SecureWorks - On the Radar Newsletter - 0110
Eight Steps to Help Healthcare Security Managers Protect PHI and PII, and Demonstrate HIPAA Compliance
Recently, SecureWorks’ Counter Threat Unit (CTU) threat intelligence researchers reported that attempted hacker attacks launched against healthcare clients nearly doubled during the last quarter of 2009. Attempted attacks rose from an average of 6,587 per healthcare client per day during the first nine months of 2009 to an average of 13,379 attacks per client per day in the last three months of 2009.
In September 2009, at the same time as CTU threat researchers saw a significant uptick in healthcare attacks, new Health Insurance Portability and Accountability Act (HIPAA) compliance and data breach notification rules went into effect, extending HIPAA privacy, security and breach reporting requirements not only to healthcare providers, insurers and healthcare clearinghouses, but also to business associates such as third-party administrators, claims processors, attorneys, accountants and software providers that handle Personal Health Information (PHI). Enforcement of data breach notification rules is scheduled to go into effect next month, February 17, 2010. Many healthcare affiliates are unprepared for data breaches.
Healthcare organizations and their business associates are very alluring targets for cyber criminals. They store large databases of records -- veritable treasure troves of sensitive data such as Social Security numbers, insurance and financial account data, birth dates, billing addresses and other data that is highly desired by cyber criminals. They also provide a myriad of gateways to PHI, from external networks to Web applications, to connect and share information with patients, employees, insurers and business partners. Such a large attack surface provides many opportunities for cybercriminals to exploit security holes, plant malware and seize sensitive data.
It has been reported that in the last seven years in the U.S., more than 9,666 cases, an average of 1,200 cases a year, required enforcement or corrective action regarding HIPAA privacy and security violations of PHI. In 2009, nearly 80 million records were compromised by just 46 breaches, according to PrivacyRights.org reports.
An October 2009 survey reported that 80 percent of healthcare IT practitioners said their organizations had one or more data breaches that involved the loss of patient health information, and the majority of these survey respondents believed there was inadequate protection of patients’ sensitive or confidential information. Healthcare and product spam continue to account for the majority of all spam worldwide, spawning potential malware attacks. With the move to digitization of health information and adoption of electronic health records, more attempted data theft and breaches are inevitable.
Eight Steps to Effective PHI & PII Protection
Here are eight steps to help healthcare security managers put more substance behind security programs, shield sensitive information with multiple layers of protection against both known and emerging threats, and demonstrate adherence to HIPAA.
- Perform PHI and personally identifiable information (PII) security health checks with regular security risk assessments. Know where all PHI and PII are stored and transmitted so you have a clear view and assessment of your level of security risk at all times. Show due diligence and commitment to compliance standards by comparing controls currently in place with regulatory requirements to identify and close any gaps. Apply risk assessment findings to your security program and processes.
- Recognize and prevent known and emerging cyber threats in real time, before they compromise your network, with Intrusion Detection and Intrusion Prevention Systems (IDS/IPS). Implement an effective IDS/IPS that provides sophisticated analysis and blocking techniques, including signature deployment, anomaly detection, protocol recognition, behavior-based heuristics and human analysis of patterns. Ensure your IDS/IPS monitors your networks and applies continuous signature updates vigilantly, 24x7. Inspect all traffic at the packet level, proactively filtering out malicious packets automatically while legitimate traffic flows uninterrupted. Assess your IDS/IPS deployment strategy to ensure effective threat management across all traffic stream directions, both internal and external.
- Prevent data leakage with a content filtering solution that monitors your network for inbound and outbound PII/PHI information traversing across email and Web gateways.
- Employ vigilant log monitoring that meets and exceeds regulatory and compliance reporting requirements. Identify and respond to improper access to sensitive data and critical assets with log monitoring that collects and analyzes system, device and application audit logs across your infrastructure, in real time, 24x7. Carefully analyze alerts and logs, 24x7, to identify and thwart both insider threats, such as unauthorized use of or access to patient data, and external threats, such as zero-day exploit activity.
- Audit your Web applications and their corresponding back-end databases to identify and remediate flaws that could be exploited by attackers. Conduct comprehensive Web application scanning that finds and audits all Web application functions, including browser and server-side components. Scan your website to identify potentially sensitive HTML content, such as Social Security numbers and credit card data, and protect against attackers and accidental disclosure.
- Deploy and monitor Web application firewalls to protect online applications from SQLi, cross-site scripting, session hijacking and Web 2.0 vulnerabilities. Perform extensive analysis of application traffic and tightly configure Web application firewall policies and rules. Continuously review Web application firewall performance and fine-tune firewalls for optimum protection.
- Protect sensitive data stored on portable and mobile devices from improper disclosure with strong encryption policies and technologies that encrypt electronically transmitted and stored PHI and PII.
- Demonstrate due diligence and ongoing oversight of third-party security and compliance risks with an automated risk management system that performs automatic, rules-based analysis of suppliers, partners, affiliates and service providers that handle PHI and PII. Highlight non-compliant business associates and identify specific issues that need to be resolved.
Learn more about SecureWorks’ HIPAA compliance solutions.
Sophisticated Twist Using Familiar Techniques
As far back as 2004, information security experts identified Chinese digital espionage attacks and prowess in stealing information from U.S. executives and corporate executives as well as human rights groups and think tanks. In the recent alleged Chinese hacker attack involving Google, Chinese cyber thieves appear to be taking advantage of interconnected, porous networks by employing a sophisticated twist on familiar malware techniques.
Experts have noted a new level of sophistication in the recent attack which employed techniques to exploit multiple flaws and vulnerabilities against multiple victims, all in the same attack campaign. In the past, most attacks have relied on a limited set of methods. The level of planning and coordination required to support the diverse methods used in the recent attack has drawn the attention of security researchers.
Typical of attacks security professionals have seen for many years, the recent attacks appear to have used the familiar “spear phishing” technique, targeting recipients with infected email attachments. These emails rely on social engineering: they reference particular research an organization is conducting, cite timely news stories, and use a trusted or authoritative sender address that appears to come from inside the organization.
The email contains a malicious link or an attachment, possibly disguised as a photo or PDF file, which carries a “sleeper program.” When the recipient unsuspectingly opens it, clicks on the malicious link or downloads the attachment, the malicious code takes advantage of known or Zero-Day vulnerabilities depending on the target. In addition, the malware allows the attacker to remotely control the compromised PC, providing access to emails and important documents, and even allowing the attacker to switch on webcams and microphones.
When the recipient’s computer is exploited, the hacker implants a backdoor onto the computer. Many of the common backdoor Trojans used by Chinese hackers include Ghost, Grey Pigeon, Hupigon, Poison Ivy and PcClient. Once on the system, they can rifle through the files to find valuable information. Depending on how secure a corporate network is, these hackers can possibly get access to other sections of your corporate network and back-end servers.
What the Chinese Hackers Are Stealing
What Chinese hackers have been stealing is unconfirmed, but it is claimed that one of the huge drivers of Chinese economic growth during the last several decades has been the forced technology transfer from America to China.
Most of the Chinese-created backdoor trojans utilize custom, desktop, GUI-based command-and-control systems. It is rare to find anything resembling controller command files or bot logs, as sometimes found with Russian or Eastern European botnets that tend to use console-based control code which can be hosted on third-party servers.
Consequently, it takes a lot of expertise and effort to see exactly what the Chinese hackers are doing with their bots once they log in and begin to run commands. There are some accounts in the press, however, about stolen intellectual property from U.S. companies being used by Chinese manufacturers.
Operation Aurora – The Latest in a Series of Chinese Espionage Attacks
Aurora is the latest in a series of Chinese espionage attacks. Previous attacks have been known as "GhostNet" and "Titan Rain." Aurora takes its name directly from the hackers this time: the name was coined after virus analysts found unique strings in some of the malware involved in the attack. These strings are debug symbol file paths in source code that has apparently been custom-written for these attacks. The paths were left behind in the compiled binaries.
It appears that development of Aurora has been in the works for quite some time. Some of the custom modules in the Aurora codebase have compiler timestamps dating back to May 2006. This date is only a year or so after the Titan Rain attacks, which largely used widely-available trojans that were already known to antivirus companies. As a result of using completely original code and then only in highly-targeted attacks, the Aurora code seems to have escaped detection for quite some time.
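The triage described above, pulling embedded debug symbol (PDB) paths and COFF compiler timestamps out of a binary, as an added example that is not from the original article. The PE blob, GUID, path and timestamp are all constructed placeholders, not strings or dates from any Aurora sample; the timestamp is merely set in May 2006 to mirror the observation above.

```python
import struct
import datetime

def build_sample_pe(timestamp, pdb_path):
    """Construct a minimal PE-shaped blob for the demo (not a runnable binary):
    MZ header with e_lfanew, 'PE\\0\\0' plus a COFF header carrying TimeDateStamp,
    then an RSDS CodeView record: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path."""
    mz = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)      # e_lfanew lives at offset 0x3c
    mz = mz.ljust(0x80, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    cv = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\x00"
    return mz + b"PE\x00\x00" + coff + b"\x00" * 64 + cv + b"\x00" * 16

def coff_timestamp(data):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if the headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(data) < e_lfanew + 24:
        return None
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]   # Machine(2) + NumberOfSections(2) precede it
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)

def pdb_paths(data):
    """Scan the raw bytes for RSDS CodeView records and return the PDB paths they embed."""
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4            # skip signature, GUID and age
        end = data.find(b"\x00", start)
        if end > start:
            try:
                paths.append(data[start:end].decode("ascii"))
            except UnicodeDecodeError:
                pass                        # not a real CodeView record
        pos = data.find(b"RSDS", pos + 4)
    return paths

# Constructed sample: placeholder path and a May 2006 timestamp, both invented for the demo.
SAMPLE = build_sample_pe(1148428800, "c:\\placeholder\\build\\module.pdb")
```

Run against a real sample, the path and timestamp give two cheap pivots for clustering related binaries; note that a compiler timestamp is attacker-controlled and can be forged, so treat it as a hint rather than proof.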
Learn more about the code behind the latest Chinese attacks.
Featured Gartner Research:
Predicts 2010: Infrastructure Protection Is Still Not 'One Size Fits All'
Every year, Gartner's analysts offer their predictions on what they see as the key issues facing the market spaces they cover. The infrastructure protection research community's predictions for 2010 and beyond address key trends in the changing threat and vulnerability environment, Gartner clients' evolving requirements, and technology providers' responses to those changes. Among the trends we [Gartner] have identified in this research document are significant changes in delivery models — including much greater availability and acceptance of cloud-computing-based security — that present customers with both greater choice and more complexity.
In the critical area of infrastructure protection — which Gartner refers to colloquially as "keeping the bad guys out" — we [Gartner] have identified three important trends and clarified and refined our thinking about how those trends will develop in the coming years, how technology product and service providers will respond, and what actions enterprises should take to deal with them. Security professionals and other infrastructure protection stakeholders should use Gartner's predictions in making planning and investment decisions, recognizing that few enterprisewide or "one size fits all" offerings have yet to take hold in the market.
SecurePoll
How likely are you to move sensitive applications to a cloud computing environment?
