Cybercrime (41)

Just because it’s an old hat doesn’t mean cyber-criminals give it up. Structured Query Language (SQL) the long-standing international standard for database manipulation, can still be part of a cyber-attack. SQL injection and Cross-Site Scripting (XSS) attacks enables cyber-attackers to inject client-side script, JavaScript, or Hypertext Markup Language HTML into web pages so other users can see them.

JavaScript’s an object-oriented programming language for creating interactive effects in web browsers. HTML’s a standardised system for tagging text files to achieve font, colour, graphic, and hyperlink effects on web pages.

SQL injections are common for Hypertext Preprocessor (PHP) applications, usually on Linux servers and with MySQL, and Active Server Page (ASP), Microsoft’s web server technology for creating dynamic, interactive sessions with users. Code Project has a post describes a small, sample code to deal with the vulnerabilities and combat these attacks. It’s available to download.

There’s more help, advice and a demonstration on a webcast from Alien Vault. It’s released it partly because it says SQL injection and Cross-Site Scripting (XSS) attacks affect millions of users and they need Security Information and Event Management (SIEM) solutions to find these vulnerabilities. SIEM collects and correlates data to identify patterns and raise alerts on cyber- attacks.

Watch this demo to learn more about how these attacks work and how AlienVault USM gives you the built-in intelligence you need to spot trouble quickly.

  1. How these attacks work and what you can do to protect your network
  2. What data you need to collect to identify the warning signs of an attack
  3. How to identify impacted assets so you can quickly limit the damage
  4. How Unified Security Management (USM) can simplify detection with built-in correlation rules and threat intelligence.

Both sources offer Africa’s eHealth projects a start. It also needs to be part of comprehensive cyber-security strategies.

  

As a criminal business, ransomware’s big. It’s set to be bigger. Jack Danahy, a Barkly co-founder, writing in Barkly’s blog says cyber-attackers will use three new methods in 2017.

  1. An extra threat of doxxing, public disclosure of private records, either a file at a time or as a catastrophic dump to increase the chances of victims paying the ransom
  2. Ransomware infections will spread more quickly and easily
  3. Fileless ransomware will increase rapidly.

A Barkly survey reports only 5% of US organisations say they paid ransoms. Better back-ups and easier data recovery have reduced ransom attack’s effectiveness. Cyber-criminals are shifting their attacks to businesses instead of consumers to demand more. It means they’re increasing the potential damage and disruption of not paying. Other countries are seen as softer targets too. It’s a warning for Africa’s eHealth and healthcare.

Ransomware attacks will also increasingly bypasses scanners and signature-based anti-virus security. It raises the chances of infection for less sophisticated organisations. These’ll add to the more common technique of phishing emails with malicious attachments. Fileless attacks aren’t easy to identify using conventional endpoint security tools.

The lessons for Africa’s eHealth are stark. Two main themes are:

  1. Stepping up basic cyber-security measures rapidly, and not just to deal with ransomware
  2. Adopt more sophisticated cyber-security to deal with emerging new threats, especially ransomware threats.

Health systems will need investment in new cyber-security skills and solutions. They’ll need new eHealth strategies too.

The nature of cyber-crime’s changing. Health systems are no longer safe. Cyber-criminals have moved on from stealing personal data to using more disruptive tactics. An article in Healthcare IT News says healthcare’s seen the largest jump in ransomware attacks, so more than other organisation.

Joel Brenner, a Massachusetts Institute of Technology (MIT) research fellow who focuses on cyber-security, privacy and intelligence policy explained “We’re facing industrial espionage on an industrial scale.  If espionage is not the oldest business in the world, it’s the second oldest.”

While he admits healthcare may not top the list in terms of incidents or breaches, it’s ahead on four unwanted scores:

  1. Highest percentage of incidents
  2. Highest number of incidents by stolen assets
  3. Loses more information
  4. Very high ratio of incidents to breaches.

These combine into an uncomfortably high success rate for the number of cyber-attacks succeeding more often than not.

Tangible actions organisations can take to reduce vulnerabilities include privilege misuse and BYOD, which Brenner caustically calls ‘Bring Your Own Disaster.’ Also recognize that not everyone needs access to everything. “It’s about training your people repeatedly,” Brenner said. “You don’t need a big plan, no one opens that manual in times of crisis. You need a simple checklist.”

Unbroken cyber-security’s essential too. Unfortunately, most organisations can’t afford it and don’t trust a vendor enough to tackle the problem. Information silos offer an equally pressing challenge. Brenner says high-level executives are part of the problem and the solution. “Unless someone high level in these siloes comes in with a baseball bat,” Brenner said, “it’s not going to be solved.” 

Africa’s health systems can learn from the US’s experience. Putting in place an easy check lists for cyber-security measures and continuously training staff may be two simple steps, but they go a long way in keeping eHealth secure. They’re essential components of cyber-strategies, so why wait until the strategies and plans are in place. Checklists and training can be set up now.

Many healthcare organisations are inexperienced and under-resourced in coping with ransomware attacks. A guide from KnowBe4, Ransomware Hostage Rescue Manual, sets out technical descriptions of the actions to responding to and recovering from an attack. It also details preventative measures needed. Africa’s health systems, eHealth governance teams and technical eHealth teams should use it as a core reference before their organisations are attacked.

It’s themes include:

  1. A description of ransomware and Bitcoins, the ransomware currency and The Onion Router (TOR), a network and browser that enhances and anonymises Internet traffic
  2. How to identify an infection from symptoms and  Infection Vectors of emails, drive-by downloads free software downloads to avoid
  3. How to respond to an infection
  • Disconnect
  • Determine the scope
  • Identify the ransomware strain
  • Evaluate response option of restore, decrypt or do nothing
  1. Negotiate or  pay the ransom
  • First, restore from backup or shadow volume
  • Second, try decryption
  • Third, do nothing and lose the files
  • Fourth, negotiate or pay the ransom
  • Fifth, review the ransomware attack response checklist
  1. Learn and protect from future attacks with improved:
  • Defence in depth
  • Security awareness training
  • Simulated attacks
  • Antivirus, antispam and firewalls
  • Backups
  1. Implement better cyber-security resources, including a ransomware attack response checklist and a ransomware prevention checklist.

Applying the guide needs someone with ICT skills. It’s appropriate for someone in each of Africa’s health systems’ ICT teams to take responsibility. They should be accountable to an executive, who in turn should report on progress, risks and actions to eHealth governance teams. Where these are already in place, the Ransomware Hostage Rescue Manual offers an opportunity for a comprehensive review of the effectiveness of the arrangements.

As cybercrime expands and eHealth becomes more affected and infected, India’s planning legislation for comprehensive civil and criminal remedies for eHealth data breaches. It’ll also set up an enforcement agency. Provisions are being drafted to deal with any breach of patients’ data.

A report in the Times of India says the legislation will include a comprehensive legal framework to protect individual’s eHealth data, ownership of eHealth data, and health data standardisation for data collection, storage and exchange. African countries could benefit by monitoring India’s initiative as a comparator for their own eHealth legislation and regulation.

Much of Africa’s eHealth in its infancy, so most African countries don’t have specific eHealth regulations. In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), identified a 45% gap in Africa’s eHealth regulation compared to developed countries. Not much has changed since then. eHNA reported previously on Africa’s eHealth regulatory perspectives. Much more remains to be done, but it must not stifle innovation.

It’s not only the frequency of cyber-attacks in Kenya. It’s the size and sophistication of these assaults that has government and businesses on edge. The recent hacking of Kenya’s Government in November 2016 has highlighted the increasing attacks in the country and spotlighted the vulnerabilities and losses to government and online businesses. An article in Arbor Networks says the losses, a staggering US$146m a year.

It has attributed to the major increase in connected devices. “Kenya and its surrounding countries has continuously attracted nefarious activities by cyber criminals, and the proliferation in distributed denial-of-service (DDoS) attacks in the region is today as much a reality as it is globally,” says Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks. the world’s leading provider of DDoS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research rates it as the world’s leading provider of DDoS protection in enterprise, carrier and mobile markets.

Paul Roy Owino, president of Information Technology, Security and Assurance (ISACA), says Kenya has recorded up to 3,000 cyber-related crimes a month. They include banking fraud, money transfer using M-pesa and interference with personal data.

Mark Campbell, consulting engineer for sub-Saharan Africa, highlights another security risk. Many IoT devices run on Open Source (OS) operating systems, mainly because it’s cheaper to develop, so more affordable and with a shorter time frame from development to use. “However, the result is that the code is poorly written with numerous security vulnerabilities. Of course the majority of users do not have the time, patience or expertise to test these for vulnerabilities, making many IoT devices, including our home appliances, a threat actors’ dream” says Campbell.

Although government sites are generally not built solely for commerce, Hamman warns that often when cyber-criminals take sites offline they often do it as a smokescreen for more devious behaviour. He says “Whilst site owners are distracted by their website being down, cyber criminals use this shift in focus to create a more threatening and targeted DDoS attack on the company or institution with the purpose of infiltrating the network and holding the victims to ransom for money or political motivations, or to steal valuable data and intelligence, such as flight plans for private or military planes, amongst others.”

Hamman warns that:

  1. Security is a multi-layered problem and continuous process
  2. A one size fits all security solution doesn’t exists
  3. Preparation is key
  4. When under attack, every second counts
  5. Organisations need people, policies and processes in place so actionable intelligence and a practiced workflow to investigate a breach are kicked off immediately
  6. Organisations need pervasive visibility across its fixed, mobile and cloud network feeding into a threat management solution
  7. Never assume that a single breach or compromise was it, so it’s over, because a DDoS attack is almost always part of a wider cyber-crime strategy, so the right tools must be in place to understand the breadth and scope of breach.

Cyber-security has  become a major requirement for successful eHealth. With complex attacks on the rise, it’s more important than ever for healthcare organisations to have policies and strategies in place to protect their data and specify what they must do in response to a breach.

Firewalls and high fences aren’t sufficient to stop phishing attacks. Imprivata, an ICT security firm, says only 33% of organisations feel fully prepared to defend against phishing, but now there’s whaling and spear phishing too, aiming at precise targets with maliciously disguised techniques. Its report Avoid becoming the catch of the day: Four steps to combat phishing attacks, says preventing phishing depends on users’ abilities to deal with the difference between legitimate and illegitimate information requests, but it’s becoming harder to do. Imprivata proposes:

  1. Asses internal vulnerabilities
  2. Take away the keys
  3. Improve the lock
  4. Increase end-user education.

Assess risks of internal vulnerabilities needs CIOs and cyber-security teams to:

  1. Identify the most likely forms of attack, such as key employee behaviours
  2. Identify contributing factors and workflow needs that cause clinical and administrative staff to favour risky behaviours using techniques such as internal penetration testing
  3. Understand why these vulnerabilities exist
  4. Eliminate vulnerabilities’ root causes by managing risky employee behaviours through technology, policy, and social means.

Taking away the keys starts with improving passwords, hackers’ keys that can be easily stolen by preying on human nature. Single Sign On (SSO) can eliminate access to most keys by replacing manual password entry with automated authentication, such as a proximity badge. It can eliminate the need for manually entered passwords and time-consuming logins.

Improving the lock’s need where passwords are still needed, such as access to remote networks access, such as Virtual Private Networks that need a username and password. These are locations for vulnerabilities. Two-factor authentication technologies can help to protect them, such as using an eToken that can’t be used by hackers, then a username and password

Easing user education should include information that users can apply promptly. Examples are:

  1. Never enter usernames and passwords their apps on the premises because the ICT is already enabled
  2. If they’re prompted for passwords, something’s wrong and needs red-flagging for the ICT and cyber-security teams.
  3. Configuring systems so users can’t enter their passwords manually.

As cyber-criminals turn to Africa’s eHealth, health systems can consider these as part of their defences. It costs, but so does a successful phishing attack.

Cyber-crime in the health care sector is growing. Latest reports show that the healthcare has the highest occurrence of cyber-security mishaps of all industries. It’s bottom of the league table for its ability to fix software vulnerabilities. But there may be a very small silver lining. Healthcare records are not as valuable as banking details to cyber-criminals.

An article in ITONLINE says the price per record for stolen patient medical records remains lower than financial account records and retail payment account information. This is a finding from Intel Security’s McAfee Labs Health Warning which:

  1. Assesses the marketplace for stolen medical records
  2. Compares it with the marketplace for stolen financial services data
  3. Identifies healthcare cyber-crime trends
  4. Profiles cyber-crime targeting intellectual property in the pharmaceutical and biotechnology industries.

The Intel Security research asserts that the development of the market for stolen data and related hacking skills indicate that cyber-crime in healthcare is growing.

“In an industry in which the personal is paramount, the loss of trust could be catastrophic to its progress and prospects for success,” says Raj Samani, Intel Security’s chief technology officer for Europe, the Middle East, and Africa. “Given the growing threat to the industry, breach costs ought to be evaluated in the Second Economy terms of time, money, and trust, where lost trust can inflict as much damage upon individuals and organisations as lost funds.”

In recent years, the cyber-criminal community has extended its data theft efforts beyond financial account data to medical records. Although credit and debit card numbers can be canceled and replaced quickly, protected health information (PHI) which doesn’t change. PHI could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories.

This dynamic has led to industry speculation that the price per medical record could soon rise or even eclipse that of financial account or payment card data, but Intel Security’s 2016 research doesn’t support this theory. It found the average health record price was greater than that of basic personally identifiable information, but still less than personal financial account data. The per-record value of financial account data ranged from $14 to $25 per record, credit and debit cards drew around $4 to $5. Medical account data earned between $0.03 to $2.42.

The findings suggest that financial account data continues to be easier to realise than personal medical data. Stealing medical records may enable cyber-criminals to analyse it, and cross-reference it with other data to identify lucrative fraud, theft, extortion, or blackmail opportunities. Financial data still presents a faster, more attractive return-on-investment for cyber-criminals.

Healthcare records may not currently be as valuable as banking details to cyber criminals, but this may change. Healthcare organisations need to be more vigilant than ever to ensure the security of their systems and their patients’ data. Training and educating staff is an essential component to keeping healthcare data safe and should not be part of each healthcare orginisations’ cyber-security policies.

Suddenly, a deluge of internal calls to the ICT help service had users clamouring for their files to be restored. The ICT team of three, including a new starter on the day of the cyber-attack, couldn’t cope with the volume or the problem. The story unfolds in a blog from Barkly.

A call for help to the ICT consultant used for backups hadn’t been keeping them up to date. The team placed another call to its ICT supplier. In the meantime, a secondary server stopped and wouldn’t restart. Dozens of folders with important data, located on shared drives didn’t have duplicates located separately.

Then, the new starter had opened an email from a company never used saying it had a shipping invoice, but couldn’t remember if she had opened the attached .zip file. Ooops.

Five weeks were dominated by servers, networks, backup research, data recreation and disaster communications. All the other projects were on hold until the server was replaced with and installed, databases were upgraded, fixing software that wasn’t compatible with the newer operating system, rebuilding the network from scratch, but with better group policies and permissions, and suggesting a more secure infrastructure and backup environment to minimise risks and future costs, a battle only partially won.

The result was being more secure than before the attack. This was not enough. Systems weren’t as secure and recoverable as they could’ve been. Four lessons emerged from the harrowing episode:

  1. Some scary things are real
  2. Always try to fix broken systems without delay straight away, even if someone else broke them before you inherited them
  3. The pain of forking over some time and cash to set things up right is nothing compared to scrambling to recover from a disaster
  4. Use multi-layered security and backups.

Cyber-security was identified as an important issue at Acfee’s African Economic Forum in September. It’s assembling white papers reports and stories like this to provide Africa’s eHealth leaders with access to advice on cyber-security so they can take action before waiting until there’s a breach.

Africa’s eHealth needs more cyber-security initiatives to prepare to respond better to future onslaughts. Three measures are identified in FierceHealthcare. They’re:

  1. More sharing about breaches
  2. Standardise as many platforms as possible to increase the transferability, so value, of shared cyber-threat experiences
  3. Classify and report all ransomware attacks as cyber-security breaches.

These are some of the views of Jeffrey Vinson, chief information security officer at the USA’s Harris Health System. In his interview with HealthcareInfoSecurity.com, he goes on to say that platforms are also not yet mature, so healthcare organisations can’t find enough reliable, realistic, actionable intelligence from the information coming to them. They also face resource challenges in digesting the information and taking effective action.

These views are drawn from a Harris Health System project financed by a Department of Health and Human Services grant to study the healthcare cybersecurity landscape. It’s now in its second phase of polling organisations about capacity planning.

While ransomware’s on the increase, and now one of the biggest threats, Vinson says there’s not much guidance on what organisations need to do I the event of an attack. This highlights a challenge for Africa’s health systems too. This may be rectified when the Office of the National Coordinator for Health IT selects one organisation to take a lead role in cyber-threat information sharing. This could be a model for Africa’s health systems.