Look over Here! (While I Steal Your Data over There)
Our Healthcare Symposium speaker Lanny Morrow, EnCE, CTFI speaks about Ransomware Attacks in the following article.
To hear more from him and other great speakers, register for the Healthcare Symposium November 13 at Amegy Bank here.
While the primary motivation of ransomware attacks remains the ransom payment, we’re beginning to see attackers use this tactic as a smokescreen to create chaos within the organization. The ransom payment is just a bonus. Perpetrators make the real money by selling sensitive information on the black market.
How Ransomware Attacks Happen
Ransomware entry methods vary depending on the attack, but most often it is a phishing email that requests access information from an employee, an email carrying malicious code in a file or link, direct access to a system through unpatched vulnerabilities or unprotected administrator accounts. More than 80 percent of breach incidents occurred through unpatched vulnerabilities in which a patch had existed for more than a year before the attack. In almost all cases, ransomware attacks don’t result from technological faults, but human error.
Data Exfiltration
Incident response (IR) protocols set in motion by an attack have clear-cut, rehearsed procedures that team members follow. This begins with “classifying the incident.” Once an attack is classified as ransomware, procedures to handle it are invoked. The hackers are counting on it. While the IR team resolves the ransomware crisis by counting affected systems, classifying the type of malware in play and deciding whether to pay the ransom or restore from backups, the attackers are mapping the system, identifying personally identifiable information (PII), protected health information (PHI) and trade secrets to steal. Any alarms set off by monitoring systems often are mistaken for additional fallout from the ransomware attack. By the time the incident is resolved, the information has already been compromised.
Mitigating Exfiltration
Mitigating data theft isn’t a cybersecurity function, but rather a data and information governance function. The process for protecting your data goes beyond a ransomware heist. Information governance also protects data from accidental disclosures, regulatory slips and blemishes, internal theft and other forms of external data breaches. Consider these steps:
- IT security audits that include cybersecurity risk assessments and penetration testing (pen testing) are critical, as is keeping them updated. Pen testing should be performed by professionals familiar with how hackers think and act. Many pen-testing services merely run vulnerability scans and look for obvious weaknesses. This isn’t how hackers work.
- Have a data and information governance plan. This includes quantifying your data “crown jewels” and protected information such as PII and PHI. Other important information includes confidential or proprietary documents, trade secrets, strategic plans and copyrighted or proprietary software code. Once information is quantified and mapped to its respective locations and handlers, a plan can be created to protect it.
- Taking a complex systems approach to risk helps anticipate “unknown unknowns” in data protection. Because control failures often are the result of a “cascading effect” of failures from multiple components, standard approaches to enterprise risk management (ERM) and cybersecurity that look at individual components in a vacuum aren’t sufficient.
Successfully implementing cybersecurity through a smart blend of controls, technologies and testing will result in a safer environment for your most valuable information.
More about the speaker:
Lanny Morrow, EnCE, CTFI is the senior expert in digital forensics and advanced data mining for BKD’s Forensic & Valuation Services division. He frequently speak and write on both topics, including contributions to university textbooks and the Association of Certified Fraud Examiners’ Fraud Magazine publication. His forensic investigation experience includes Foreign Corrupt Practice Act (FCPA), public corruption, fraud/white collar crimes, corporate espionage and theft of intellectual property.