The first known instance of what we now know as ransomware was seen in 1989. This first attempt was a poorly executed endeavor to extort $189 from the victims, but it was quickly discovered that recovering the files did not require the "tool" offered. The world and concept of ransomware remained relatively quiet for many years until two researchers Adam L. Young and Moti Yung wrote an academic treatise on the subject in 1996. In their paper and research, they demonstrated the fatal flaw in the first ransomware. The issue was using symmetric encryption which meant the encryption key was in the code of the first Trojan, so extraction of the data with the proper key was possible.
IT and InfoSec professionals have been playing catch up with users since the beginning of time (as long as you consider the first computer the beginning of time like I do). This is at least partially caused by an all-encompassing misunderstanding that has been rarely noticed at best and certainly never been remediated.
There is no shortage of professionals and experts talking about security, but if you want to understand security, or even just IT in general, you have to understand human beings. The users and those that administer the systems are all people. If one strives to understand and impact security overall, they must fully understand the human condition.
In the United States, we got lucky, very lucky, that a malware researcher known only as @MalwareTechBlog on Twitter found the “kill switch” domain in the code of the WannaCry ransomware. Had he not found and purchased this domain, effectively neutering the ransomware, I believe that the incident could have been much worse. It was already quite bad around the world with estimates of over 200,000 systems infected including many healthcare providers in the United Kingdom.
Recently, incidents involving the internet of things (IoT) have had no shortage of media coverage. In fact, I would suggest that the IoT has become one of the top buzzwords in IT right now. Large, more mature organizations have started to realize the growing attack surface that IoT is creating for the enterprise they manage, but whether large or small organizations are feeling the pressure to allow IoT on their networks even though in many cases they are not equipped to deal with it effectively. In healthcare, this is particularly troubling as IoT attacks generally cause some form of disruption which can affect both operations and patient safety.
In your midst is a shadowy network of illicit devices poisoning the carefully controlled ecosystem you and your networking operations team have painstakingly built. Years of toiling with management to fund new initiatives, educating users to act securely, managing policies and procedures with careful and diligent precision are at risk of being rendered useless.
The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), published an advisory in the March issue of its “Cybersecurity Newsletter” warning of a well-known attack method known as the man-in-the-middle (MitM) attack. This type of attack is used by attackers to, exactly as it sounds, become a man in the middle of a secure connection. So, while the victim thinks they are connecting to their destination website (e.g. bank, social media, email, etc), the attacker is taking over the connection and can see any data “in the clear” before it is forwarded on to the actual destination.
While researching future blog post topics, I discovered that many people are searching on Google in the hopes of better understanding the benefits of having a penetration test done. This is a great question, and it is especially important to understand the answer even if your organization is not governed by regulatory or compliance requirements to have a penetration test done. There are plenty of reasons to conduct a pen test, or red team assessment, on your organization’s technical environment.
If you are reading this blog post, you have survived 2016. By most accounts, it was a rough year in regards to the state of security in healthcare. Cyber attacks have been no exception to this calculation. We saw the announcements of some of the biggest breaches in history, the continued proliferation of ransomware, and even the recent reports that Russia was meddling in U.S. politics through attacks on IT security.
There are many important aspects to consider in any given penetration test. I have talked at length in other blog posts about many of these considerations. There is one important aspect I have not written much about. It is critically important to determine the amount of foreknowledge that the tester should get. This aspect has a plethora of names but is almost always referred to with the “box” descriptor. In college, I was taught white box, gray box, and black box as the three levels of disclosure related to a penetration test. Many, including CynergisTek, use the term “crystal” in place of “white”. Really, the names are just descriptors – the concept remains the same and that is what’s most crucial.