Phil Curran, CISO & CPO, Cooper University Hospital
Ransomware is making all of the headlines. I certainly do not want to downplay the disastrous effects of ransomware, but I wonder if we are placing our emphasis on the wrong area. Ransomware is loud and pretty hard to miss, but what about those low and slow attacks that are silent and deadly? Are we ready for them? All the ransomware we have seen in the past few months, and even in the past few years, has started through a phishing attack. One area we can certainly concentrate on is the education of our employees to identify a phishing email and the steps they should take when they identify those types of emails. Our employees are often the first vector an attacker uses to gain access to our information. When we educate our employees, we are taking a huge step forward in the mitigation of that attack vector. We all know that an email education campaign is not very effective. I suggest working with your marketing department to come up with a campaign that is directed toward your employees. The marketing department is much more cognizant of how to reach employees through various media types. If you don’t have a marketing department, you can reach out to your peers or to SANS Securing The Human for free or low-cost ideas.
An effective education campaign is also centered on how employee actions, or inactions, affect them on a personal basis. When we make education personal, the training seems to stick better. For example, since I work in a hospital, I would focus my campaign on how ransomware would make their job that much harder by removing their ability to access the electronic health record (EHR). They could no longer rely on the EHR to automatically document things like a patient’s temperature or blood pressure. They would have to physically go to the patient’s room, take those readings and document the readings on paper. When they regained access to the EHR, they would have to input that information into the EHR. I would also focus on the impact on patient safety and patient care.
Another tactic in your employee education would be to hold phishing exercises. I do not think an annual phishing test is effective, so I would recommend quarterly or semiannual phishing tests. There are many vendors that you could use for these types of tests, or you could develop an in-house phishing test. However you conduct these exercises, and no matter how often you conduct them, when an employee clicks on the link or opens the attachment, they should be sent to an education site where they receive immediate education on the proper steps they should have taken with these types of emails. You should also collect their names so that, as you continue these tests, you can determine whether an employee or employees continue to fall for the phishing attack and conduct personal education with them.
We all know that education is not foolproof; there will always be one person who will be fooled by the phishing attack and either click on the link or open the attachment. Therefore, we can also take technical steps to mitigate the effects of ransomware. Below is a list of steps that you can take to mitigate the effects of malware.
• Patch your systems
• Keep your anti-malware program current
• Create an alert, if you can, when malware cannot be quarantined
• Back up your data off-site, if possible
• Keep your firewall and spam filters updated
• Monitor threat intelligence and social media
• Create an email anti-spoofing rule
I am not saying that this list is exhaustive, but it can be a good first step toward mitigating malware.
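As an added example (not from the column or the hospital's own tooling), here is one way to express the “email anti-spoofing rule” from the list above as a check a mail gateway or mail-flow script could apply: a message whose From: address claims the organization's own domain but did not pass DMARC, according to the gateway's Authentication-Results header, is flagged for quarantine. The domain, header values and sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Placeholder for your organization's mail domain (assumption, not a real value).
ORG_DOMAIN = "example-hospital.org"


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.

    Format (RFC 8601): "<authserv-id>; spf=pass ...; dkim=pass ...; dmarc=pass ..."
    If several headers exist, later ones override earlier ones.
    """
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in str(header).split(";")[1:]:   # skip the authserv-id
            part = part.strip()
            for method in ("spf", "dkim", "dmarc"):
                if part.startswith(method + "="):
                    verdicts[method] = part[len(method) + 1:].split()[0].lower()
    return verdicts


def is_spoofed_internal(raw_message, org_domain=ORG_DOMAIN):
    """True when From: claims our domain but the message did not pass DMARC.

    Missing or failed DMARC on an internally-addressed From: is exactly the case
    an anti-spoofing rule should quarantine; external senders are left to the
    normal spam filter.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != org_domain.lower():
        return False
    return auth_results(msg).get("dmarc") != "pass"


# Constructed sample: From: claims our domain, but SPF and DMARC failed.
SPOOFED = """From: "IT Help Desk" <helpdesk@example-hospital.org>
To: nurse@example-hospital.org
Subject: Password reset required
Authentication-Results: mx.example-hospital.org; spf=fail smtp.mailfrom=mailer.badexample.net; dkim=none; dmarc=fail (p=reject) header.from=example-hospital.org

Please review the attached notice.
"""

# Constructed sample: genuine internal message that authenticated cleanly.
LEGIT = """From: "IT Help Desk" <helpdesk@example-hospital.org>
To: nurse@example-hospital.org
Subject: Scheduled maintenance
Authentication-Results: mx.example-hospital.org; spf=pass smtp.mailfrom=example-hospital.org; dkim=pass header.d=example-hospital.org; dmarc=pass header.from=example-hospital.org

The EHR will be unavailable Sunday 02:00-04:00.
"""

if __name__ == "__main__":
    print("spoofed:", is_spoofed_internal(SPOOFED))  # True
    print("legit:", is_spoofed_internal(LEGIT))      # False
```

A real transport rule would act on the same condition (internal From: domain plus a non-pass DMARC verdict) and route the message to quarantine or tag it with an external-sender banner.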
Finally, I would either continue to update your information security incident response plan or create one. Having this plan in place prior to any type of incident will allow you to respond more effectively. I would also suggest that you test these plans on at least an annual basis with all of the parties that are part of your plan, e.g., Legal, HR, IT, Compliance, etc., so that they know their roles and responsibilities when an incident occurs. I believe we have all heard the adage, “It’s not a matter of if, it’s a matter of when.” Having this incident response plan ready and available will help you with the when.
While no one tactic will ever prevent a malware attack in your organization, a combination of education, technical steps and a response plan will certainly mitigate the harmful effects of malware.