Recently, I had the occasion to see firsthand the devastating effects of a serious malware attack that took a majority of a hospital’s systems offline, forcing them to use work arounds to maintain some semblance of operations. The impact before it’s over is likely to be incredibly costly for that organization. Days later we heard the announcement of another hospital taken down by ransomware. And then there was NotPetya which turned out to be a directed denial of service attack designed to destroy the systems and data it infected. There was no magic key to decipher or roll back its effects. All of this just reinforces the need to get more vigilant about our cybersecurity and to just say no to the things that keep us from being secure.
1. Get your head in the game. We have thousands of malware attacks every day, crashing into our perimeters looking for the one mistake we have made, which is all the attackers need to get in. Just in the past few weeks, we saw several hospitals suffer massive ransomware attacks and a worldwide attack of new strain of WannaCry (Petya) that seeks not financial gain, but more sinisterly to destroy systems and data. Organizations hit by this new malware have woken up to the real dark side of hacking – attacks with the sole aim to destroy their systems and their data. Yet many will just say, wow glad that was not us, we dodged another one. The question is will you dodge the next? Will you instead ask IT if that had been us, how would we have fared? Don’t be afraid to say no to those who think cybersecurity is just an IT issue. It’s a leadership issue.
2. Get fanatical about vulnerability management. And I mean all aspects; hardening, patching, configurations, change control, testing…all of it. There is nothing exciting about this work, no one will argue that, but it is critical and those who do not give it attention are destined for excitement…just not the type they bargained for. More than 90% of hacks take advantage of a vulnerability more than one year old. Meaning someone could have patched it, disabled it, closed it, etc. and did not. The attacker only has to get lucky once to find that mistake, whereas we have to get it right all of the time. Maintenance and administration are hugely important to defending the enterprise, we can no longer afford to neglect them. Don’t be afraid to say no to sacrificing maintenance and administration for up time.
3. Get rid of old IT. Obsolete, unsupported software, browsers, operating systems are all magnets for malware. Many of the victims of WannaCry learned this firsthand as they watched the Windows XP systems still deployed in their environments succumb. Refresh schedules have to stay ahead of obsolescence in order to remove this threat. Where that is not possible, we need to employ other means of isolating these systems by separating them from or putting additional protections between them and the network or the Internet. Don’t be afraid to say no to unsafe usage of obsolete IT or to purchases of systems with obsolete software.
4. Get the best defenses. Traditional security technologies have proven they alone are no match for the new attacks being thrown at the enterprise. All you have to do is just look at Mirai, WannaCry, and most recently NotPetya to realize this fact. You need to invest in next generation firewalls, advanced malware detection, email and web gateways, virtual honeypots, and other newer technologies. Investment is necessary. Security costs, but lack of security or no security costs significantly more. Just ask anyone who has been the victim of a serious malware attack. Don’t be afraid to say no to those that say we can do the job with what we have.
5. Get limited. We’ve known forever that the best way to protect something is to limit the number of people who have access to it. That is doubly true for access with elevated privileges. The overwhelming majority of the damaging attacks we’ve witnessed took advantage of weak access practices or exploited someone’s administrative level permissions. That happened because there are too many, they are weakly controlled, and they are not monitored or audited regularly. Employ two-factor authentication on all remote, web and administrative level access. Eliminate all elevated privileges through vaulting. If you can’t do that, then eliminate all administrative access possible and monitor what remains. Don’t be afraid to say no to access for convenience.
6. Get buoyant. The reason a naval vessel can withstand battle is because the ship is compartmented. Each compartment can be sealed off to stop the impact of the damage to another. Networks employ a concept called segmentation that can achieve this same effect when attacked, but only if that segmentation is real. Simply deploying VLANs does not segment the network securely. We need to start deploying access controls on segments, use segmentation firewalls and better configuration of network devices managing traffic. With the right technologies, detecting events, and the right segmentation, we can stop, isolate and limit the impact of attacks to protect critical assets and information. Don’t be afraid to say no to just doing it the easy way.
7. Get everything backed up. When we talk about backing things up, we often focus on the data alone, which is a huge mistake as many are learning. We also think of backups as having an electronic copy of information on a system. We need to redefine our definition of backup to include everything we need to reconstitute the enterprise, baseline images, configurations, current applications and the data. Secondly, we need to make sure that we have a copy that is air gapped from the rest of the enterprise so that when the unthinkable happens, we have what we need to rebuild. Many victims of malware attacks have had to rebuild from the bare metal, meaning reloading the basic operating system, reloading applications, reapplying configurations and reloading data. Not having up to date information about any aspect of the current environment can grind that recovery process to slow pace. Don’t be afraid to say no to those who say we can’t take something offline long enough to back up.
8. Actively monitor. The computing environment that we operate in today generates millions of log events per day, week, and month depending on the size of the organization involved, but regardless of where you fit it, it is not possible for your staff to monitor this activity manually. This is an area where organizations need to seek out a partner, a professional SOC capable of monitoring, alerting and providing early warning - often hours before an event will likely affect you. This is not something most healthcare organizations can do effectively even with tools. Don’t be afraid to say no to unrealistic expectations.
9. Get organized. Fire drills have never particularly been anyone’s favorite activity, but well organized ones that end quickly or ones that worked in a real crisis were appreciated and made a difference. Responding to cyber incidents is no different. You need a process, you need people who know how to run it, you need the right equipment to support them, you need a communications plan, you need the right responders, you need to stop the event, isolate the intruder/infection, analyze/investigate the cause, eliminate the attacker, restore the enterprise and all the while continue to operate. This will not happen by accident. Plan, train, exercise, perform, learn. Don’t be afraid to say no to those who say we don’t have time to practice.
Get confident. Create the cybersecurity strategy that gives the organization the confidence to handle whatever comes without impacting the mission. Knowing that you have a better than average chance of seeing events before they can do real damage, you can respond to mitigate the attack, forcing the attacker to work for whatever they get, and in the worst-case, you can reconstitute quickly and efficiently provide real confidence in your computing environments. It also provides the confidence to just say no to ransom demands. Paying a ransom only guarantees a positive outcome for the attacker, which just further incentivizes them to go after others. Spend that money elsewhere like better defenses, better warning, better responding or better recovery.
Mac McMillan is president and CEO of the Austin, Texas-based CynergisTek consulting firm.