WannaCrypt and what you might wanna do about it in HITRUST and PCI environments
“WannaCrypt (a.k.a. WannaCry) is the name of a malware used in the May 2017 global ransomware attack targeting Microsoft Windows operating systems via known vulnerabilities leaked by The Shadow Brokers.
Through extensive research, it was found that the malware sends an HTTP request to a seemingly random domain name in the early stages of its execution. If the HTTP call fails, the malware encrypts the user’s files, requests ransom, and will spread to other vulnerable machines. If the HTTP call is successful, the malware exits, halting the encryption of files and its own spread.”
So the question remains: what do we do now? It turns out that doing the basics of information security stops a lot of the problems we are seeing dead in their tracks.
Healthcare providers are under more and more scrutiny these days over their level of cyber protection. For healthcare, HIPAA rules the roost, and increasingly so does HITRUST. The distinction between the two is that there is no certification for HIPAA, just a pat on the back, whereas HITRUST is a certification standard with requirements that have to be met. Retailers are in the same spot: PCI (Payment Card Industry) compliance at every merchant level is under fire as well, and a retailer needs it to process, store, or transmit credit card data.
Who is affected
HITRUST and PCI both go hand in hand with this event, because both frameworks require that a major patch upgrade or release to in-scope systems go through formal change control and be re-assessed before the certification stands. Microsoft judged this issue severe enough that it issued a patch for every system from XP up, even though XP support was discontinued by Microsoft on April 8, 2014. Many organizations have a formalized patch management notification and authorization process in place, and for them this is routine. Those who don’t are left guessing whether installing the patch will render their main-line business systems incompatible, and therefore offline, which is a major disruption to business.
When dealing with patch management, there are two risks an organization needs to understand: 1) the risk of applying the patch, and 2) the risk of NOT applying the patch. Organizations can declare not applying critical patches an accepted risk, but that decision usually bites them in the hindquarters down the road, and the bite usually comes from the HITRUST and PCI auditors.
Having a savvy, reasonably robust information security program in place is the best move for everyone. In today’s world the threat of the next virus, worm or “bad actor” is real and growing every day. So is the fact that everyone and their mother believes they can do cyber security. For a company to rest assured that it is making the right decision, choose an information security company that provides the best protection and understands your line of business.
Now onto the basics. Unfortunately, organizations get caught up in the day-to-day routine of what makes them money, because hey, money is great! But don’t lose the ship over a few leaks. Below are some takeaways an organization can act on for the “basics” of information security:
1) Passwords and diapers have one thing in common: they are dirty and need to be changed often, and never shared around.
2) Limit internet access for mission-critical machines. Have someone qualified configure them correctly and, for god’s sake, don’t use your neighbor’s kid (unless that kid is certified, let’s be honest here).
3) Don’t fear the auditor. Auditors are there to ensure that you are playing by the rules.
4) DO NOT let unauthorized devices on your network. More often than not, viruses and other malcode are brought in from home because mommy and daddy let their kids play on the work laptop.
5) Know where the boundaries of your data are. Are you storing information in the cloud or locally? Do you allow ONLY people with a need to know to access the data?
6) Do you have the right amount of cyber insurance? That is, IF there is a breach of critical data, are you covered from a risk perspective?
NOTE: This is by no means a comprehensive list.
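Items 2 and 4 above, cutting internet access for mission-critical machines and keeping unauthorized devices from reaching them, translate into concrete host settings on Windows, the platform WannaCrypt targets. The block below is an example added to this post, not code from the original or from Red Lion: it shows how an administrator would lock down a Windows box against a WannaCrypt-class worm with a default-deny firewall and an explicit outbound allowlist, inbound SMB (TCP 445) permitted only from a management subnet, and SMBv1 turned off, since the leaked exploits the worm used spread over SMBv1. The subnets 10.10.0.0/16 and 10.20.5.0/24 and the patch proxy 10.10.1.5 are hypothetical placeholders, not values from the post.

```powershell
# Host lockdown for a mission-critical Windows machine (added example, not from the original post).
# Run in an elevated PowerShell session on Windows 8 / Server 2012 or later (NetSecurity and SmbShare modules).
# The addresses below are hypothetical placeholders; substitute your own networks.
$InternalNet = "10.10.0.0/16"   # internal application network this machine must talk to
$AdminNet    = "10.20.5.0/24"   # management subnet allowed to reach SMB on this host
$PatchProxy  = "10.10.1.5"      # internal patch/update proxy, the only "internet" this box gets

# 1) Default-deny in both directions on every profile. Outbound default-deny is what stops
#    C2 traffic and worm propagation from this host; the allow rules below punch the minimum holes.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2) Outbound allowlist: the internal application network, plus HTTP/HTTPS to the patch proxy only.
New-NetFirewallRule -DisplayName "Allow outbound to internal network" -Direction Outbound `
    -RemoteAddress $InternalNet -Action Allow
New-NetFirewallRule -DisplayName "Allow outbound to patch proxy" -Direction Outbound `
    -RemoteAddress $PatchProxy -Protocol TCP -RemotePort 80,443 -Action Allow

# 3) Inbound SMB: disable the built-in File and Printer Sharing rules (they allow 445 from anywhere
#    when enabled) and add a single allow scoped to the admin subnet. Everything else stays blocked
#    by the default inbound action, and an unauthorized laptop plugged into the LAN cannot reach 445.
Disable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
New-NetFirewallRule -DisplayName "Allow inbound SMB from admin subnet" -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $AdminNet -Action Allow

# 4) Turn SMBv1 off entirely; the patch closes the hole, but a protocol nobody needs should not be listening.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 5) Verification: the evidence you (and the auditor) want to see afterwards.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName "Allow inbound SMB from admin subnet" | Get-NetFirewallAddressFilter
```

Two caveats worth knowing before running this: Windows Firewall evaluates block rules ahead of allow rules, which is why the SMB section relies on the default inbound action rather than an explicit "block from Any" rule that would also block the admin subnet; and a default-deny outbound policy will break anything else the machine talks to (DNS, AD, monitoring), so inventory those flows and add scoped allow rules for them before enforcing it on a production host.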
At the end of the day, organizations should consult cybersecurity companies to ensure their systems have been afforded a reasonable expectation of operational security. At Red Lion, we are working with healthcare organizations and cyber insurers to ensure our clients are safe from attacks.