RANSOMWARE: THE EVIL THAT LURKS

PROBLEM

Ransomware is a malicious piece of software that encrypts a user's or company's files. Once the files are encrypted by an attacker, it is almost impossible for the victim to regain access to them without a "decryption" key that is held by the attacker or "file kidnapper". The "kidnapper" of the file(s) then demands a fee from the company to regain access to its own files. Typically, the attacker sets a short time span -- usually 72 hours or less -- for the infected user or entity to fork over a ransom. (Attackers do not like to leave digital trails and use temporary servers to accomplish their illicit activity.) The ransom is usually payable in Bitcoin – an anonymous currency increasingly popular with criminals. The hackers will display some sort of screen or webpage explaining how to pay to unlock the files.

Attackers use phishing emails, unpatched programs, compromised websites, online advertising and free software downloads to infect a user. Ransomware is not limited to encrypting the files on a single computer, however: the software may also be programmed to travel across, say, a hospital network and encrypt any files located on shared network drives. This can lead to a catastrophic situation whereby one infected user brings an entire company to a halt.

Clearly, for hospitals and physician practices, losing access to information systems can bring clinical workflows to a crawl and result in significant productivity losses. More dangerously, it could lead to serious patient safety concerns, e.g., if the attacked system manages a radiological image database critical to the operating room.

SOLUTION

So what can be done to prevent such attacks from occurring?

  • Perform ongoing user-awareness education: Because most ransomware attacks begin with phishing emails, user awareness is critically important and necessary. For every ten emails sent by attackers, statistics have shown that at least one will be successful. Do not open emails or attachments from unverified or unknown senders.
  • Keep system patches up to date: Many vulnerabilities commonly abused by ransomware can be patched. Keep up to date with patches to operating systems, Java, Adobe Reader, Flash, and applications. Have a patching procedure in place and verify that the patches were applied successfully.
  • Use great caution when opening attachments: Configure antivirus software to automatically scan all email and instant-message attachments. Make sure email programs do not automatically open attachments or automatically render graphics, and ensure that the preview pane is turned off.
  • Use advanced tools that allow for behavior analysis and immediate sandboxing of threats. Such tools include gateway anti-malware engines with real-time threat intelligence capabilities. These tools have improved considerably in the last two years and can make a big difference. If you don't have an adequate approach to detecting such malware before it enters your network, consider improving your defenses.
  • Back up your files regularly – ideally in the cloud. This allows you to simply move to a new computer with all your files intact. This is a critical item in your armory to fight ransomware.
  • Make sure that you have an incident response plan that takes into account the specific, crippling nature of ransomware.

If you have been compromised:

  • Immediately quarantine the computer or workstation. This will prevent some malware from “hopping” to another workstation. (Some exploits have the capability to “listen” in on a network and then propagate through the network connection.)
  • Disable “System Restore” on Windows.
  • Run your anti-malware to scan and remove ransomware-related files. Another way to determine the scope of the infection is to check the operating system registry for any file listings created by the ransomware.
  • Immediately limit end-user access to mapped drives on an as-needed basis.
  • Note that some ransomware requires extra removal steps such as deleting ransomware files in Windows Recovery Console.

If you are out of options, you may simply have to pay the ransom. It is an unfortunate predicament, but it may be the best practical solution you have. If the ransom demand requires Bitcoin, your first step is to set up an account with what is called a Bitcoin exchange, where you will need to purchase some Bitcoin. Time will be of the essence, as attackers usually offer short time spans to pay a ransom.

IMPACT

Without both a preventative plan and an adequate pre-defined response capability, one is inviting danger. CIOs and Chief Security Officers should assume that ransomware will eventually infect one or more of their computers. A solid plan to prevent attacks and a detailed playbook on how to combat ransomware if infected must be in place to minimize and contain damage.

All clouds are gray

"What's our cloud strategy?" is a common question in IT these days, and a somewhat lengthy answer is required. Few technologies have grown as fast as the cloud. It is a profound shift to have your data – your precious, regulated data – stored not just out of your control, but out of your sight. This change provokes a wide range of responses, from "Never in a thousand years" to "Take my data, please". A better reaction might be "Yes, but." As with many things in life, and certainly in healthcare, the extreme reaction is not the best one. As tempting as a flat Yes or No answer is, there are important questions to ask when moving your data to the cloud:

Questions to Ask

Why are we doing this? Why are you going to the cloud? Save money, save hours, focus on other priorities, improve performance? Make sure that you’re measuring that metric for a few months, before and after the cutover, to determine if the move to the cloud achieved those goals, or if further refinement of the cloud solution is needed to achieve your goals.

Are we starting small enough? Select a system of minor importance for your first try at a cloud solution, to minimize the pain if you make mistakes, or if the cloud just isn't right for you. One good option is to back up data to an Amazon S3 bucket – so long as you run your old backup system in parallel for a while. Any ancillary, internally used, or otherwise small-footprint application is an excellent choice for your first move to the cloud.

How important is flexibility? If you're doing a lot of customization on a system, or working closely with its users, or doing any technology work where flexibility, fast response, and being on the leading edge are important, don't send that to the cloud. Just as you get better driving performance with a more difficult manual transmission than with an automatic, you get better technology performance with an on-premises system – at the price of more management overhead.

What is our team's core competence? If your competitive advantage lies in a system, it is better off in-house than in the cloud. But be careful: often, the competitive advantage isn't "the system" as a whole, but a smaller slice such as "customer service for system users" or "system performance" or "the proprietary data analysis we do on the system". In those three cases, cloud hosting could very well make sense.

Can we trust these guys? Not all cloud providers are Amazon or Azure. While those two have the money, the people, and the expertise to secure data, "Joe's House of Hosting" may not be as reliable. The smaller the cloud provider, the more due diligence you need to perform:

  • Their financials – will they still be in business at the end of the contract?
  • Their staffing levels – will one or two departures cripple their support team?
  • How redundant is each of their system’s components?
  • How mature are their operational procedures, such as policies and documentation, vulnerability scanning, patching, maintenance, configuration management, monitoring, logging, backup, firewall/IDS management, and access control?
  • Where is my data – in the US, abroad, or “somewhere”? There may be requirements to answer this in a certain way – but regardless, know where your data is.
  • Who can see my data – just us, us and them, or us, them and their sub-contractors? Any sub-contractor should have equal security to the primary vendor, but this is not often the case.
  • Who has seen my data – on their end? It’s easy to pull your own logs; make sure that the vendor is maintaining the access records of their own people.
  • Are they securing the virtual environment? Hopefully they mention, or at least show familiarity with, NIST Special Publication 800-125 “Guide to Security for Full Virtualization Technologies” (an updated version is in draft).  They should also routinely disable unused virtual hardware and hypervisor services, and use the hypervisor to monitor the activity between guest OSes.

Is this cloud more secure (but not perfect)? There’s an old Boy Scout joke of how you don’t need to outrun the bear, you just need to outrun the slowest hiker. Similarly, the cloud provider doesn’t have to be perfect, just an improvement on the security and service that your organization can provide. If too many priorities are bogging down your IT team, outsourcing some of them to the cloud can free up time to focus on the remainder.

What will we still have to do? Sadly, you can't just turn over the keys and walk away from your cloud-hosted solution. There's still housekeeping you may need to do, such as user administration, activity review, patching, data management, or interface monitoring. A good cloud provider focuses on what they do and doesn't get drawn into side tasks.

What, precisely, will they do? Following from the above, make very clear what is the cloud provider’s responsibility and what is yours. The provider should be able to tell you, in detail, what they will and won’t do. Which leads to…

Do we have everything in writing? Don't trust verbal commitments – if it's not in the contract, it doesn't exist. A good cloud contract will define, at a minimum, the uptime guarantee, the maximum data loss / Recovery Point Objective, the response time for service calls, and what happens in the event of the vendor's closing or the contract ending – see below. And, of course, the latest and greatest in Business Associate Agreements.

What if we're wrong? Never make a decision you can't undo. There are many reasons that a cloud solution may be tried and found lacking, and you should be prepared to reverse course. In your contract, make sure there are provisions for data return (to you) and data destruction (for them). Be sure to line up an alternate provider of similar services, whether on-premises or with another vendor. And see that you retain, or can acquire, the technical expertise to undo your decision.

Impact

Trusting someone else with your data is a big step, and can only be justified by big rewards. Simply "moving to the cloud" is liable to cause more problems than it solves. Those rewards can be gained with a thoughtful and vigilant cloud solution, if you do your homework first.

IT Audits can be both lightweight and effective

Problem

Things fall apart. Entropy gets everyone in the end, and no sooner has a security feature been implemented than exceptions, one-offs, and workarounds start to appear, like mushrooms after a rain. A security feature that was well implemented 18 months ago may not still be functioning as you planned. But who has the time to run around checking work that's already been done? That doesn't cross anything off the to-do list, nor does it impress any "what have you done for me today" executives.

Solution

Yes, time and attention are scarce. But a well-designed and well-executed IT audit program will more than repay the effort. It can both improve your security and show executives that your IT shop is continually improving. That said, not all audits are created equal. While each organization will choose very different audit plans, here are some ideas to keep in mind while choosing what and how to audit:

Select worthwhile controls to audit: The audit’s results should tell you something meaningful about your security. The control that you audit should both have a likelihood of being mis-applied and a security impact if so. For example, auditing physical access to the data center may not be worthwhile, if all badges are promptly returned – so what if someone is still in the access system when they have no badge? On the other hand, a laptop that’s missing encryption may easily slip onto the network, and cause no end of grief when it’s lost. Key controls will vary between organizations, but make sure that you’re auditing a control that makes a difference.

Audit exceptions regularly: It’s very common for workarounds to be granted and forgotten, and to persist long after the need for them has passed. Ideally you have a management group that approves and documents exceptions to policy (such as an obsolete product that can’t handle usernames). But regardless of who grants them, exceptions should be reviewed regularly to determine if the need still exists and the risk is still acceptable.

Audit something you can fix: If your EMR is hosted, there's little return on auditing the hosting company's operations – they won't accept your kind suggestions, however valid. (Unless you make up 40% of their revenue, in which case, go ahead.) Similarly, auditing physical controls can be an exercise in frustration if you lease your building and have to deal with the landlord.

Audit important controls more often: Many organizations perform continual auditing via Active Directory tools, such that every change to the Domain Administrators group triggers an email. While continuous control monitoring is often a very ambitious goal, the more important a control, the more frequently you should verify that it’s working as planned.

Automate: As mentioned above, audit isn't glamorous. The more you can automate your audits, the more time you can spend on higher-profile initiatives. Where automation isn't an option, try to plainly document the audit steps and offload them elsewhere, such as to Compliance or an intern.

Seek the root cause: Say you find that contractors' accounts on the VPN are not being terminated promptly. Is the root cause that the user management process is not being executed, or is the root cause a flaw in the process itself? Are tickets to terminate contractors not being acted on, or are they not being created in the first place? A common root cause of this is poor communication between HR and IT. The distinction between "our process is not being followed" and "our process has gaps" is a vital one to make.

Document your response: For each audit finding (where the results differed from what you expected), either accept the finding and develop a plan to fix it, reject the finding and record why, or transfer the responsibility to another part of the organization. Most audit findings should have an action plan, a deadline, and a responsible party. Some audit findings can be pushed back on, but only when the audit was done by an outside group; if you're rejecting your own audit findings as low-value, you need to rethink how you're auditing.

Track trends over time: After the action plan is completed, you should re-audit a short time thereafter, to make sure that the fix has taken. Not just once, but a few times at regular intervals. After a few instances of a "clean audit", you can conclude that the particular control is fixed, and audit it less frequently thereafter.

Show your work: At a minimum, an audit program should include an audit plan, which identifies what controls you’ll audit and how frequently; audit procedures, which include how the audit will be performed, what you expect to find, and how to record the results; and an audit response, which includes all findings and your organization’s action plan to fix them. A longitudinal look at a particular control can also be powerful – “Control X had 10 findings four quarters ago, but the three subsequent quarters showed 4, 2, and zero problems”.
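As an added illustration (not code from the original article), here is a small Python script that automates the kind of privileged-group audit described in the "Audit exceptions regularly", "Audit important controls more often", "Automate" and "Track trends over time" points above: a snapshot of the Domain Admins group is compared against an approved baseline plus documented exceptions that carry a review date, and the re-audit interval is only relaxed after consecutive clean audits. The group snapshot, baseline, account names and dates are constructed sample data, not taken from a live directory.

```python
from datetime import date

# Constructed sample data (hypothetical names, not from a real directory):
# a snapshot of the Domain Admins group as exported from the directory,
# the approved membership baseline, and the documented exceptions.
APPROVED_BASELINE = {"alice.admin", "bob.admin"}
SNAPSHOT = {"alice.admin", "bob.admin", "svc-legacyapp", "contractor.jdoe"}
# Each exception records when it must be reviewed again; a workaround that
# outlives its review date is reported as a finding rather than silently kept.
EXCEPTIONS = {
    "svc-legacyapp": date(2099, 12, 31),  # long-lived, still approved
    "contractor.jdoe": date(2015, 1, 31),  # granted and forgotten
}


def audit_group(snapshot, baseline, exceptions, today):
    """Compare a privileged group's membership with its approved baseline.

    Returns a list of finding strings; an empty list is a clean audit."""
    findings = []
    for member in sorted(snapshot - baseline):
        review_by = exceptions.get(member)
        if review_by is None:
            findings.append(f"unapproved member: {member}")
        elif review_by < today:
            findings.append(f"expired exception ({review_by}) for member: {member}")
    for member in sorted(baseline - snapshot):
        # A missing approved admin may signal tampering or a stale baseline.
        findings.append(f"approved member missing: {member}")
    return findings


def next_audit_interval_days(finding_counts, base_days=7, max_days=90):
    """Choose the re-audit interval from the trend of past finding counts.

    Any recent finding keeps the short interval; the interval is relaxed
    (doubled per clean audit) only after three consecutive clean audits."""
    trailing_clean = 0
    for count in reversed(finding_counts):
        if count != 0:
            break
        trailing_clean += 1
    if trailing_clean < 3:
        return base_days
    return min(max_days, base_days * 2 ** (trailing_clean - 2))


if __name__ == "__main__":
    today = date(2016, 6, 1)  # constructed audit date
    findings = audit_group(SNAPSHOT, APPROVED_BASELINE, EXCEPTIONS, today)
    for finding in findings:
        print("FINDING:", finding)
    history = [10, 4, 2, len(findings)]  # quarterly finding counts, as in the text
    print("re-audit in", next_audit_interval_days(history), "days")
```

Each finding the script prints still needs the action plan, deadline and responsible party described under "Document your response"; the script only makes the checking itself routine.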

Impact

Auditing your controls can keep a tiny hole in your defenses from sinking you; the "I thought we were watching that" syndrome is both organizationally destructive and personally embarrassing. It can also help you find the root cause of problems – you can avoid playing whack-a-mole with problems that continually crop up, and actually find permanent fixes. And if consistently implemented over time, an audit program becomes a powerful tool to show your security improvement to executives and other non-IT audiences.