No matter the industry, cybersecurity will be critical to your organization’s long-term success. In our first Tuesday Tech Talk of the year, Jarrod Daake, our Director of Operations, and Cindy Beach, our Healthcare Consultant, explained the most common causes of breaches, the lifecycle stage of ransomware breaches, and tips to mitigate the risk associated with these breaches before they happen. Here are the key takeaways:
Most Common Causes for Breach
The most common cause of a breach is phishing emails. By definition, a phishing email is a fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. The popularity of this option to try to gain access is due to the ability to do it on a large scale. Hackers are potentially able to send thousands of phishing emails a day and only need one end-user in your organization to take the bait and put your environment at risk. Ultimately, employees are your weakest link, and properly training them to spot these emails is the best way to mitigate that risk.
Some common causes of breaches in healthcare-specific settings such as hospitals or clinics are insecure PHI transmissions and not encrypting the PHI on the servers. PHI or patient health information is the reason most healthcare systems are targeted with these phishing emails due to the vast amount of data housed in the system. Typically, the insecure transmission of data happens through fax or email.
Other common causes of breaches include insecure remote access, weak password policy and enforcement, and device theft. While weak password policy and device theft are typically user errors, creating strict company-wide policies for password and device management is imperative.
Lifecycle of a Ransomware Event
Step 1: Phishing email is sent. This is the easiest form of deployment and casts a wide net for the highest probability of success.
Step 2: User clicks a link, downloads a file, or enters credentials on a compromised site. Once this happens, a remote access tool is installed and the hacker can start to exploit the network.
Step 3: Attacker begins scraping for usernames and passwords. Typically, attackers will listen to network traffic that connects with domain controller accounts
Step 4: Attacker begins cracking encrypted passwords focusing on domain administrator accounts. This step can be performed from 6-8 months to decrypt even the most complex passwords.
Step 5: Attacker begins making their way laterally across the network. This step allows them to get the lay of the land per se. Here they are able to see what kind of data is in the hands and gauge what they can get away with stealing.
Step 6: Attacker begins targeting antivirus and backups. Typically this is the step where they get caught if proper monitoring tools are in place.
Step 7: The attacker executes the ransomware and often utilizes a PowerShell script for maximum speed and damage. PowerShell connects all PCs and servers across the network that executes the script all as one.
Is Your Organization Prepared? – Questions to Ask Your Internal IT
Trust, but verify with your internal IT team that you’re prepared for the worst. Internal IT teams are doing their best, but attackers are typically better than anyone out there defending them. These are the questions you should be asking:
- Do we require multi-factor authentication on all remote access and email?
- What are our recovery options in the event of a disaster?
- Do we have a documented disaster recovery plan?
- If disaster strikes, how quickly can we recover?
- When was the last time our disaster recovery plan was tested?
Tips to Limit Risk
- Ask your IT team the uncomfortable questions above.
- Require multi-factor authentication on remote access and email.
- Train users to identify phishing emails. We use a product called KnowB4, a training platform to educate on what to look for in phishing emails – return address, sender address, language.
- Disable PowerShell and limit scripts with antivirus.
- Have multiple documented recovery options and disaster plans.