Warning banners often work: Here's how hospitals can use them to ward off hackers
A warning banner, as the name might suggest, is one tactic for deterring hackers by literally threatening them with specific sanctions for going any deeper into your network.
As simple as the concept might seem, criminologists have published new research finding that displaying a warning banner when someone is logging in reduces the frequency of harmful attacks by hackers who infiltrate a system with the login credentials of non-administrative users.
Cybercriminals coming in via administrative user accounts is another matter altogether and we’ll come back to that shortly. But first, a look at what warning banners are and when they work best.
A ‘No Trespassing’ sign for hackers
Forty-five percent fewer cyberthieves kept roaming around the networks after encountering a warning banner, compared with hackers who were not exposed to such a message, according to Alexander Testa, a Ph.D. candidate in criminology and criminal justice at the University of Maryland College Park.
“Similarly, the frequency of using commands to manipulate files reduced by over 70 percent among those exposed to the banner,” said Testa, who conducted research on the subject in association with the Crime and Justice Research Alliance and published it in the paper “Illegal File Manipulation on Target Computers.”
The National Institute of Standards and Technology suggests that a warning banner include privacy and security notices consistent with federal laws, regulations and executive orders. It should also alert users that they may be monitored, recorded and even audited. What’s more, the notice should state that unauthorized use of the IT network and resources is subject to both civil penalties and criminal prosecution. NIST also recommended setting up the notifications so the user has to take explicit action to move forward.
When users log in, they see the warning banner, much like a No Trespassing sign. And just as No Trespassing signs don’t fend off everyone, hospital CISOs and infosec specialists should know that warning banners won’t scare everyone away either.
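One way to check an existing login banner against the content elements NIST suggests, as an added example that is not from the research or from NIST. The function name, the keyword patterns and both sample banners are assumptions constructed for illustration; the explicit-action requirement depends on the login flow and cannot be checked from the text.

```python
import re

# Content elements named in the NIST guidance described above. The regexes are
# this example's own wording heuristics (an assumption), not NIST text.
REQUIRED = {
    "monitoring": r"\bmonitor(ed|ing)?\b",
    "recording": r"\brecord(ed|ing)?\b",
    "audit": r"\baudit(ed|ing|s)?\b",
    "unauthorized use": r"\bunauthori[sz]ed\s+(use|access)\b",
    "civil penalties": r"\bcivil\b",
    "criminal prosecution": r"\bcriminal\b",
    "privacy/security notice": r"\bprivacy\b",
}

def audit_banner(text):
    """Return the required elements that the banner text never mentions."""
    # Banners are usually hard-wrapped and often upper-cased, so collapse all
    # whitespace (a phrase may span a line break) and match case-insensitively.
    flat = " ".join(text.split())
    return [name for name, pattern in REQUIRED.items()
            if not re.search(pattern, flat, re.IGNORECASE)]

# Constructed sample: a greeting that tells an intruder nothing about sanctions.
WEAK = "Welcome to the records server.\nAuthorized staff only.\n"

# Constructed sample: mentions monitoring and a criminal sanction only.
PARTIAL = ("Use of this system is monitored.\n"
           "Unauthorized access is a criminal offence.\n")

# Constructed sample covering every element, wrapped mid-phrase on purpose.
STRONG = ("NOTICE: THIS SYSTEM IS FOR AUTHORIZED USERS ONLY.\n"
          "Activity may be monitored, recorded and audited. Unauthorized\n"
          "use is subject to civil penalties and criminal prosecution.\n"
          "Read the privacy and security notice before you continue.\n")

if __name__ == "__main__":
    for label, banner in (("weak", WEAK), ("partial", PARTIAL), ("strong", STRONG)):
        missing = audit_banner(banner)
        print(f"{label}: " + ("complete" if not missing else "missing " + ", ".join(missing)))
```

A keyword match only shows that a topic is mentioned; the final wording still needs review by whoever owns the organization's legal and privacy notices.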
Hackers wielding admin creds
Testa’s research determined that, although banners can turn away hackers using non-administrative credentials, they were ineffective against hackers that infiltrate a computer system using login credentials of high-level administrative users, including IT security professionals.
“Administrative credentials provide extra privileges on the computer network, which may increase the benefits for carrying out a criminal act; for instance, monetary gain, revenge and espionage,” he said. “Administrative privileges also provide more opportunities to engage in detection avoidance strategies such as removing files from the attacked system and cleaning computer event logs or special files that record significant events on the computer.”
Therefore, it may be difficult to dissuade trespassers from extensively exploring and changing file permissions on the attacked system when the potential benefits from a criminal event are heightened. So if the warning banners do not work in this situation, what can healthcare CIOs and CISOs do to combat this problem?
Testa recommended revising the approach and content in the messages. For instance, running a repeated series of visual warnings instead of a single banner, or changing the language of the warning to issue more severe sanction threats, can help to raise the risk perceptions associated with system trespassing and, ultimately, more effectively stop intruders, he explained.
One piece of the cyber puzzle
Hospital security teams should know that warning banners, while proven to be effective against less-skilled criminals, are just one piece of a much broader cybersecurity strategy.
“Healthcare and other organizations should apply security solutions that were proven to be effective in rigorous scientific studies,” he said. “The implementation of an evidence-based cybersecurity approach is crucial for facilitating more secure cyber environments that could prevent and mitigate the occurrence of trespassing events.”