Security survey shows a shift in most-attacked business sectors
Health care is No. 1, but breach numbers should raise alarms for all companies
By Rodika Tollefson, ThirdCertainty
Cyber criminals are continuing their relentless assault on the health care sector, extending a pattern of attacks that hit record levels last year.
The latest evidence: Security vendor Solutionary said July 26 that nine out of 10 ransomware attacks it detected in the second quarter of 2016 were directed at health care organizations.
Those findings reinforce a recent IBM report showing the health care industry rising from obscurity to become, by far, the most targeted sector for all types of cyber attacks in 2015.
Threat landscape changes
IBM’s comprehensive 2016 Cyber Security Intelligence Index, released last month, also disclosed the overall number of attacks is up, and that insiders are proving to be a profound risk.
- IBM compiled its findings based on continuous monitoring of billions of events reported over a 12-month period by more than 8,000 client devices in over 100 countries. Big Blue established that in 2015, health care rose to the top among the most-attacked industries, followed by manufacturing, financial services, government and transportation.
- There were 64 percent more security incidents flushed out in 2015 than in 2014, thanks to improvements in detection and policy refinement.
- Some 60 percent of attacks were caused by insiders, sometimes making mistakes, but very often acting maliciously.
The IBM report notes that cyber criminals branched out in a big way in 2015 from being motivated by financial gain alone to “inflicting physical damage, stealing intellectual property, and lodging political protests.”
Related: Ransomware purveyors go for big fish
Some security experts say the IBM findings don’t necessarily reflect any dramatic shifts in the core motivation of criminals. What’s changing are the availability and adoption of systems for monitoring network activity, observes Ryan Hohimer, co-founder and CTO of DarkLight Cyber, a supplier of security automation systems.
The new tools are making more granular analysis routine. “We’re understanding the nature of the bad guys’ activities … and we’re getting a much clearer picture of who the bad actors are and what it is they’re doing,” Hohimer says.
“To truly understand what’s happening,” he says, “you need to understand the network and traffic, you need to be cognizant of threat intelligence, and you need to understand your organization so you can make sense of the traffic and spot anomalies.”
Steve Bongardt, a former FBI profiler who now works as a cybersecurity expert, agrees.
Get an outside perspective
Cutting-edge behavioral analysis systems can provide actionable visibility into corporate networks, says Bongardt, who is now vice president of security consulting services at Fidelis Cybersecurity.
Bongardt tells ThirdCertainty that he sees many clients investing heavily into “building the height of their wall” but not understanding what’s actually going on inside—where the data is coming from and going, who has access and so on.
That’s why he recommends any organization, “whether your information security group is one person or 1,000 people,” periodically undergo audits by a third party.
“It’s very, very difficult for anyone to look at themselves and get an objective perspective,” he says. “It takes a third party to come in and see what’s missing.”
One such perspective comes from Solutionary, which supplies managed security services to corporate clients. Recently, the vendor announced its Security Engineering Research Team’s quarterly threat report.
In April through June of this year, ransomware turned up in spades—primarily directed against the health care sector.
Ransomware is cyber extortion. Typically in such capers, the attacker encrypts the victim’s data, and demands a payment to restore access.
The Solutionary SERT update shows that the health care industry accounted for 88 percent of ransomware detections in the second quarter of this year. Education and financial institutions also were targeted.
“Health care organizations use an abundance of systems and devices that are crucial pivot points for an attacker,” says Rob Kraus, director of research for Solutionary’s SERT group.
Forewarned is forearmed
The continuing ransomware rampage underscores the importance of having a robust backup and recovery process, as well as up-to-date security software and vulnerability patch management, security experts say.
Jonathan Couch, vice president of strategy at ThreatQuotient, a supplier of threat intelligence systems, says he expects to see an evolution of ransomware.
“As organizations learn how to protect themselves better against ransomware attacks, the adversary will develop new ways to manipulate and hold captive a user’s or an organization’s data,” Couch says.
Meanwhile, the rise of all types of attacks should be a wake-up call for information security executives at companies in all sectors.
New data-loss prevention technologies are providing “much greater insight into what insiders are doing on the network and potential attacks,” Couch says.
Some organizations have started to implement programs to mitigate insider threats, and in most cases, these are related to user privileges and role-based authentication. More advanced programs, however, would require additional monitoring to detect abuse, Couch says.
“The big issue is that this level of security and monitoring can be very costly and requires dedicated resources that a security operations group may not have,” he says.
Biggest threats come from within
Fidelis’ Bongardt says the tendency to view employees through a cultural lens often comes into play.
“It’s difficult to see, sometimes, that we’ve given trust to someone who is working for our company, and they can be as big a threat, if not more so, because they know our data, where things lie and what’s important,” he says. “It’s one of our blind spots, to not look for the insider threat.”
“One of the things we look at from the profiling perspective is, who is the victim and why is the victim a victim,” Bongardt says. “It’s important to look at the network, what’s valuable and who would want to get it.”
One tool he thinks has potential for insider threats is linguistics, especially for assessing disgruntlement—but, he cautions, it needs to be used in the context of an overall assessment, or else it could become dangerous.
“A balance needs to be set because obviously you don’t want employees to feel like they’re always being monitored and have no freedom on the network,” he says. “On the other hand, it’s something we can’t avoid.”
More stories related to ransomware and health care targets:
Medical records theft is a plague on health care, other industries
As hackers target health care data, sector must get proactive
Your money or your data: Ransomware attacks leave everyone vulnerable
Understanding ransomware helps organizations devise solutions