Thursday, February 18, 2016

Hackers Hold a California Hospital’s Network Hostage for $3.6 million. Are You Next?

As we have been seeing over the past few years, cyber criminals continue to breach their targets and demand ransom. Most recently, hackers held a California hospital’s network hostage for $3.6 million. Are you or is your organization next? How can you avoid being a victim?

The adversary knows no boundary. Face it, whether you are a tiny organization with one (1) computer or a very large enterprise with 250,000 computers, hackers want you! If you have what they need, they will come after you.

Based upon my real-world experience in network exploitation exercises and data breach investigations, some data breaches have been possible because basic security primitives have not been implemented. What good does it do if a network has layered security at the perimeter and a robust Threat Operations Center (staffed to the gills) when one or a few systems that contain sensitive PII/PHI records are not fortified? For example, I have seen scenarios in which no one in the target organization knows all the locations where sensitive data is stored, who has access to the data, who logs into the system, or what trust relationships exist between these “sensitive data containers” and the rest of the network. The list of problems goes on and on. Passing a HIPAA, PCI, SOX, or other compliance audit does not necessarily demonstrate good security, in my opinion. Being unable to exploit a network during a penetration testing exercise does not necessarily demonstrate that your network has not already been breached.

To avoid being a victim of a data breach, or to reduce the likelihood of one, every system needs to be combed from time to time (a breach assessment/readiness review) to determine whether or not an attacker’s campaign, behavior, indicators, tools and tactics are active on the target system or enterprise. Once we have a clean slate, we can then fix the pumpkins, as my friend Ray Vazquez always says, and develop some sort of security roadmap. For any cyber security program to be successful, internal politics must be removed and the most senior leadership (not just the CSO, but the CFO, CEO, and COO) should be held culpable for security liabilities. I believe that if the head of Security reports directly to the CEO or Legal, the majority of security breaches will go away.