Case Study – Make Your Practice Unattractive to Cyber Attackers

Nearly every day in the news, we hear about more attacks on medical practices and businesses. This is an ever-increasing trend that shows no sign of stopping. There is money to be made from stolen data or networks held to ransom. Small practices and businesses often don’t have the resources to properly protect their networks from the onslaught of attacks. Ransomware, one of the biggest threats, saw an increase of 195% in the first quarter of 2019, according to a report by Malwarebytes. The key to preventing this is to make your practice unattractive to cyber attackers.

Small practices and businesses often think that their size will protect them from attacks. After all, who wants to go after a small target. The answer may surprise you. According to a study by Inc. Magazine, 50% of all attacks target the small business sector. The reason is that small targets are usually easy targets and attackers know they can make easy money.

This week’s case study is a bit different. Our previous case studies were of what not to do. But this week’s will be an example of how good defense kept out a determined attacker. You will learn ways to make your practice unattractive to cyber attackers based on what has worked for others.

What happened?

Recently a small practice that my company manages the IT and security for, came under attack. The first indication was an enormous amount of phishing emails that were sent to nearly every address that the practice uses. From there, the firewall logs showed an increase in daily intrusion attempts and scanning of open ports. In addition, there were brute force attacks on the practice’s website and web email accounts. Finally, the attacker resorted to emailing malware to the employees. The attacks were relentless for a period of about two weeks.

Breakdown

The staff reporting a series of suspicious emails to their practice manager. The staff underwent phishing training within the last 3 months and was somewhat familiar with what to look for. The emails were pretending to be from UPS and while the office did receive packages from UPS, staff members should not have been receiving them. Other staff noticed that the from email address that the phishing attempts used were not from the UPS domain. The practice manager reported the emails to us and we began to track the source.

The firewall alerted us to an increase in attacks and they were focused on the RDP port of TCP 3389. This means that the attacker was trying to gain remote access to the network via Windows Terminal Services. This is a very common method of attacking a network. Most practices don’t use a VPN to protect remote workers and simply allow the traffic in. The attacks came from many different sources all around the world. But since they were all around the same time, it can be deduced to me from the same attacker. The firewall blocked all of these attacks and after a certain number, banned the source from connecting to it at all.

The website also started to receive a great number of failed login attempts from around the world. Someone was trying to break into the website’s admin account. In the end, there were over 10,000 attempts to break into the admin account. Each one was blocked and the source address blacklisted. The site also uses two-factor authentication so even if the password had been broken, the attacker would not have gained access. After 7 days, the attacks stopped.

And the attacker tries one more thing…

The final attack came when the employees were flooded with emails containing malware. This is a form of phishing but different than the UPS phishing emails sent earlier. These pretended to be from the IRS claiming that the employee had filed an incorrect tax return and that the IRS was going to debit $4,345.23 from their bank account. The email had an attachment that purported to be the incorrect return. However, it was a trojan that would have given access to the network remotely to the attacker. The practice’s anti-malware software caught and quarantined each email and the employees never saw them.

What was the result?

After going through all of the logs and other information, we were able to determine the attacker was in Pakistan. Beyond that, locating an exact place would be impossible. The attacker tried to breach the practice with the easiest techniques available to them. Each of the attacks was automated and required the least effort to perform. With tools publicly available, anyone could perform these same attacks.

The attacker started with the easiest which is sending a phishing email. Phishing is the single greatest threat to small practices and businesses. It is easy to set up and send out. It also has a high rate of success as phishing relies on human emotions to be effective.

From there, the attacker proceeded to try and break through the firewall. This is also trivial to do with the right tools. The scans were focused on a single vulnerability that the attacker thought would be an easy win. For a practice without a firewall, it might have been successful. In this case, the firewall acted and defended the practice.

Unprepared website attack

The website wasn’t spared and this attack was also completely automated. In the attack, we could see that the attacker was focused on the admin account for the site. That account had been renamed and all attempts to access the admin account were automatically blocked. This showed a lack of sophistication on the part of the attacker as they didn’t bother to try and find valid usernames to attack.

The final part of the attack resorted to simple malware attached to phishing emails. These can be created and managed from software that completely automates the process. In our investigation, we found that the attacker was sending email to thousands of addresses at the site. This meant the attacker hadn’t bothered to locate valid addresses for the practice. This type of attack is noisy as it creates a lot of entries in the log files. It is easy to spot and shows laziness on the part of the attacker.

How to make your practice unattractive to cyber attackers

Police officers will advise citizens that two things can make a big difference in deterring crimes such as muggings. The first is to be aware of your surrounds so that the bad guys can see that you see them. Muggers want to surprise you and if you are paying attention, they can’t do that. The second is to act with confidence as you walk. This sends a signal to the mugger that you are not going to be an easy target. That will likely cause them to look for another easier target.

That is the main point. Make yourself harder to attack and the attacker will likely move on to someone less prepared.

Your network is no different. The type of cyber attacker that is targeting you is not a world-class hacker working for Chinese Intelligence. They are usually what are known as script kiddies. They use tools built by someone else looking for the easiest possible targets to break into. Sometimes it’s just to test skills but usually its about money. If they can steal your data, they can sell it on the Dark Web. Ransomware is also an easy way for them to make money from you. Small practices need their data and if they have no other way to restore it, will likely pay the ransom. Easy money for a low amount of risk.

Step 1 – Dependable Backup System

The first step is to make sure you have a solid backup strategy. Ideally, you want to follow the 3-2-1 approach to backing up data. This involves having (3) copies of your data on (2) different types of storage and (1) being completely offsite.

Here is an example of how that would work:

Original data is on your server – first copy of your data

You also would use a USB drive plugged into your server that contains a series of backups, perhaps 5 days of your data. This is the second copy of your data on a separate type of storage.

A final backup would either be a second USB drive that is rotated offsite periodically or a cloud-based backup service. Either way, it needs to be physically removed from your office and offsite.

This is a simplistic backup system that can be tailored for your specific needs. Your data set may be too large to send to the cloud and you prefer multiple USB external drives. This is also a good way to handle your offsite backup. But make sure the drives are encrypted. If they are not and the drive is lost or stolen, you have a HIPAA situation.

One other thing to consider for cloud backup services. Not all services work the same way. If you had several hundred gigabytes of data stored in the cloud, depending on your internet connection, this could take a very long time to download and restore. The lower-cost companies don’t provide a way to help you get your data faster in the event of an emergency. However, some companies will offer to ship you a hard drive overnight with all of your data so that you can restore much more quickly. These services cost more but when the emergency strikes, it is well worth it.

One final note on backups. Be sure to test your backups. Many people set up a backup system and then let it run. They assume it is working as it should. But when they need it, they find that it hasn’t backed up properly in a long time. This gives a false sense of security. Test your backups periodically so that you can be certain they are working as you expect.

Step 2 – Network firewall

The routers provided by your internet providers are not firewalls. Even if your vendor tells you they are, they are not. They will not offer you any level of protection and many have been breached. Recently, devices used by AT&T Uverse were able to be breached giving attackers full access to the customer’s network.

In addition, the consumer-grade routers that are usually purchased at Best Buy or from Amazon also offer no protection. These devices, even when marketed as a firewall, often have numerous vulnerabilities. Manufacturers of these devices often do not release updates to address these issues. These leaves the devices unpatched and very vulnerable. A recent study found that, on average, these devices had 172 vulnerabilities PER DEVICE.

To protect your practice, purchase and install a true business-grade firewall. This will protect your internet connection from outside attacks. Firewalls also monitor your outgoing traffic as well. This can alert you if large amounts of data are leaving your network such as data theft.

Examples of good firewalls can be found from vendors such as Cisco, Sonicwall, and pfSense.

Step 3 – Anti-malware software

In the past, this was referred to as anti-virus software. The types of threats have changed so the defensive software has changed too. Anti-malware software will protect you against the newest malware threat types such as ransomware, keyloggers, and rootkits. Be sure to purchase the full version of this software and don’t rely on free versions. Free versions often lack the ability to do real-time scanning. This is where the software actively watches for signs of malware in the background. Free versions are usually only able to perform a manual scan. This will only tell you that you are already infected.

Examples of good vendors to purchase anti-malware software from would be: Malwarebytes, ESET, and Webroot.

Step 4 – Strong passwords

Passwords are the most commonly used form of security. We use them every day to log into our computers, phones, and websites. But most people use very weak passwords. These passwords present no challenge to hackers and can be broken very quickly. You must use strong passwords on all of your computers, websites, and apps.

Strong passwords use a combination of upper and lower letters, numbers, special characters, and should be longer than 12 characters. Finally, whatever password you choose shouldn’t be a common word or something found in a dictionary. Hackers have compiled huge databases of common passwords that users have chosen. Just because you think its clever doesn’t mean it is. Make the password as random as possible. You can read a complete guide on strong passwords here.

Step 5 – Training for your staff

Your staff is often the weakest link in your security. If someone were to fall prey to a phishing email and allowed an attacker into your network, then many of your defenses are already breached. This is why it is very important to provide training for your staff. Topics such as phishing, password security, and good internet surfing habits are very good places to start. Google offers free phishing training that can be taken here.

There are many online services that offer security awareness training for office staff. Many are very affordable or even free. Make training a priority and follow it up a few times throughout the year.

Following these steps will make your network look like too much work for an attacker. Your goal should be to convince them to look elsewhere instead of trying to break into your network. These 5 steps will do that for you.