate security of protected health information (PHI).
Many ransomware attackers gain access through social engineering, such as phishing emails – often by tricking employees into providing access credentials. So, organizations focus on training employees against social engineering attacks.
But in doing so, they risk leaving themselves open to the next-largest source of attacks – those that exploit network software vulnerabilities.
As documented in threat frameworks like the Cyber Kill Chain, attackers start with reconnaissance of your system. They do this through automated scans, and any system exposed to the internet may be scanned thousands of times per day. They’re looking for connections between private networks and the public internet – points of entry. They can tell which ports are open, what software is listening on them, and sometimes other critical information such as the operating system.
From that, they can draw inferences about what your vulnerabilities might be. The attackers might know, for example, that a particular type of server has some vulnerabilities made public recently – and they can probe automatically to see if you have installed the patches to fix those vulnerabilities.
Here are five defenses that can help protect your system.
1. Frequent and complete backups, stored separately
The lowly backup remains one of the most critical defenses. If your system gets corrupted by an attack, you should be able to go to a recent stored image of your system, restore that, and then bridge the gap between your backup and the current reality. The upside is that you can often freeze out an attacker and return to operation. The downside is the size of the gap between your backup and the current time, since backup restoration rarely goes as smoothly as it should.
2. Efficient network segmentation
You can often limit the damage a successful attack can do, if you have taken steps to divide your network into smaller, isolated segments. It’s like a series of firewalls inside a building, to prevent the spread of fire. This segmentation must be designed in a way that does not interfere with cooperation among different parts of the organization. This network design prevents other types of attacks too, such as unauthorized access by rogue insiders.
3. Detect and respond systems
Often labeled EDR and XDR systems, these are the business analog to traditional antivirus software for your home computer. They alert your team when there are intrusions or anomalous network activity. By raising the red flag early and often, detect and respond systems allow you to take action to mitigate the damage of an intrusion, and confine the attack to a limited area of your system.
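The reconnaissance described above is what a detect and respond system is meant to flag early. The following Python is an added example written for this article, not SecureCo’s product or any EDR vendor’s code: it reads constructed firewall deny lines (the log format and the addresses are assumptions) and flags a source that probes many distinct ports on one host within a short window, while leaving an ordinary client that retries a single service alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall deny events (not real traffic). The first
# source probes seven different ports in four seconds; the second is a
# normal client retrying one service and should not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DENY src=203.0.113.5 dst=10.0.0.10 dport=21
2024-05-01T10:00:01Z DENY src=203.0.113.5 dst=10.0.0.10 dport=22
2024-05-01T10:00:02Z DENY src=203.0.113.5 dst=10.0.0.10 dport=23
2024-05-01T10:00:02Z DENY src=203.0.113.5 dst=10.0.0.10 dport=25
2024-05-01T10:00:03Z DENY src=203.0.113.5 dst=10.0.0.10 dport=80
2024-05-01T10:00:04Z DENY src=203.0.113.5 dst=10.0.0.10 dport=443
2024-05-01T10:00:05Z DENY src=203.0.113.5 dst=10.0.0.10 dport=445
2024-05-01T10:00:09Z DENY src=198.51.100.7 dst=10.0.0.10 dport=443
2024-05-01T10:00:15Z DENY src=198.51.100.7 dst=10.0.0.10 dport=443
"""

# Assumed log layout: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_scanners(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Map (src, dst) -> set of probed ports for sources that hit at least
    min_ports distinct ports on one host inside any sliding time window."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or unrelated lines
        ts, src, dst, dport = parsed
        events[(src, dst)].append((ts, dport))
    alerts = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.setdefault(key, set()).update(ports)
    return alerts
```

The threshold and window are tunable; in practice a detect and respond platform correlates this with endpoint telemetry rather than firewall denies alone.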
4. Assiduous patching regimen
Software patches and upgrades, while they are intended to fix vulnerabilities, often create an opportunity for hackers. Here’s how this works. When a software update is announced, hackers will reverse engineer the patch to understand the vulnerability it’s intended to fix. Then they’ll move swiftly to carry out attacks based on that newly revealed vulnerability, knowing that many organizations won’t install that patch for months, if at all. A diligent vulnerability management program that prioritizes and expeditiously patches high-risk vulnerabilities is essential.
5. Obfuscation helps conceal vulnerabilities
The fifth tool for stopping ransom and other network attacks is designed to prevent attackers from discovering the vulnerable parts of your system, by concealing network ports from reconnaissance scans. Obfuscation technologies can allow you to operate connected network services without the type of exposure that reveals exploitable software or vulnerable network configurations, encouraging threat actors to move on to other easier targets. By not being in the line of fire of attackers, network administrators using obfuscation have far greater time and leeway to apply patches and close vulnerability gaps.
Cybersecurity is constantly evolving, and nothing is foolproof.
None of these five methods can individually solve the ransom attack problem, but working together they can go a long way toward keeping your system secure.
Alex Harrington is co-founder and CEO of SecureCo.