Use a Zero Trust Security Model

It sounds harsh. Can we trust no one when it comes to internet security?

This is the advice being given now, in the wake of a new cybersecurity advisory issued jointly by the U.S., the U.K., Canada, the Netherlands, and New Zealand. The advisory discusses common initial access tactics used by threat actors to hack into networks to steal data. Healthcare continues to be a prime target of cyber criminals because of the black market value of protected health information (PHI).

Not surprisingly, the access tactics commonly used are not that sophisticated. Basic misconfigurations and poor cyber hygiene often give cyber criminals the leverage they need to exploit their victims. The advisory opens with:

“Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.”

The good news is that there are some easy ways to harden your protections and greatly reduce the risk of exploitation and theft.

Common Weak Security Mistakes

Ten common mistakes below are excerpted from the advisory:

• Multifactor authentication (MFA) is not enforced. MFA, particularly for remote desktop access, can help prevent account takeovers. Do not exclude any user, particularly administrators, from an MFA requirement.
• Incorrectly applied privileges or permissions and errors within access control lists. These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects.
• Software is not up to date. Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. This is one of the most commonly found poor security practices.
• Use of vendor-supplied default configurations or default login usernames and passwords. Many software and hardware products come “out of the box” with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may provide avenues for an attacker to exploit.
• Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access. During recent years, malicious threat actors have been observed targeting remote services, especially after the pandemic caused so many to work from home.
• Strong password policies are not implemented. Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system.
• Cloud services are unprotected. Misconfigured cloud services are common targets for cyber actors.
• Open ports and misconfigured services are exposed to the internet. This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.
• Failure to detect or block phishing attempts. Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails.
• Poor endpoint detection and response. Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against.

Take These Mitigation Steps

The following are excerpts from the advisory. Read the full report for more detail and guidance.

• Control Access – Adopt a zero-trust security model that eliminates implicit trust in any one element, node, or service, and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses; limit the ability of a local administrator account to log in from a remote session; Control who has access to your data and services. Give personnel access only to the data, rights, and systems they need to perform their job, i.e., role-based access is required for example, by the HIPAA Security Rule.
• Implement Credential Hardening – Implement multi-factor authentication and enforce it with all users; change or disable vendor-supplied default usernames and passwords and enforce the use of strong passwords.
• Establish Centralized Log Management – Make sure each application and system generates sufficient log information. Log files play a key role in detecting attacks and dealing with incidents.
• Employ Antivirus Programs – Use anti-malware programs on workstations to prevent spyware, adware, and malware and keep them up to date.
• Employ Detection Tools and Search for Vulnerabilities – use endpoint and detection response tools; use penetration testing to identify misconfigurations and vulnerability scanning to detect and address application vulnerabilities; use cloud service provider tools to detect overshared cloud storage and monitor for abnormal accesses.
• Maintain Rigorous Configuration Management Programs – Operate services exposed on internet-accessible hosts with secure configurations.
• Initiate a Software and Patch Management Program – Implement a patch management procedure to keep software up to date.

Although not listed in the mitigation steps, cybersecurity training for personnel is essential. Hardening systems is critically important, but people are operating email, data entry, data storage and communications, internal and external. People need help understanding cybersecurity techniques, and how to detect and avoid phishing, still one of the most common entry points for cyber thieves.

HIPAA is a Blueprint to Fight Cyber Crime

Each of the mitigation steps listed in the advisory is covered in the Security Rule Checklist of The HIPAA E-Tool^®. If you carefully follow HIPAA, conduct a risk analysis every year, and don’t take shortcuts, you can defend against the most common ways cyber criminals access your data.