HOW NOT TO MANAGE ENTERPRISE CYBERSECURITY

by Leif Swedlow 

A Critique of the Hollywood Presbyterian Ransomware Attack

I freely admit that in addition to being a lawyer, I am a computer geek, and have been for many years.   

Many months ago I "LOL'd" when I read that local police departments had been targeted by hackers and infected with a nasty new form of malware that encrypts data on the infected system's local and networked file storage, then seeks to extort a ransom - typically through carefully anonymous methods such as bitcoin transfers - for access to the cryptographic key that can "unlock" the hijacked data.  Though the ransoms were small, usually worth only a few hundred dollars, these small-town police departments that seemed to be getting targeted by this "ransomware" had become news stories both locally and in I.T. security circles, especially due to the irony that the police themselves had let cyber-criminals win.

Massachusetts police department pays $500 CryptoLocker ransom 

I inferred that these relatively small law enforcement offices had been left underfunded in the area of data security and I.T. resilience, or what some call "information assurance", but I also worried that their vulnerability and inability to respond could be due to being (a) oblivious to the threat that hackers pose, (b) unaware of the steps a likely target can take to protect itself, (c) lax about the importance of data integrity and disaster planning, or (d) all of the above.  The fact that one police department's backup was also crypto-locked suggested to me that they had not been using an appropriate backup media rotation system.  If they had, they should have been able to restore "clean" data from before the intrusion, whether that needed to be a few hours, a day, or two, three or more days back.  It also suggested that the backup system they had used was not itself a hacking-resistant, encrypted method. 

I presumed that these stories would remain limited to relatively "easy" targets such as small, under-resourced agencies with only minimal I.T. expertise.  Surely, I thought, ransomware crypto-attacks would be unlikely to succeed in larger, more robust enterprise computing environments.  Oh, was I wrong!

In mid-February I read with dismay a number of articles about a cybersecurity breach, in the form of a ransomware attack, had hit a California hospital.

Patients diverted to other hospitals after ransomware locks down key software 

I presumed that the professional I.T. employees and managers employed by this sophisticated, modern hospital, required to comply with a host of data privacy laws (e.g., HIPAA), and managing an environment full of highly networked medical imaging, recordkeeping and billing systems, would aggressively tackle the hospital's cybersecurity issue in a matter of hours and announce the full restoration of its "hijacked" data within about a day.  Oh, was I wrong again!

As hours turned into days, I presumed that if the hospital's I.T. department had failed to efficiently isolate the infected computer(s) and quickly re-mount important medical and business data from timely, secure, incremental backups, surely the hospital's leadership would be rapidly assisted by crack law enforcement cybercrime specialists.  Oh, was I wrong again!

Article: Just Pay the Ransom 

As days turned into weeks I was confident that the Hospital's executive leadership would find SOMEONE with the I.T. skills needed to isolate the carrier of the malicious software, quarantine it, and infuse the network and its various computers with restorative data from healthy backups.  Wrong again.

Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating   

As the tweeters say, O.M.G.

I know firsthand that the threat of ransomware is real for virtually any government agency, commercial network, or small business, because I was on the "cyberwarfare" front line the day, not long ago, when Andrews Davis became a target of a ransomware attack.  I say "target" and not "victim" for a reason: we did not pay, and we lost no data. 

No set of security measures can be assumed to be perfect.  Even though my firm uses state-of-the-art anti-spam, firewalls, virus detection and anti-malware, hackers are constant innovators.  The cyberattack at Andrews Davis arrived in much the same way it arrived at Hollywood Presbyterian: through an apparently personally relevant but actually spam email sent to a particular employee, who inadvertently opened this email's attachment without realizing it secretly contained a recently launched new version of the cryptolocker malware.  Hackers and computer geeks call this "spear phishing".  Once the malicious payload had been delivered, it started hunting for vulnerable files.  However, the design of our network itself prevented our most sensitive data from being compromised, because it is stored in encrypted data "silos" that cannot be accessed at all except by authorized users through the software specific to the use of that data. The cryptolocking ransomware could not even SEE our firm's primary document storehouse, billing files, HR or payroll data, etc.  Only archived copies of public court filings and other non-confidential documents were affected, but as soon as the first user reported that dozens (in fact, by the time of detection, it was thousands) of .pdf copies of public court filings were suddenly un-readable and apparently corrupted, the firm's intrusion response and disaster recovery process began.  The infected computer was identified and removed from the network and the infected, cryptolocked files were wiped and restored from off-site, secure backup images made less than 12 hours before the first moment of intrusion.  We were fully operational again with literally no data loss or productivity impact before the sun rose the next morning.

I credit my firm's ability to beat the cybercriminals "singlehandedly" to lessons we learned from our Meritas affiliate firms in Louisiana and Mississippi.  In the aftermath of Hurricane Katrina, those firms who had planned ahead for major natural disasters were able to get back to business quickly.  Similarly, getting "hacked" should not become a disaster.  The lesson learned from the Hollywood Presbyterian ransomware hack is that any enterprise that fails to be proactive and ready for cyberintrusions will eventually become a data security disaster.

For further reading on overall trends and figures about ransomware:

Ransomware: A Victim's Perspective

For more information on cybersecurity, please contact Leif Swedlow at 272-9241 or leswedlow@andrewsdavis.com.


Download Blog in PDF Format


No comments (Add your own)

Add a New Comment


code
 

Comment Guidelines: No HTML is allowed. Off-topic or inappropriate comments will be edited or deleted. Thanks.