
Ransomware and Breaches - Securing the Modern Organization

Updated: Jul 27

This presentation was delivered in person at TopGolf in Canton in collaboration with vendors StrikeGraph, Quokka, Ridge Security, and Approov (but don't worry, it's not salesy!). I recorded it for those who missed it, and as a reference for those who attended.


History of Ransomware

A review of the history of ransomware in healthcare.

Key points include:

  • Business Continuity and Incident Response planning are vital. The CrowdStrike incident taught us that it is important to have a plan for when you have to manually restore a large number of end-user devices.

  • There are often warning signs that it is time to move away from a particular technology or protocol. For example, Conficker exploited SMB shares 8 years before the WannaCry attack; that was a warning sign. At MEDITECH we eliminated our use of SMB shares after Conficker, which protected our customers when WannaCry exploited a zero-day vulnerability in SMB shares.

  • Third parties can be a vector for a cyber-attack, so it is important to:

    • Vet third parties carefully

    • Stipulate, before signing the contract, any remediation plans you expect them to carry out to correct serious risks

    • Write the vendor's obligations with regard to incidents caused by them into the contract

    • Coordinate with the third party's security team to learn about best practices and to build a relationship



How the Attacks Happen

A review of the typical attack pattern we see, and of how ransomware has escalated over time. Important points include:



A Controversial Question - To Pay or Not to Pay?

This section explores whether or not to pay the ransom, and includes some "war stories." Read more in my posts here:




Data Breaches

We didn't have time to cover this at the event, but it is particularly useful information if you are part of a HIPAA-regulated entity.




Action Plan



Assess

First, it's important to determine what is critical by doing a Business Impact Analysis.

  • Identify critical systems

  • What is the backup plan if these go down?

  • What is the maximum tolerable downtime?

  • What are the SLAs and RPO/RTO?


Perform a gap assessment to answer key questions such as:

  • Do we have any systems without strong authentication?

  • Can we implement phishing resistant MFA?

  • Have we locked down remote access to servers?


Even a lightweight risk assessment is useful for identifying where the organization is most at risk, and the assessment can be backed up with a vulnerability scan and/or a penetration test.


Cybersecurity Sprint

  1. Build your security culture - in most cases attacks start with phishing. This area needs to be addressed better - simple security awareness training is not cutting it. Read more here: https://www.armstrongrisk.com/culture

  2. Implement strong authentication on all systems; consider implementing phishing resistant MFA.

  3. Focus on identity management - hackers are stealing credentials, cracking weak passwords, and relying on massive password dumps.

    1. Set new password requirements

    2. Provide staff with a password vault (such as 1Password)

    3. Educate staff ("don't use password managers in browsers", etc.)

    4. Identify and reset weak passwords

    5. Monitor identity closely

  4. Lock down your use of remote access tools such as RDP and ScreenConnect. Keep them up to date, since there have been some major vulnerabilities in these tools recently.

  5. Improve your third-party risk management program - go beyond a simple assessment. Really dive into what the vendor does, how they will inform you of incidents, and how you can further protect your interests.

  6. Establish an Incident Preparedness program and run tabletop exercises; more on that here: https://www.armstrongrisk.com/incident-preparedness


Cybersecurity Marathon

Perform a risk assessment - ideally one with quantitative measures - and present it to the executives and the board. Gain resources and establish your long-term strategy.


A key area to consider is how to move off legacy technologies, which put your organization at significant risk.


Implement an EDR or outsource monitoring to a Managed Security Service Provider (MSSP).


Slide Deck


The video is also available on Youtube as one long video here: https://youtu.be/IZinjiNWqI0


References

Action Plan! Extremely Useful Resources

  1. Ransomware eBook

  2. https://www.cisa.gov/stopransomware - also accessible at www.stopransomware.gov

  3. "Stopping the Attack Cycle at Phase One" (CISA) - https://www.cisa.gov/sites/default/files/2023-10/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One_508c.pdf

  4. "Guide to Securing Remote Access Software" (CISA) - https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf

  5. Black Basta Ransomware - https://www.cisa.gov/news-events/alerts/2024/05/10/cisa-and-partners-release-advisory-black-basta-ransomware

  6. "Identifying and Mitigating Living Off the Land Techniques" (Provided by the Five Eyes Intelligence agencies) - https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques

  7. HIPAA Journal: Cyber Fire Drills for Healthcare - https://www.hipaajournal.com/cyber-fire-drills-for-healthcare/


History of Ransomware in Healthcare

  1. https://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

  2. https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

  3. https://www.healthcareitnews.com/news/how-princeton-community-hospital-survived-global-petya-attack

  4. https://www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf

  5. https://www.bbc.com/news/technology-54692120 - "Therapy patients blackmailed for cash after clinic data breach"

  6. https://www.malwarebytes.com/blog/news/2023/03/breast-cancer-photos-published-by-ransomware-gang

  7. https://www.theregister.com/2024/01/05/swatting_extorion_tactics/

  8. https://www.massgeneral.org/assets/mgh/pdf/emergency-medicine/downtime-toolkit.pdf - "Hospital Preparedness for Unplanned Information Technology Downtime Events" (July 2018 - Mass General Hospital)

  9. Change Healthcare - https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/

  10. https://www.hipaajournal.com/ransomware-groups-data-leak-site-listings-up-20pc-q2-2024/

  11. CrowdStrike Incident - while not a "cyber-attack", it is the responsibility of cybersecurity professionals to manage and prevent such outages to the best of their ability - https://www.hipaajournal.com/faulty-crowdstrike-software-update-major-disruption-healthcare/


Tabletop Exercises

  1. HSEEP - Homeland Security Exercise and Evaluation Program - https://www.fema.gov/emergency-managers/national-preparedness/exercises/hseep

  2. DHS Cyber Tabletop Exercise for the Healthcare Industry (Exercise Materials) - https://www.hsdl.org/c/abstract/?docid=789781

  3. FEMA: Safe Exercise Best Practices - https://www.fema.gov/sites/default/files/documents/fema_safe-exercise-best-practice_06072021.pdf

  4. HSEEP Training Videos - https://www.youtube.com/playlist?list=PL720Kw_OojlJRVI3gQiZzj2g72Ez8ISlA

  5. CISA Tabletop Exercise Packages - https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages

  6. Carnegie Mellon: Guide to Effective Incident Management Communications - https://insights.sei.cmu.edu/library/guide-to-effective-incident-management-communications/

  7. "Crisis Communications - The Definitive Guide to Managing the Message" by Steven Fink


Partnerships and Threat Intelligence

  1. InfraGard - FBI partnership with the private sector - https://www.infragard.org/

  2. The Health-ISAC - https://h-isac.org/

  3. ASPR TRACIE - https://asprtracie.hhs.gov/

  4. HIMSS - https://www.himss.org/

  5. HHS Health Sector Cybersecurity Coordination Center (HC3) - Great threat briefs and sector alerts! Be sure to sign up. https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html

  6. Health Sector Coordinating Council Cybersecurity Working Group - Cybersecurity Strategic Plan - https://healthsectorcouncil.org/cyber-strategic-plan/


Contact me for a free consultation via email - Justin@ArmstrongRisk.com - or Calendly.
