CYBER SECURITY THREAT REPORT
Q1: Moving Forward
Published by UMC IT Security, April 2015

"U.S. computer networks and databases are under daily cyber-attack by nation states, international crime organizations, subnational groups, and individual hackers." - John Brennan

"There are two kinds of people in America today: those who have experienced a foreign cyber-attack and know it, and those who have experienced a foreign cyber-attack and don't know it." - Frank Wolf

Table of Contents
Glossary of Terms
Introduction
National and Global Incidents
Analysis and Conclusions
Glossary of Terms

Malware (MALicious SoftWARE) - Software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. "Malware" is a general term used to refer to a variety of forms of hostile or intrusive software.

Social Engineering - In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

Phishing - A form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Spear Phishing - Phishing that is targeted at a specific person or organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets, or military information.
Introduction

The UMC Health System Information Security team understands the risk of emerging cyber threats. Cyber threats are continually evolving, finding new ways of infecting computers and attacking our networks to gather data. Each and every day cybercriminals target a vast amount of electronic data, from breaches in the retail sector to data leaks at various healthcare organizations.

What are we doing at UMC Health System to help alleviate and prevent some of these serious issues? We are working diligently to ensure that all of our patient and employee data is secure and that all of our systems are up-to-date to match industry standards. We are also working to bring new systems online that will help detect any attempted breaches of our networks. We monitor our networks daily and ensure that we have the latest threat information available.

The weakest link in any cyber security threat is always the end user. Knowledge is power, and we are engaging both our leaders and users to help educate them on the latest threats and provide them with the capability to thwart these attacks both at UMC Health System and at home. We can build a multi-million dollar security system, but if one user opens the door to the cyber threat by clicking malicious links in a phishing email or visiting infected sites, they have let the threat in through the back door.

This report is published every quarter and provided to UMC Health System leadership to give an overview of the real and current threats that exist both nationally, as reported by various cyber security organizations, and within the UMC Health System computing environment.
National and Global Incidents

The following are some of the incidents that happened across the globe.

It was discovered at the end of January that healthcare.gov was leaking private data to some third-party websites.
* https://nakedsecurity.sophos.com/2015/01/23/how-the-obamacare-website-healthcare-gov-leaks-private-data/

Researchers at a security company discovered that the Syrian Opposition Army was hacked through social engineering: young women claiming to be sympathetic to the movement used Skype and PDF documents carrying remote access Trojans (RATs) to spy and steal information.
* http://www.darkreading.com/mobile/syrian-opposition-forces-social-engineered-and-hacked/d/d-id/1318909

The first few days of February is when everybody learned that Anthem (the nation's second largest health insurer) was breached. According to an Anthem statement, the following were impacted: 80 million records, Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. The impacted customers have received two years of paid identity protection services, according to a potentially affected customer.
* http://krebsonsecurity.com/2015/02/data-breach-at-health-insurer-anthem-could-impact-millions

President Obama has launched the Cyberthreat Intel-Sharing Center; its primary purpose will be to analyze and integrate intelligence already collected.
* http://www.darkreading.com/analytics/threat-intelligence/obama-launches-cyberthreat-intel-sharing-center-/d/d-id/1319061

It was reported in the middle of February that 100 targets, mostly banks, were hit, and losses ranged from $2.5 million to $10 million per institution; total losses could be as high as $1 billion. The advanced persistent threat (APT) used is being called Carbanak. It is believed that spear phishing was the initial cause.
* https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
* http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/carbanak_apt_eng.pdf

FREAK is the name given to a recently found bug that affects TLS/SSL. For all the non-nerds out there, TLS/SSL is what gives HTTPS its "S"; you may notice the big padlock in your browser. FREAK gives an individual the ability to listen to and change the information exchanged between you and your destination server. This is known as a man-in-the-middle attack.
* https://nakedsecurity.sophos.com/2015/03/04/the-freak-bug-in-tlsssl-what-you-need-to-know/

At the end of the quarter it was reported that Microsoft will be moving away from Internet Explorer (IE) and will be coming out with a new browser code-named Project Spartan. This seems to be a very slow phase-out, and it is rumored that IE won't be the default browser on Windows 10.
* https://nakedsecurity.sophos.com/2015/03/23/microsofts-project-spartan-browser-will-replace-internet-explorer-but-slowly/
Analysis & Conclusion

Given that cyber incidents are increasing nationally, that analysis shows the medical field as a whole is behind in cyber security compared to other sectors, and that we are increasing our network visibility, we will see a lot more incidents at UMC Health System. We not only believe that the number of threats will increase, but that the attacks will become more sophisticated. Given the growth of the organization and the well-deserved recognition that UMC receives for winning awards like Most Wired, we feel that this could make us a target for some hackers, both foreign and domestic.