How to stop ransomware: It's really not that complicated
Ransomware. The word itself is scary enough, let alone the glimpse the world got in May and June, with WannaCry and NotPetya, of just how damaging such attacks can be. But cybersecurity experts counter that ransomware shouldn’t actually overwhelm information security professionals -- if they adhere to simple best practices.
For starters, backups are crucial, and they should be both encrypted and kept offline -- separate from the main network -- according to Engin Kirda, professor of electrical and computer engineering and of computer and information science at Northeastern University.
Lee Kim, HIMSS’ director of privacy and security, said the real problem is that hospitals are often stuck running outdated, legacy systems, and that even keeping pace with software patches is not always completely effective. Both NotPetya and WannaCry, for instance, leveraged vulnerabilities in these legacy systems.
In fact, Kim explained that when hospital systems must run these outdated systems, including those upon which medical devices are built, it’s necessary to make sure the ports of entry are as closed off as possible.
“If an organization needs to run these systems, shelter the technology from the outside world and segment it from the network,” Kim said. “It’s always best practice to segment the network and not make it possible for one hacker to get in and pivot around your system.”
Beyond patching, segmentation and software upkeep, Kim said that hospitals can strengthen their defenses with pen testing, which actively probes a system or network for exploitable vulnerabilities.
“I can’t think of a better way to be prepared,” said Kim. “[Pen testing] should be done not just once in a blue moon, it needs to be done regularly.”
Hospitals should authorize the testing with an experienced vendor or security employee, so that the test traffic does not disrupt operations.
Risk assessments can also help reveal weaknesses and build defenses.
“We want to make things more difficult for the attackers and reduce the volume of attacks,” she said.
Not surprisingly, the crux of the ransomware issue boils down to the biggest weakness of all networks: the user.
It’s a simple technique: hackers craft emails that trick users into taking an action, Kirda said. “It’s just that some users don’t understand ransomware, and they end up doing things that allow a successful attack.”
So phishing training is critical, explained Kim. “It’s the adage of you’re only as strong as your weakest link. You can’t ignore teaching employees what to do and what not to do.”
Fortunately, there’s a lot that can be done with the human element. Naturally, employees should be trained to be cautious about opening attachments. “For an attack to be successful,” Kim said, “they just need a door or one hole to squeeze through.”
Some organizations also label email that originates outside the company as external, which helps employees judge whether a message supposedly sent by a colleague is genuine. IT can append the label, in red, to the bottom of every such email: when a message arrives from outside, it passes through the designated filter, which tags it and notifies the user that it came from an outside party.
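The external-sender labeling described above, as an added example that is not from the article or any vendor product: a small Python filter that decides internal versus external from the From: address (never from the display name) and tags the subject and body of external mail. INTERNAL_DOMAINS, the function names and the sample messages are assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"hospital.example"}  # assumed internal domain; its subdomains count as internal too
BANNER = "[EXTERNAL] This message came from outside the organization."


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From: addr-spec. The display name is ignored on purpose:
    it is free text chosen by the sender, so a spoofed name cannot fool the check."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].strip().lower()


def is_external_sender(msg: EmailMessage, internal=INTERNAL_DOMAINS) -> bool:
    """True unless the domain is an internal domain or a subdomain of one.
    A missing or unparseable From: fails closed and is treated as external."""
    domain = sender_domain(msg)
    if not domain:
        return True
    return not any(domain == d or domain.endswith("." + d) for d in internal)


def tag_external(raw: str) -> dict:
    """Parse one raw message; when it is external, prefix the Subject and append
    the banner to the plain-text body (an HTML gateway would render it in red)."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    external = is_external_sender(msg)
    if external:
        if not subject.startswith("[EXTERNAL]"):
            subject = "[EXTERNAL] " + subject
        body = body.rstrip("\n") + "\n\n" + BANNER + "\n"
    return {"external": external, "subject": subject, "body": body}


# Constructed sample messages, not real traffic.
INTERNAL_MSG = "From: Dr. Smith <smith@ward.hospital.example>\nSubject: Shift change\n\nSee the roster.\n"
SPOOFED_MSG = ('From: "IT Helpdesk <helpdesk@hospital.example>" <reset@mail.invalid>\n'
               "Subject: Password reset required\n\nClick the link to keep your access.\n")
NO_FROM_MSG = "Subject: Invoice\n\nAttached.\n"

if __name__ == "__main__":
    for raw in (INTERNAL_MSG, SPOOFED_MSG, NO_FROM_MSG):
        result = tag_external(raw)
        print(result["external"], "|", result["subject"])
```

The second sample shows why the check reads the address and not the name: its display name contains an internal-looking address, but the real sender is outside and the message is tagged.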
Anti-phishing, user education and clearly marking emails as external or internal are basic blocking and tackling that can go a long way to thwarting attacks. Kim also recommended seeking outside help when you need it.
“Study up or hire someone experienced in cybersecurity,” Kim said. There are plenty of ethical hacking pointers available online, and “yet there are so many health organizations vulnerable to attacks. It’s really a twilight zone experience.”
Ultimately, the issue lies with infosec professionals explaining why cybersecurity needs to be at the forefront of budget discussions and planning -- because it’s a safe bet that the attacks will keep on coming as long as they remain profitable.
“Healthcare is low-hanging fruit,” Kim said. “That’s the unfortunate reality: the dragon is at the door.”