With targeted malware attacks posing greater threats to health care institutions, the director of CDPH, Dr. Mark Horton, said ensuring the privacy of patient data is a critical component to the medical industry.

“Medical privacy is a fundamental right and a critical component of quality medical care in California. We are very concerned with violations of patient confidentiality and their potential harm to the residents of California.”

While Federal regulations such as HIPAA have prompted health care organizations to take measures to better protect digital patient records, stopping highly targeted cyber attacks continue to be one of the industry’s top challenges.

With cyber criminals focused on stealing valuable patient information, health care organizations need to go beyond meeting a set of guidelines if they are going to successfully stop more sophisticated malware attacks. They have to take a serious look at how they are currently defending their networks and implement endpoint security solutions that can effectively stop these threats.

With many health care institutions still relying on traditional antivirus to protect their enterprises and multi-user workstations from more targeted attacks, it’s simply not enough. Blacklisting solutions have become ineffective in stopping new forms of malware popping up every day. Instead of relying on reactive methods, health care professionals need to consider more proactive approaches such as application whitelisting, which has been proven to protect private networks from attacks specifically intended to access their enterprise.

While stiff penalties for violating Federal regulations provide clear incentives for health care organizations to take steps to meet the required guidelines, they are nothing compared to the potential long-term impact — which include the loss of patient trust and damage to a health care institution’s reputation — should their patients’ information or data ever be compromised.

New exploit resists Windows security

After months of dealing with malfunctioned security updates, Microsoft users once again found themselves vulnerable to a new tactic that bypasses the security protection of most antivirus software, leaving common Windows security software open to more attacks. The recently published technique could exploit the kernel driver hooks that most security software use to reroute Windows system calls through software to check for potential malicious code before it’s able to execute.

And the bugs keep coming for other technology leaders. After McAfee’s faulty security update led to thousands of Windows PC failures in April, Mozilla Firefox Web browser had to immediately deal with a major flaw in its Firefox 3.6.2 release. The security problem, which could potentially allow remote attackers to run commands of their choice, was addressed a week later with the release of Firefox 3.6.3.

Modern hack attacks developing a laser focus

At Symantec’s annual user conference, the company’s leading technologists said there’s been a shift in the intent of cyber-attacks on both business and government entities. Hacking attempts have progressed from being mass attacks looking to wreak havoc and steal as much data as they could, to highly targeted attacks looking for specific data from a specific organization. The challenge is how to increase visibility into all of the network and supporting activities, and at the same time, reduce the time from breach detection to mitigation, with the emphasis being on risk management and mitigation.

A prime example of these targeted attacks occurred when the U.S. Department of Treasury revealed three Web domains associated with the U.S Bureau of Engraving and Printing had been hacked to attack visitors with malicious software. The hackers targeted a handful of known bugs to redirect site visitors to a Web site in the Ukraine, which had been previously associated with similar attacks. Despite knowledge of the attacks, the sites continued to actively serve malicious software until the domains were cleaned up.

National strategy is light on cybersecurity details

Despite President Obama’s declaration to make cybersecurity a top priority last year, the U.S. government has made little progress toward securing our nation’s digital infrastructure from cyber-attacks, criminal cyber-espionage and theft. While the National Security Strategy the White House released last week emphasized the importance of government, industry and international partners working together to establish standards for combating cyber threats, James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, said the plan for defending cyberspace lacks substance.

“It says partnership, people, research, but it could have just as well said faith, hope and charity. [I see] nothing new in this, and no path forward.”

While many are encouraged that the administration has acknowledged the need to pursue new strategies to protect networks from cyber attacks, it’s not enough. The government needs to take a leadership role in laying a roadmap to address cybersecurity, then take action if we are going to make progress toward building a safer digital infrastructure.

DoD mulls protecting key private IT systems

The Pentagon raised the possibility of the Defense Department becoming engaged in safeguarding nationally critical IT systems run by business. Defense Deputy Secretary William Lynn III said the DoD is considering using the Einstein 2 intrusion detection and Einstein 3 intrusion prevention systems developed by the Department of Homeland Security to help secure critical systems such as finance and utility operated by the private sector. By creating a secure architecture that lets private parties opt-in to the protections afforded by active defenses, this could offer an important gateway to ensuring our nation’s critical infrastructure is protected from cyber attacks.

But for now, Homeland Security is hesitant to endorse such a program. In an email message, a DHS official said:

“DHS and DoD are working together to secure our respective portions of government networks, and we are relying on private sector and government technical expertise to address those requirements. We expect that experience will provide valuable lessons on ways in which critical infrastructure can be protected.”

In the meantime, to reduce the time to deploy IT security systems and increase the use of sophisticated technology tools to defend its own systems, Lynn said the DoD must rely on incremental development and testing, and make use of established standards and open modular platforms.

As always, thanks for reading this blog. Please feel free to provide any comments or feedback on these industry-related topics.

1. Users are twice as likely to get infected by a malware ad on a weekend
2. The average lifetime of a malvertisement is 7.3 days
3. 97% of Fortune 500 websites are at a high risk due to their external partners (JavaScript widget providers, packaged software providers etc.)
4. 69% of Fortune 500 companies use external JavaScript to render portions of their sites
5. 64% of Fortune 500 companies are running outdated web applications

This study drives home the point that everybody is exposed. Whether it’s a consumer hitting an ad on a website that’s got malware or an attack targeting the person running the grid, the fact is as long as there’s a human being in the loop malware is going to get deposited.

What I find interesting is that malvertisments targeting consumers take the same payload-type approaches as APTs that are specifically designed to go after the top government or corporate information, but just not in the same highly targeted, sniper-type fashion. But whatever approach is taken, the cornerstone to every one of these types of attacks that deposit some type of targeted malware is the payload.

This brings me to a poll question I’d like to ask you: What’s the most important step to stopping malware payloads? Said differently, if you could only do ONE thing to stop these attacks, which approach would you take? I’d love to get your feedback on it.

While organizations focus on their business growth, they are also forced to contend with cyber criminals targeting their corporate networks to steal valuable information that can make them lots of money. As a result, evolving fraud professionals are truly changing how businesses protect their private data and fight cyber crime.

As more and more of these targeted attacks go undetected by antivirus solutions, by the time a company realizes they’ve been hit, the malware has done its damage, stolen data and the company moves into recovery and crisis management mode.

In the article, “Top 5 strategies for combating modern computer security threats,” it highlights that one of the reasons hackers have had so much success breaking in is because the corporate network perimeter has dissolved; the IT architecture that once protected office-based desktops and servers by a gateway firewall has crumbled. Adding to the problem is the daunting challenge for IT professionals to secure their networks against targeted threats and other exploits — at the web, email and endpoint — while operating with constrained budgets.

While businesses certainly understand they need to do a better job controlling and protecting their endpoints, the next question is how. The article points out some key strategies in doing so:

Strategy 1: Relying solely on traditional blacklist-based solutions to keep up with new malware being released every day is no longer effective.

Strategy 2: Large volumes of rapidly mutating malware require proactive, zero-day protection to protect against threats not seen yet.

Strategy 3: Finely controlling network access reduces the risk of infection and ensures security policies are being complied with by all computers.

Strategy 4: As legitimate but unauthorized applications introduce malware to a corporate network, application whitelisting prevents unauthorized and malicious software from running.

Strategy 5: Controlling and encrypting devices protects the data and ensures no unauthorized person can access it or the rest of their IT infrastructure.

As I mentioned in my previous posting, as cyber crimes evolve, so must our methods to stop them. While traditional antivirus has worked in the past, the game has changed. Organizations need to take a different approach — one that encompasses a variety of techniques including application whitelisting — if they are going to succeed at protecting their networks from modern attacks and malware.

Further evidence of these targeted attacks surfaced last week when three websites belonging to the U.S. Department of the Treasury were hacked and serving malicious software. The malicious code redirected site visitors to a website in Ukraine that launched a variety of Web-based attacks.

In the article, “Modern hack attacks are developing a laser focus,” it highlights that cyber criminals have shifted to more information-centric attacks to obtain data with the highest possible value. The article broke down the four stages of a modern day targeted attack:

Stage 1: Incursion — Today, hackers leverage social engineering techniques to get the malware onto the endpoint. This approach is very targeted, often with a cyber thief using social media such as Facebook to gather information about a prospective target. The attack is designed to lure the victim to trust the email message or attachment with a unique malware-infected payload. Often these attacks and the malware are unique to the specific person and their organization, allowing the thief to find and steal important information that can be monetized, such as intellectual property or payment card data.

Stage 2: Discovery — This phase often uses unique malware that is spawned by the initial entry malware to scan and discover the desired information within the network. The incursion and discovery phases are very discrete. The malware hides inside the network inspecting and searching looking for specific targeted information. Once the hackers find what they want, the data extraction happens very quickly.

Stage 3: Capture and Stage 4: Exfiltration — Once the hacker finds what they are looking for, the data capture and exfiltration stages are fast and noisy. This is typically the first time most organizations realize they’ve been breached. By the time the organization detects the breach, analyzes the situation, develops a solution and takes action, the data is long gone and the damage is already done.

As the article points out, the way most enterprises protect their private data today leaves many openings for hackers to exploit and hide their malware.

1. Compliance — Most organizations have difficulty consistently enforcing the IT policies. Over time, configurations and changes to the same servers and endpoints — combined with patches not being applied in a timely fashion — allows malware to burrow and gather information without being detected by antivirus and traditional security tools.

2. Protecting information — While most organizations know where their critical information is primarily stored, sensitive data is often copied by employees and stored in places that may not be secure. Cyber criminals know this, which is why their malware spends so much time in the discovery stage. In many cases, breach investigation teams learn that data that was compromised was simply a copy of production data stored in unsecure locations.

3. Systems management — Organizations simply don’t know everything that lives on the network. Many times there are unknown systems attached to the network, and if an IT team doesn’t know about them, they can’t manage them. Gaps in patch management are a big contributor in breaches when malware exploits known vulnerabilities that have not been patched in a timely manner.

4. Infrastructure security — While most organizations have security in place, their growing and diverse infrastructure creates a lack of visibility across their entire environment. It becomes impossible to understand what is going on at any point in time.

What this all comes down to is modern day targeted attacks don’t lend themselves to today’s security solutions. Attacks and the malware they utilize are often unique to the targeted organization and will not be prevented by any traditional blacklisting endpoint security solutions such as antivirus. As cyber crime evolves, so should the tactics used to stop them. On Thursday, I’ll explore strategies for combating these modern threats and how organizations can regain control over their sensitive data.