8/30/2016
1
Ernie Hayden CISSP CEH GICSP(Gold) PSP
Executive Consultant
This Presentation is Proprietary to Securicon, Inc. Any use of this document without express written approval from Securicon is strictly prohibited.
V 0
Today’s OPA – Outcome, Purpose, Actions
• Cyber & Today’s Health Care Sector
• Data Breaches
• Ransomware
• Recommended Actions:
  ◦ Preparation
  ◦ Response/Reaction
• Q&A
• References
1
2
The proper pronunciation of…
Tinnitus?
Outcome:
◦ Overview of the Healthcare Industry Data Security Situation
Purpose:
◦ Educate Attendees on Causes, Drivers and Responses to Ransomware and Data Breaches
Actions:
◦ Discuss Data Breaches
◦ Discuss Ransomware
◦ Review Prevention/Preparation Activities
◦ Discuss Recommended Ways to Respond
3
4
The Industry is Under Attack
◦ Ransomware Extortion
◦ Denial of Service Extortion
◦ Medical Record Theft Fraud
Ponemon Institute Study (April 2016)
◦ Breaches: $6.2 B cost
◦ Cost per Record: Healthcare $355, Education $246, Finance $221
5
2015: Healthcare had the highest rate of data breaches vs. any other industry -- IBM
◦ 48% Malicious or Criminal Attack
◦ 25% Negligent Employees or Contractors (Human Factor)
◦ 27% System Errors – IT and Business Process
6
60+ % of Healthcare Organizations & Business Associates Believe they are More Vulnerable to a Data Breach than Other Industries -- Ponemon
Fraud
◦ Patient Information is Valuable to Identity Thieves
Data Availability Needs
◦ Healthcare providers need access to patient histories, directives, etc. to be able to respond to the patient – Think “Emergency Environment”
Heavy Reliance on Electronic Healthcare Records
◦ Computers/workstations, Internet access, heavy reliance on databases – makes for a “perfect” target for cybercriminals
7
Remember: It is About Money!
2015: >$24M collected in >2,400 Reported Ransomware Attacks (FBI)
Healthcare:
◦ Easy Targets – Only Security Focus is on HIPAA – Not on Medical Device or Webpage Security (e.g.)
◦ Disruption in a Hospital May Mean Life or Death
8
“Without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death or lawsuits.”
Kim Zetter, Wired Magazine
9
10
State Data Breach Laws
Friendly, Local Healthcare Information Security Officer
HIPAA BREACH:
◦ An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
◦ An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates, based on a risk assessment, that there is a low probability that the protected health information has been compromised.
11
http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
BREACH – STATE DATA BREACH LAWS (47 States)
"personal information"
◦ First Name or First Initial PLUS Last Name PLUS:
  (a) Social security number;
  (b) Driver's license number; or
  (c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
"personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Exception to notification: Encrypted Records
12
Reference: State of Washington RCW 19.255.010
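The definition above is a decision rule with two exclusions (public-record data, encrypted records), and the practical question after a loss is how many records in a dataset actually trigger notification. The following is an added example, not part of the deck, that encodes the slide's summary of the RCW 19.255.010 definition as a triage function; the LostRecord fields and the sample dataset are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class LostRecord:
    """One record from a lost or exposed dataset (field layout is an assumption for this example)."""
    first_name: str = ""          # full first name, or just the first initial
    last_name: str = ""
    ssn: str = ""
    drivers_license: str = ""
    account_number: str = ""      # financial account, credit or debit card number
    access_code: str = ""         # security code, access code or password for that account
    public_record: bool = False   # lawfully available from federal/state/local government records
    encrypted: bool = False       # record was encrypted when it was lost


def is_personal_information(r: LostRecord) -> bool:
    """The slide's summary of the statutory definition: (first name or initial) + last name,
    plus at least one qualifying element; public-record information is excluded."""
    if r.public_record:
        return False
    has_name = bool(r.first_name) and bool(r.last_name)
    qualifying = (
        bool(r.ssn)
        or bool(r.drivers_license)
        # an account/card number only counts together with the code that unlocks it
        or (bool(r.account_number) and bool(r.access_code))
    )
    return has_name and qualifying


def notification_required(r: LostRecord) -> bool:
    """Personal information that was NOT encrypted triggers the notification duty."""
    return is_personal_information(r) and not r.encrypted


def triage(records):
    """Bucket a lost dataset by what the definition says about each record."""
    buckets = {"notify": 0, "exempt_encrypted": 0, "not_personal_information": 0}
    for r in records:
        if not is_personal_information(r):
            buckets["not_personal_information"] += 1
        elif r.encrypted:
            buckets["exempt_encrypted"] += 1
        else:
            buckets["notify"] += 1
    return buckets


# Constructed sample dataset, as if recovered from the inventory of a lost laptop.
SAMPLE_RECORDS = [
    LostRecord("J", "Doe", ssn="000-00-0000"),                       # initial + last name + SSN
    LostRecord("Maria", "Lopez", drivers_license="WDL000000"),
    LostRecord("Sam", "Chen", account_number="4111-0000-0000-0000"),  # card number, no code: not PI
    LostRecord("Sam", "Chen", account_number="4111-0000-0000-0000", access_code="123"),
    LostRecord("", "Patel", ssn="000-00-0001"),                      # no first name/initial: not PI
    LostRecord("Ana", "Kim", ssn="000-00-0002", encrypted=True),     # PI, but encrypted: exempt
    LostRecord("Lee", "Park", drivers_license="WDL000001", public_record=True),
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```

The encryption exemption is applied per record, which is why the triage keeps "exempt_encrypted" as its own bucket: a partially encrypted export still leaves the unencrypted rows subject to notification.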
13
Source: Gartner
14
Ransomware is a form of malicious software that restricts the user’s access to their device or data in some way and demands a ransom payment in exchange for lifting the restriction.
Crypto-ransomware specifically encrypts the files on the victim’s machine and typically gives a time limit by which the victim must pay a fee to decrypt the files…or else!
Lockscreen Ransomware: Locks the screen and demands payment; no files are encrypted.
Master Boot Record (MBR) Ransomware: Computer won’t boot; the ransom demand is displayed on screen.
15
First Ransomware 2005
Ransomware Extortion
Type of malware that attempts to extort money from a computer user/company by:
◦ Infecting or Taking Control of the Computer or the Files on it
◦ Preventing you from (one or more):
  Accessing Windows and/or Other Devices
  Using Your Files (Encrypts Them)
  Running Certain Apps
  Accessing Backup Repositories
16
Via Email (Phishing) as an Attached File
◦ .doc, .pdf, .zip
◦ Tricks User into Opening File
Via Email (Phishing) as a Malicious Link
Via Compromised Website (Watering Hole Attack)
◦ Download Payload of Exploit Kit
◦ Redirected to Malicious Site
17
Malicious Code Infection
◦ Downloads an .exe which installs the ransomware itself
Malicious Payload Staging
◦ Ransomware sets up, embeds itself in a system
Scanning
◦ Searches for content to encrypt
◦ Looks on Local Computer, Network Accessible Resources and even Cloud Resources (e.g., Dropbox)
Encryption
Ransom Note Generation
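The scanning, encryption and ransom-note phases leave a characteristic trace in file-activity telemetry: originals disappear while same-named files with an appended extension appear in a burst, and one note file shows up in every directory touched. The detector below is an added example (not from the deck or from Exabeam) that runs two such behavioural indicators over file events; the log format, host names, paths, thresholds and the ".locky" extension in the sample are all constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical file-activity log format (constructed for this example):
#   <ISO timestamp> <host> <user> <CREATE|WRITE|DELETE> <path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<action>CREATE|WRITE|DELETE) (?P<path>.+)$"
)

# Constructed sample: ws-07 is ordinary user activity, ws-12 shows an encryption burst
# on local folders and two mapped shares, with a note dropped in each directory.
SAMPLE_LOG = r"""
2016-08-30T09:00:01 ws-07 asmith WRITE C:\Users\asmith\Documents\budget.xlsx
2016-08-30T09:00:05 ws-07 asmith DELETE C:\Users\asmith\Documents\old_draft.docx
2016-08-30T09:00:06 ws-07 asmith CREATE C:\Users\asmith\Documents\draft_v2.docx
2016-08-30T09:10:00 ws-12 jdoe CREATE C:\Users\jdoe\Documents\report.docx.locky
2016-08-30T09:10:00 ws-12 jdoe DELETE C:\Users\jdoe\Documents\report.docx
2016-08-30T09:10:01 ws-12 jdoe CREATE C:\Users\jdoe\Documents\_HELP_instructions.txt
2016-08-30T09:10:01 ws-12 jdoe CREATE C:\Users\jdoe\Pictures\holiday.jpg.locky
2016-08-30T09:10:01 ws-12 jdoe DELETE C:\Users\jdoe\Pictures\holiday.jpg
2016-08-30T09:10:02 ws-12 jdoe CREATE C:\Users\jdoe\Pictures\_HELP_instructions.txt
2016-08-30T09:10:02 ws-12 jdoe CREATE Z:\Shared\Radiology\scan_0413.dcm.locky
2016-08-30T09:10:02 ws-12 jdoe DELETE Z:\Shared\Radiology\scan_0413.dcm
2016-08-30T09:10:03 ws-12 jdoe CREATE Z:\Shared\Radiology\_HELP_instructions.txt
2016-08-30T09:10:03 ws-12 jdoe CREATE Z:\Shared\Radiology\scan_0414.dcm.locky
2016-08-30T09:10:03 ws-12 jdoe DELETE Z:\Shared\Radiology\scan_0414.dcm
2016-08-30T09:10:04 ws-12 jdoe CREATE Z:\Shared\Billing\claims_q2.xlsx.locky
2016-08-30T09:10:04 ws-12 jdoe DELETE Z:\Shared\Billing\claims_q2.xlsx
2016-08-30T09:10:04 ws-12 jdoe CREATE Z:\Shared\Billing\_HELP_instructions.txt
"""


def parse(lines):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def split_path(path):
    """Split a Windows-style path into (directory, filename)."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    timestamps = sorted(timestamps)
    best = start = 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events, window=timedelta(seconds=60), rewrite_threshold=5, note_threshold=3):
    """Per host: (1) burst of originals replaced by same-stem files with an extra extension,
    (2) one filename created in many directories (ransom-note fan-out)."""
    alerts = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    for host, evs in by_host.items():
        deleted = {ev["path"] for ev in evs if ev["action"] == "DELETE"}
        rewrite_times = []
        dirs_by_name = defaultdict(set)
        for ev in evs:
            if ev["action"] != "CREATE":
                continue
            directory, name = split_path(ev["path"])
            dirs_by_name[name].add(directory)
            # "report.docx.locky" created while "report.docx" was deleted in the same
            # directory: the original has been replaced by an encrypted copy.
            stem = name.rsplit(".", 1)[0]
            if directory + "\\" + stem in deleted:
                rewrite_times.append(ev["ts"])

        burst = max_in_window(rewrite_times, window)
        if burst >= rewrite_threshold:
            alerts.append({"host": host, "indicator": "rewrite_burst", "count": burst})
        for name, dirs in dirs_by_name.items():
            if len(dirs) >= note_threshold:
                alerts.append({"host": host, "indicator": "note_fanout",
                               "name": name, "count": len(dirs)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG.strip().splitlines())):
        print(alert)
```

Both indicators are keyed on behaviour rather than on a strain-specific extension, which is why a normal delete-then-create of a differently named draft on ws-07 does not trip them; the rewrite threshold and window should be tuned against a site's own baseline before alerting on them.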
18
Recommended: Exabeam, The Anatomy of a Ransomware Attack
19
4,000 Daily Ransomware Attacks since Early 2016: a 300% Increase Over the 1,000 Daily Attacks Reported in 2015 (US Govt Interagency Document)
https://www.nsoit.com/Images/SecurityNews/Ransomware-Roundup-Courtesy-of-Proofpoint-(dot)-com-80pct.png
6 Reported Ransomware Attacks on Healthcare Organizations in the US, Affecting 15+ Hospitals, January – April 2016
Hollywood Presbyterian Medical Center, Los Angeles
◦ Locky Ransomware Variant
◦ Offline for > 1 Week
◦ Paid Ransom (~ $17,000 in Bitcoin)
Methodist Hospital, Henderson, Kentucky
◦ Did not pay ransom
◦ Restored data from backups
20
21
Recommended Reading:
◦ Ransomware Hostage Rescue Manual https://info.knowbe4.com/ransomware-hostage-rescue-manual-0
◦ Ransomware (FBI Trifold) https://www.fbi.gov/about-us/investigate/cyber/ransomware-brochure
Approaches:
◦ Prevention
◦ Response
22
First Line of Defense - Users
◦ Educate Your Personnel: Employees, Vendors, Contractors, Volunteers
◦ Conduct Simulated Phishing Attacks – Learn from Your Team’s Mistakes
◦ Manage Use of Privileged Accounts (e.g., Admin) Based on the Principle of Least Privilege
23
Software
◦ Ensure You are Using a Firewall – Block Known Malicious IP Addresses
◦ Implement Anti-Spam/Anti-Phishing
◦ Ensure All Machines Have Up-to-Date Antivirus (Better: Include Application Whitelisting, Heuristics)
◦ Implement Highly Disciplined and Timely Patching of Applications and Operating Systems
◦ Disable Macro Scripts from Office Files Transmitted Via Email
◦ Scan Incoming/Outgoing Emails to Detect Threats and Filter Executable Files from Reaching End Users
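The last two items (block macro-bearing Office files, keep executables away from end users) are usually enforced at the mail gateway by inspecting attachments rather than trusting their names. The screening function below is an added example, not from the deck or any vendor product: it checks the claimed extension, the file's real header (so a renamed .exe is still caught), macro-enabled Office types, the VBA project inside an OOXML container, and the contents of zip archives. The extension lists are an assumed representative policy, and every sample attachment is constructed from minimal header bytes.

```python
import io
import zipfile

# Policy lists are assumptions for this example, not taken from the deck.
BLOCKED_EXT = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "wsf",
               "bat", "cmd", "ps1", "hta", "jar", "msi"}
MACRO_ENABLED_EXT = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
OOXML_EXT = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def extensions(filename):
    """All extensions, lowercased: 'invoice.pdf.exe' -> ['pdf', 'exe']; 'README' -> []."""
    return filename.lower().split(".")[1:]


def last_ext(filename):
    exts = extensions(filename)
    return exts[-1] if exts else ""


def screen(filename, data):
    """Decide whether an attachment may reach an end user. Returns (verdict, reason)."""
    ext = last_ext(filename)
    if ext in BLOCKED_EXT:
        return "block", f"blocked extension .{ext} (full name: {filename})"
    if data[:2] == b"MZ":
        # PE header regardless of what the name claims (catches 'photo.jpg' renames)
        return "block", "Windows executable header despite extension"
    if ext in MACRO_ENABLED_EXT:
        return "block", "macro-enabled Office document"
    if ext in OOXML_EXT or ext == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            # a container that cannot be inspected is not allowed through
            return "block", "malformed archive"
        if ext in OOXML_EXT and any(n.lower().endswith("vbaproject.bin") for n in names):
            return "block", "VBA project embedded in OOXML file"
        if ext == "zip":
            for n in names:
                inner = last_ext(n.rsplit("/", 1)[-1])
                if inner in BLOCKED_EXT or inner in MACRO_ENABLED_EXT:
                    return "block", f"archive contains {n}"
    return "allow", "no executable content detected"


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (no real malware; bytes are minimal headers).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "invoice.pdf.exe": b"MZ\x90\x00",
    "photo.jpg": b"MZ\x90\x00",
    "order.docm": b"PK\x03\x04",
    "memo.docx": make_zip({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"\x00"}),
    "minutes.docx": make_zip({"word/document.xml": b"<w/>"}),
    "scan.zip": make_zip({"scan/invoice.pdf.exe": b"MZ"}),
    "broken.zip": b"PK\x03\x04not-really-a-zip",
}


def screen_all(samples=SAMPLES):
    return {name: screen(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in screen_all().items():
        print(f"{name:18} {verdict:6} {reason}")
```

Legacy binary formats (.doc, .xls) store macros in OLE streams rather than as a vbaProject.bin member, so a production gateway would need an OLE parser for those; the example covers the OOXML and archive cases only.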
24
Backups
◦ Implement a Backup Solution, Software or Hardware-Based (or Both)
◦ Ensure All Possible Data You Need to Access or Save is Backed Up (Include USB/Mobile Storage)
◦ Ensure Your Data is Safe, Redundant and Easily Accessible Once Backed Up
◦ Ensure Backups are NOT Connected Permanently to the Computers and Networks Being Backed Up
◦ Regularly Test the Recovery Function of Backup/Restore Procedures
◦ Test Data Integrity of Physical Backups
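Testing the restore path and the integrity of a backup means more than checking that files exist: a hash manifest recorded at backup time lets a restore drill prove that every file came back unchanged, and it is also how a backup that stayed mounted while ransomware ran gets caught before it is trusted. The following is an added example, not part of the deck: it builds such a manifest, verifies a restored tree against it, and then shows the report for a backup copy where one file was replaced by ciphertext and another altered in place. The directory layout, file contents and the ".locky" suffix are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (keys use '/' on every OS)."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(restore_root, manifest):
    """Compare a restored tree with the manifest recorded at backup time."""
    actual = build_manifest(restore_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_is_clean(report):
    return not any(report.values())


def demo():
    """Constructed scenario: back up a small tree, verify it, then show what the check
    reports after a backup left attached to the network has been touched by ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        sample_files = {                      # constructed content, not real records
            "records/patient_001.txt": b"constructed sample record 1",
            "records/patient_002.txt": b"constructed sample record 2",
            "config/app.ini": b"[app]\nmode=prod\n",
        }
        for rel, content in sample_files.items():
            target = src / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)

        # Backup: copy the tree and hash the SOURCE at that moment; keep the manifest
        # outside the backed-up tree (e.g. with the offline copy) so it cannot be
        # overwritten by whatever later hits the backup location.
        backup = Path(tmp, "backup")
        shutil.copytree(src, backup)
        manifest_file = Path(tmp, "manifest.json")
        manifest_file.write_text(json.dumps(build_manifest(src), indent=1))
        manifest = json.loads(manifest_file.read_text())

        clean_report = verify_restore(backup, manifest)

        # Simulate crypto-ransomware reaching the still-mounted backup: one file replaced
        # by ciphertext with an appended extension, and one file altered in place.
        victim = backup / "records" / "patient_001.txt"
        (backup / "records" / "patient_001.txt.locky").write_bytes(b"\x8f\x13\x5a constructed ciphertext")
        victim.unlink()
        (backup / "config" / "app.ini").write_bytes(b"[app]\nmode=prod\nhijacked=1\n")
        tampered_report = verify_restore(backup, manifest)
        return clean_report, tampered_report


if __name__ == "__main__":
    good, bad = demo()
    print("fresh backup clean:", restore_is_clean(good))
    print("tampered backup report:", bad)
```

The manifest should travel with the offline or write-once copy, not sit inside the tree it describes; a restore drill then consists of restoring to scratch space and running verify_restore before the backup is declared good.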
25
26
Step 1: Immediate Response
◦ Disconnect Everything: Unplug the Computer from the Network – DO NOT TURN OFF!
◦ Turn Off Wireless Functionality (Wi-Fi, Bluetooth, NFC)
◦ Do Not Erase/Scrub/Wipe/Scan or Clean Until a Forensic Image is Complete
◦ Implement Cyber Emergency Response Plan
27
Step 2: Determine Scope of Infection
◦ Mapped or Shared Drives?
◦ Mapped or Shared Folders from Other Computers?
◦ Network Storage Devices of Any Kind?
◦ External Hard Drives?
◦ USB Storage Devices of Any Kind (USB Sticks, Attached Phones, Cameras)?
◦ Cloud-based Storage (Dropbox, Google Drive, etc.)?
28
Step 3: Determine Ransomware Strain
◦ www.bleepingcomputer.com (good start)
◦ Anti-virus Vendor
◦ FBI/Law Enforcement
29
Step 4: Evaluate Your Responses
◦ Notify FBI Field Office – FBI Recommends Contacting the FBI Field Office Immediately (Alternative: US Secret Service)
◦ Restore from a Recent (Uncontaminated) Backup
◦ Decrypt Files Using 3rd Party Decryption (Low Chance)
◦ Do Nothing – Lose Your Data
◦ Negotiate – Pay the Ransom
30
“The FBI does not support paying a ransom to the adversary.”
FBI Ransomware Tri-Fold
Step 5:
◦ Restore Systems to Normal
◦ Ensure Malware is Entirely Removed – Even from Old Backups/Backups of Backups, etc.
◦ Conduct After-Action Review
◦ Take Action on Lessons Learned
31
32
33
Direct Costs:
• Customer Breach Notifications
• Post-Breach Customer Protection
• Regulatory Compliance (Fines)
• PR/Crisis Communications
• Attorney Fees/Litigation
• Cybersecurity Improvements
• Technical Investigations
Hidden Costs:
• Insurance Premium Increases
• Increased Cost to Raise Debt
• Operational Disruption or Destruction
• Lost Value of Customer Relationships
• Value of Lost Contract Revenue
• Devalued Trade Name
• Loss of Intellectual Property
34
35
Ernie Hayden CISSP CEH GICSP (Gold) PSP
Executive Consultant
425‐765‐1400
36
Slides 5-6: Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data http://www.ponemon.org/library/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data-1
Slide 8: Why Hospitals are the Perfect Targets for Ransomware https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/
Slide 18: Exabeam – The Anatomy of a Ransomware Attack http://info.exabeam.com/lp-the-anatomy-of-a-ransomware-attack
37
Slide 21: NIST Computer Security Incident Handling Guide SP800-61 R2 http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf
Slide 22: Ransomware Hostage Rescue Manual https://info.knowbe4.com/ransomware-hostage-rescue-manual-0
Slide 22: Ransomware (FBI Trifold) https://www.fbi.gov/about-us/investigate/cyber/ransomware-brochure
38
Slide 32: Deloitte Identifies 14 Business Impacts of a Cyber Attack http://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/deloitte-identifies-14-business-impacts-of-a-cyberattack.html
Evaluating the Customer Journey of Crypto-Ransomware and the Paradox Behind It, F-Secure, https://fsecureconsumer.files.wordpress.com/2016/07/customer_journey_of_crypto-ransomware_f-secure.pdf
Fact Sheet: Ransomware and HIPAA, Department of Health & Human Services http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
How to Protect Your Networks from Ransomware, U.S. Government Interagency Technical Guidance Document, https://www.justice.gov/criminal-ccips/file/872771/download
Ransomware: All Locked Up and No Place to Go, Kaspersky Labs, http://research.crn.com/content57793
39