Cybercrime: A Death in Meatspace

Sorry Mr. Schmidt, we didn't patch our infrastructure and the machine that goes beep that was keeping you alive got hacked. Goodbye.

For a long time, just like there used to be a bright line between inside the firewall and outside the firewall, there was a bright line between things that could impact you in cyberspace and things that could impact you in meatspace.

The traditional view was that cybercrimes could impact systems, particularly financial ones, but that the impact of cybercrime would largely remain confined to cyberspace while in the physical world, meatspace, we would be mostly unaffected.

There was recently a tragic ransomware attack on a hospital in Dusseldorf, Germany. This attack caused outages that forced the local clinic to reroute inbound patients to other facilities. In the case of one unfortunate 78-year-old aneurysm patient, the rerouting to another town 20 miles away resulted in a delay in treatment that ultimately contributed to the patient dying.

There are a number of things to unpack in this tragedy.

One is that healthcare is a vulnerable industry. IT and network services are increasingly key to delivering the best possible medical care. However, the complex interplay between instrument/equipment certification, OS/software versions, and updates can leave hospital and other networked medical gear relatively vulnerable to attack.

Another element to unpack is the tremendous need to patch and update key infrastructure. Sure, you may have some reason why your X-ray or CAT scan gear can’t be updated. In that case, configure your network appropriately to block traffic to (or air gap) equipment like this. However, for remote access and other infrastructure, there is no excuse.

A further aspect to grapple with is how your organization is going to respond to ransomware if infected. What are your backups looking like? How far can you go back? How far would you have to go back? When did you last test your ability to restore? Remember, everyone’s backups tend to run fine, but it is doing the restores that can be tricky.

If you are using this tragedy as a reason to take a look at your network and security posture, a couple of things to consider include:

Lossless Visibility – do you have it? Many organizations are running a security fabric using network packet brokers and other gear to feed their security tools. One important consideration is whether or not your packet brokers are dropping traffic. We have seen some solutions drop traffic, particularly when software-based solutions are hit with heavy traffic. Look for hardware acceleration and an architecture that prevents dropped packets. This video helps break it down: https://www.youtube.com/watch?v=60S0ejirvqk

Ongoing Assessment – are you doing it? It is one thing to do a one-off pen test. Great to do, but only useful as a view into a particular slice of time. There are tools, like Threat Simulator, that provide continual, ongoing assessment. Better yet, when Threat Sim finds a problem, it provides easy-to-follow, easy-to-understand, step-by-step instructions for remediation. We think this is a really cool product – so much so that we did a Dummies Book on the topic: Breach and Attack Simulation for Dummies.

Anyway, stay safe and patch up.

Thanks for reading.
