Security survey shows a shift in most-attacked business sectors

Health care is No. 1, but breach numbers should raise alarms for all companies

Cyber criminals are continuing their relentless assault on the health care sector, extending a pattern of attacks that hit record levels last year.

The latest evidence: Security vendor Solutionary said July 26 that nine out of 10 ransomware attacks it detected in the second quarter of 2016 were directed at health care organizations.

Those findings reinforce a recent IBM report showing the health care industry rising from obscurity to become, by far, the most targeted sector for all types of cyber attacks in 2015.

Threat landscape changes

IBM’s comprehensive 2016 Cyber Security Intelligence Index, released last month, also disclosed the overall number of attacks is up, and that insiders are proving to be a profound risk.

  • IBM compiled its findings based on continuous monitoring of billions of events reported over a 12-month period by more than 8,000 client devices in over 100 countries. Big Blue established that in 2015, health care rose to the top among the most-attacked industries, followed by manufacturing, financial services, government and transportation.
  • There were 64 percent more security incidents flushed out in 2015 than in 2014, thanks to improvements in detection and policy refinement.
  • Some 60 percent of attacks were caused by insiders, sometimes making mistakes, but very often acting maliciously.

The IBM report notes that cyber criminals branched out in a big way in 2015 from being motivated by financial gain alone to “inflicting physical damage, stealing intellectual property, and lodging political protests.”

Some security experts say the IBM findings don’t necessarily reflect any dramatic shifts in the core motivation of criminals. What’s changing are the availability and adoption of systems for monitoring network activity, observes Ryan Hohimer, co-founder and CTO of DarkLight Cyber, a supplier of security automation systems.

The new tools are making more granular analysis routine. “We’re understanding the nature of the bad guys’ activities … and we’re getting a much clearer picture of who the bad actors are and what it is they’re doing,” Hohimer says.

“To truly understand what’s happening,” he says, “you need to understand the network and traffic, you need to be cognizant of threat intelligence, and you need to understand your organization so you can make sense of the traffic and spot anomalies.”

Steve Bongardt, a former FBI profiler who now works as a cybersecurity expert, agrees.

Get an outside perspective

Cutting-edge behavioral analysis systems can provide actionable visibility into corporate networks, says Bongardt, who is now vice president of security consulting services at Fidelis Cybersecurity.

Bongardt tells ThirdCertainty that he sees many clients investing heavily into “building the height of their wall” but not understanding what’s actually going on inside—where the data is coming from and going, who has access and so on.

That’s why he recommends any organization, “whether your information security group is one person or 1,000 people,” periodically undergo audits by a third party.

“It’s very, very difficult for anyone to look at themselves and get an objective perspective,” he says. “It takes a third party to come in and see what’s missing.”

One such perspective comes from Solutionary, which supplies managed security services to corporate clients. Recently, the vendor announced its Security Engineering Research Team’s quarterly threat report.

In April through June of this year, ransomware turned up in spades—primarily directed against the health care sector.

Ransomware is cyber extortion. Typically in such capers, the attacker encrypts the victim’s data, and demands a payment to restore access.

The Solutionary SERT update shows that the health care industry accounted for 88 percent of ransomware detections in the second quarter of this year. Education and financial institutions also were targeted.

“Health care organizations use an abundance of systems and devices that are crucial pivot points for an attacker,” says Rob Kraus, director of research for Solutionary’s SERT group.

Forewarned is forearmed

The continuing ransomware rampage underscores the importance of having a robust backup and recovery process, as well as up-to-date security software and vulnerability patch management, security experts say.

Jonathan Couch, vice president of strategy at ThreatQuotient, a supplier of threat intelligence systems, says he expects to see an evolution of ransomware.

“As organizations learn how to protect themselves better against ransomware attacks, the adversary will develop new ways to manipulate and hold captive a user’s or an organization’s data,” Couch says.

Meanwhile, the rise of all types of attacks should be a wake-up call for information security executives at companies in all sectors.

New data-loss prevention technologies are providing “much greater insight into what insiders are doing on the network and potential attacks,” Couch says.

Some organizations have started to implement programs to mitigate insider threats, and in most cases, these are related to user privileges and role-based authentication. More advanced programs, however, would require additional monitoring to detect abuse, Couch says.

“The big issue is that this level of security and monitoring can be very costly and requires dedicated resources that a security operations group may not have,” he says.

Biggest threats come from within

Fidelis’ Bongardt says the tendency to view employees through a cultural lens often comes into play.

“It’s difficult to see, sometimes, that we’ve given trust to someone who is working for our company, and they can be as big a threat, if not more so, because they know our data, where things lie and what’s important,” he says. “It’s one of our blind spots, to not look for the insider threat.”

“One of the things we look at from the profiling perspective is, who is the victim and why is the victim a victim,” Bongardt says. “It’s important to look at the network, what’s valuable and who would want to get it.”

One tool he thinks has potential for insider threats is linguistics, especially for assessing disgruntlement—but, he cautions, it needs to be used in the context of an overall assessment, or else it could become dangerous.

“A balance needs to be set because obviously you don’t want employees to feel like they’re always being monitored and have no freedom on the network,” he says. “On the other hand, it’s something we can’t avoid.”
