AIN’T JUST FOR US COUNTRY FOLK ANYMORE!

Q2 - 2016 COMPLIANCE EDUCATION
PARHEZ SATTAR, INFORMATION SECURITY OFFICER
SALLY SHEEHY, COMPLIANCE COORDINATOR
GRANDE RONDE HOSPITAL

CYBER CRIME

Cyber crime refers to any crime that involves a computer and a network. Offenses are primarily committed through the internet.

Common examples of cyber crime include:
• Credit card fraud
• Spam

• Health care information is a high-value target
• Hackers work daily to target information systems

SOCIAL ENGINEERING

Social engineering is the art of manipulating and exploiting human behavior to gain unauthorized access to systems and information for fraudulent or criminal purposes.
• Social engineering attacks are more common, and more often successful, than purely technical attacks against the network.
• Social engineering attacks exploit natural human tendencies such as:
  • Trust
  • Desire to help
  • Desire to avoid conflict
  • Fear
  • Curiosity
  • Ignorance and carelessness

Social engineers will gain information by exploiting the desire of humans to trust and help each other.

• Phishing is a social engineering scam in which intruders seek access to your personal information or passwords by posing as a legitimate business or organization with a plausible reason to request it.
• Phishing messages often carry spyware or other malware designed to give the attacker remote control of your computer or to track your online activities.
• Usually an email (or text message) alerts you to a problem with your account and asks you to click on a link and provide information to correct the situation.

• These emails look real. They often claim to come from someone we “trust” and carry a familiar organization’s logo and trademark. The URL in the email resembles a legitimate web address.
• For example, “https://aaa.securegrh.org”. The address contains the familiar “grh” name, but “securegrh.org” is a different registered domain from the hospital’s own, so the familiar-looking name proves nothing.

PUTTING STAFF TO THE TEST

In December, GRH hired an information security consulting firm to perform a social engineering exercise to identify vulnerabilities in our internal network and environment. A spoofed email that looked like it came from Parhez Sattar, Senior Director IT, was designed to trick employees into signing over their AAA portal usernames and passwords. Eight percent of the target audience fell for the ruse and submitted their credentials through the malicious portal.

(Callout on the email screenshot: notice the altered GRH address in the email link.)

USER BEWARE

Clicking on the link led the deceived users to this fake site, which was designed to appear very similar to our real AAA portal access site. In a few short minutes, 8 percent of the staff targeted handed over the keys to our IT systems.

PHISHING EXAMPLE

Phishing emails are designed to fool us and they appear to be legitimate. Take a look at another real-life example:

If you receive such an email, simply ignore or delete it. If you receive it at work, call IT.

DON’T TAKE THE BAIT!

NEVER provide your password to anyone via email. Be suspicious of any email that:
• Requests personal information.
• Contains spelling and/or grammatical errors.
• Asks you to click on a link.
• Is unexpected or from a company or organization with whom you do not have a relationship.
If you are suspicious of an email:
• Do not open the message.
• Do not open any attachments in the email (don’t even click on them).
• Do not click on any link embedded within the message.
• Make a note of the subject line (who it’s from, when it was received), and then delete the message.
• Notify the IT Helpdesk by dialing or emailing “1410.”

WHAT IS PHARMING?

Pharming is a scam in which hackers plant malicious code, on a victim’s computer or on the name servers it relies on, that redirects Internet users to a bogus website mimicking the appearance of a legitimate one, in order to obtain personal information such as user names, passwords, account numbers, etc.
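One way the redirection in this definition is actually carried out is by planting lines in the victim computer’s hosts file, which the operating system consults before it ever asks DNS: a correctly typed address then lands on the attacker’s server. The following is an added example, not code from the GRH presentation. It parses a hosts file and flags any entry that pins a watched domain to an address outside the machine and outside your own network. The watched domains, the sample hosts file and the 10.0.0.0/8 “trusted” range are constructed for the example; grh.org is assumed to be the hospital’s domain.

```python
# Added example (not part of the GRH presentation): detect hosts-file pharming.
# The local hosts file is consulted before DNS, so a single planted line sends
# a correctly typed address to the attacker's server. Domains and hosts-file
# contents below are constructed for this example.
import ipaddress
import os
from typing import List, Tuple

# Assumed: the organization's and banks' domains you want to protect.
WATCHED_DOMAINS = ["grh.org", "paypal.com", "chase.com"]

# Constructed hosts file. Lines 5-7 are the kind of entries pharming malware plants.
SAMPLE_HOSTS = """\
# local overrides
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.5.20       intranet.grh.org   # legitimate internal override
198.51.100.7    www.paypal.com paypal.com
198.51.100.7    online.chase.com
2001:db8::bad   aaa.grh.org
"""

HostsEntry = Tuple[int, str, str]   # (line number, ip, hostname)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into (line, ip, name) tuples, one per hostname."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # malformed; the OS ignores it too
        for name in fields[1:]:
            entries.append((lineno, fields[0], name.lower()))
    return entries


def is_watched(hostname: str, watched) -> bool:
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_pharming_entries(text: str, watched=WATCHED_DOMAINS,
                          trusted_nets=()) -> List[HostsEntry]:
    """Return hosts entries that pin a watched domain to an address that is
    neither loopback nor inside one of trusted_nets (your own internal ranges)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hits: List[HostsEntry] = []
    for lineno, ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or any(addr in net for net in trusted):
            continue
        hits.append((lineno, ip, name))
    return hits


def system_hosts_path() -> str:
    """Location of the live hosts file on Windows or a Unix-like system."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, r"System32\drivers\etc\hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    for lineno, ip, name in find_pharming_entries(SAMPLE_HOSTS, trusted_nets=["10.0.0.0/8"]):
        print(f"sample line {lineno}: {name} -> {ip}")
    # Same check against this machine's real hosts file.
    with open(system_hosts_path(), encoding="utf-8", errors="replace") as fh:
        live = find_pharming_entries(fh.read(), trusted_nets=["10.0.0.0/8"])
    print("live hosts file:", live or "no watched domains pinned")
```

Run as a script it reports the four planted sample entries and then checks this machine’s real hosts file. A pharming attack carried out at the home router or the ISP’s resolver leaves nothing in this file; that case is caught by comparing what your system resolves against an independent resolver, which needs network access and is not shown here.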

Phishing vs. Pharming…what’s the difference?
• Phishing involves getting a user to enter personal information via a fake website, email, attachment, link or pop-up. The user has to take the bait, usually by clicking a link.
• Pharming involves the hacker “hijacking” name resolution for the intended site, either the DNS (Domain Name System) records or the victim’s own computer, so that users are redirected to an imposter site that looks like the real site even when they type the correct address themselves. Because the address bar can look right, the address check alone will not catch it; an imposter site cannot normally present a valid certificate for the real site’s name, so a browser certificate warning is the signal to watch for.

RANSOMWARE: WHY HOSPITALS ARE WORRIED

Ransomware attacks are the latest in cyber scams on the Internet. Ransomware is a type of malware used by cyber criminals to take over an entity’s computer network by encrypting its data and preventing authorized users from accessing information on the affected network. It is typically delivered via email, and involves a combination of social engineering and technical subterfuge. When a recipient opens the deceptive email message and clicks on the attachment, the ransomware is executed on the computer and can spread to other devices and shared drives reachable from the infected machine. One form of ransomware has hackers sending a message to the victim’s infected device demanding a ransom payment in exchange for a decryption key to unlock the data.

Sidebar: Recently, a hospital that became the victim of a ransomware attack lost access to its clinical and billing systems and suffered other disruptions in its services, such as having to divert emergency patients to other hospitals. Although the hospital contained the threat and declared that no evidence suggested that patient or employee information was accessed, the hospital did pay a $17,000 ransom in the interest of restoring its operations as quickly as possible.

HOW PREPARED ARE WE TO DEFEND OURSELVES?
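The sequence described above (the attachment runs, documents are replaced by ciphertext under a new extension, and a ransom note is dropped beside them) leaves traces that a detection script can look for. The following is an added example, not code from the GRH presentation: it scans a directory tree, flags files whose contents have the near-random byte distribution of ciphertext, skips formats that are high-entropy by design, and picks out ransom-note file names. The sample directory tree, the ransom-note pattern and the list of expected high-entropy formats are constructed assumptions for the example.

```python
# Added example (not part of the GRH presentation): look for the traces the
# slide describes after ransomware runs, namely documents replaced by
# high-entropy ciphertext under a new extension and a ransom note dropped
# beside them. The sample directory tree is constructed inside a temp folder.
import math
import os
import re
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5      # bits per byte; English text is ~4-5, ciphertext/random ~8
SAMPLE_BYTES = 4096          # only the first 4 KiB of each file is examined
# Formats that are high-entropy by design (compressed/encrypted); assumed list, extend as needed.
EXPECTED_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}
# Typical ransom-note file names; an assumed pattern, not an exhaustive indicator list.
RANSOM_NOTE_RE = re.compile(r"(decrypt|restore|recover|how_to|readme).*\.(txt|html|hta)$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Walk root and report encrypted-looking files, ransom notes and the extensions involved."""
    findings = {"encrypted_like": [], "ransom_notes": [], "extensions_seen": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if RANSOM_NOTE_RE.search(name):
                findings["ransom_notes"].append(rel)
                continue
            if ext in EXPECTED_HIGH_ENTROPY:
                continue                     # would otherwise be a false positive
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                findings["encrypted_like"].append(rel)
                findings["extensions_seen"][ext] += 1
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample: ordinary notes, one legitimate PNG, and one folder hit by ransomware."""
    docs, hit = os.path.join(root, "docs"), os.path.join(root, "finance")
    os.makedirs(docs)
    os.makedirs(hit)
    text = ("Patient visit summary. Follow up in two weeks. " * 200).encode()
    for i in range(3):
        with open(os.path.join(docs, f"note{i}.txt"), "wb") as fh:
            fh.write(text)
    with open(os.path.join(docs, "logo.png"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))        # compressed image: high entropy, but expected
    for i in range(4):
        with open(os.path.join(hit, f"invoice{i}.xlsx.locked"), "wb") as fh:
            fh.write(os.urandom(SAMPLE_BYTES))    # random bytes stand in for ciphertext
    with open(os.path.join(hit, "HOW_TO_DECRYPT_FILES.txt"), "w", encoding="utf-8") as fh:
        fh.write("Your files are encrypted. Pay to receive the key.\n")


def demo() -> dict:
    """Build the sample tree in a temp directory, scan it, clean up and return the findings."""
    root = tempfile.mkdtemp(prefix="ransom_scan_")
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['encrypted_like'])} encrypted-looking files, "
          f"{len(r['ransom_notes'])} ransom notes, extensions {dict(r['extensions_seen'])}")
```

A one-off scan like this is a triage tool; in production the same signals are better watched continuously (a canary folder that nothing legitimate should touch, or file-system events showing many renames plus high-entropy writes in seconds), and the entropy threshold needs tuning because archives, images and already-encrypted containers look exactly like ciphertext.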

The following is a real email that was sent to several GRH employees in February. The email appears to be sent from Accounting to inform people about an attached message from the IRS. At first glance, it seems legit, right? Wrong! When an employee opened the attachment, a keylogger (malware designed to record every keystroke the employee made) was downloaded onto the computer. Fortunately, the computer was confiscated right away, before sensitive information such as passwords or other confidential data could be transmitted to the bad guys.

BEST PRACTICES TO SECURE IT ASSETS

The tips in these next few slides can be used to protect your home computer as well as your work computer.
• Criminals can use your personal information to steal your identity and ruin your finances.
• Protecting yourself and your family on the Internet at home is just as important as protecting information systems at work.
• Always use caution about giving out personal information over the Internet. Luckily, companies have begun to employ tactics to fight against scammers, but they cannot fully protect you on their own.
• If you are not sure whether a message is legitimate, don’t click on the links or open the attachments. Only open it if you are expecting the message.

All phishing attacks fit into the same general information flow:
1. A suspicious email is sent to you.
2. You take an action that might compromise your personal information.
3. You are then prompted for personal and confidential information. This can happen by means of a remote website or by a local “web Trojan” or virus.
4. You compromise your personal information.
5. Your confidential information is then forwarded from a “phishing server” to the attacking “phisher.”
6. The phisher uses your private information to impersonate you.
7. The phisher then uses that information to commit identity theft.

BEST PRACTICES TO SECURE IT ASSETS

• Rather than clicking on a link in a message, manually go to the site (IRS, bank, e-commerce, whatever) and log on directly once you are confident that it is the legitimate site.
• All legitimate sites should have an address beginning with https:// if they collect any kind of sensitive information or payments. Check the address: when you get to the page where you're asked to enter personal information, http should have changed to https. The "s" stands for secure. Note that https only tells you the connection to the site named in the address bar is encrypted; it does not tell you that the site is the one you meant to visit, so check the name as well.

Who’s at risk? Anyone who uses the Internet and has online banking, credit card, and shopping accounts is at risk from pharming and phishing attacks.

BEST PRACTICES TO SECURE IT ASSETS

An attacker obscures the actual URL by overlaying a legitimate-looking address or by using a similarly spelled URL. Check the web browser's address bar to make sure the spelling is correct. For example, when you type https://www.paypal.com, you should see that address. The address of a bogus site might have paypal somewhere in it, but it is not paypal.com. Don’t be fooled! Look for the padlock in the browser's address bar (older browsers showed a padlock or key at the bottom of the window or in the task bar). A locked padlock indicates an encrypted connection whose certificate matches the name in the address bar; an unlocked padlock, a broken key or a certificate warning indicates an unsecured or suspicious connection.

MORE GENERAL TIPS TO PROTECT YOURSELF AGAINST CYBER CRIME
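The checks the last three slides ask staff to do by eye (is it https, is the registered domain really ours, is a familiar name merely buried inside a stranger’s domain, does the link text match where the link really goes) can be run mechanically over a message before anyone clicks. The following is an added example, not code from the GRH presentation or any GRH tool. It takes the deck’s own lookalike address, https://aaa.securegrh.org, as one of its inputs; the trusted-domain list (grh.org is assumed to be the hospital’s real domain), the sample HTML message and the tracking-image address are constructed for the example.

```python
# Added example (not part of the GRH presentation): apply the address-bar checks
# from the slides to the links and images inside an HTML email. The trusted
# domains and the sample message are constructed; grh.org is assumed to be the
# hospital's real domain for the purpose of the example.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"grh.org", "paypal.com"}   # assumed allowlist

SAMPLE_EMAIL = """\
<html><body>
<p>Your AAA portal password expires today. Sign in to keep access:</p>
<p><a href="https://aaa.securegrh.org/login">https://aaa.grh.org/login</a></p>
<p>Questions? Visit <a href="http://paypal.com.login-verify.example/">PayPal</a>
or our <a href="https://intranet.grh.org/helpdesk">help desk</a>.</p>
<img src="https://tracker.example.net/open?id=8813" width="1" height="1">
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Fine for .org/.com; a real tool should use
    the public suffix list so that names like bank.co.uk are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the reasons this URL deserves suspicion (empty list = none found)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username:          # https://paypal.com@evil.example/ shows a trusted name first
        reasons.append("userinfo in URL")
    if not host:
        return reasons + ["no hostname"]
    try:
        ipaddress.ip_address(host)
        return reasons + ["raw IP address instead of a name"]
    except ValueError:
        pass
    domain = registrable_domain(host)
    if domain in trusted:
        return reasons
    reasons.append(f"domain {domain} is not on the trusted list")
    for t in sorted(trusted):   # brand name buried inside a different registered domain
        if t.split(".")[0] in host:
            reasons.append(f"looks like {t} but is registered as {domain}")
            break
    return reasons


def hostname_in_text(text: str):
    """Hostname named by visible link text like 'https://aaa.grh.org/login', else None."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    return urlsplit(t if "://" in t else "//" + t).hostname


class _EmailScanner(HTMLParser):
    """Collect (href, visible text) for every <a> and (src, attrs) for every <img>."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_email(html: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Flag suspicious links and remote 1x1 tracking images in an HTML message."""
    scanner = _EmailScanner()
    scanner.feed(html)
    report = {"links": [], "tracking_images": []}
    for href, text in scanner.links:
        reasons = inspect_url(href, trusted)
        shown, real = hostname_in_text(text), (urlsplit(href).hostname or "").lower()
        if shown and shown != real:
            reasons.append(f"link text shows {shown} but goes to {real}")
        if reasons:
            report["links"].append((href, reasons))
    for src, attrs in scanner.images:
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        if src.startswith(("http://", "https://")) and tiny:
            report["tracking_images"].append(src)
    return report


if __name__ == "__main__":
    for href, reasons in inspect_email(SAMPLE_EMAIL)["links"]:
        print(href, "->", "; ".join(reasons))
```

On the sample message the first link is reported three times over (untrusted domain, “grh” buried in securegrh.org, link text naming a different host than the target), the second for using http and burying paypal.com inside another domain, and the help-desk link passes. The tiny remote image is the kind of beacon the spam tips warn about: fetching it tells the sender the address is live. The two-label domain rule is deliberately simple; production code should use the public suffix list.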

Guard against spam:
1) Install spam filtering/blocking software. Anti-spam software examines incoming email to separate spam from legitimate messages. Filtering software can automatically identify spam or offensive emails and prevent those messages from reaching your inbox.
2) Do not respond to suspicious emails. If you suspect an email is spam, do not respond; just delete it. Do not click on or open any attachments. And do not click on any email links asking to be taken off the sender's list. Unsubscribe links are sometimes phony, and your response only confirms that your address is active and read, which can result in even more unwanted messages.
3) Set up a disposable email address. Keep a secondary, disposable email address for public use, such as a free web email account. Use that address when you're registering for web services or signing up for online newsletters.
4) Create an email name that's tough to guess. Some spammers use programs to guess email addresses. Addresses containing numbers, letters and underscores are harder to guess and tend to receive less spam.
5) View emails in plain text. Spam written in HTML (the code used to create web pages) can contain scripts or links that redirect your web browser to an advertising page. Images in emails can be served from the spammer's server, so that merely displaying the message tells the spammer that your address is active; spammers use these images to locate live addresses for future spam. To play it safe, from your email program's main menu, select Preferences and choose to read emails in plain text.
6) Be especially cautious of emails that:
• Come from unrecognized senders, or senders whose email address seems unlikely to be legitimate.
• Ask you to confirm personal or financial information over the Internet and/or make urgent requests for this information.
• Aren’t personalized.
• Try to upset you into acting quickly by threatening you with frightening information.

MORE GENERAL TIPS TO PROTECT YOURSELF AGAINST CYBER CRIME

Communicate personal information only via phone or secure web sites. In fact:
• Beware of phone phishing schemes. Do not divulge personal information over the phone unless you initiated the call. Be equally cautious of emails that ask you to call a phone number to update your account information.
• Never email personal or financial information, even if you are close with the recipient. You never know who may gain access to your email account, or to the account of the person you are emailing.
• Beware of links in emails that ask for personal information, even if the email appears to come from an enterprise you do business with. Phishing web sites often copy the entire look of a legitimate web site, making them appear authentic. To be safe, call the legitimate enterprise first to see if they really sent that email to you. After all, businesses should not request personal information to be sent via email.
Beware of pop-ups:
• Never enter personal information in a pop-up screen.
• Do not click on links in a pop-up screen.
• Do not copy web addresses into your browser from pop-ups.
• Legitimate enterprises should never ask you to submit personal information in pop-up screens, so don’t do it!
Check your online accounts and bank statements regularly to ensure that no unauthorized transactions have been made.

AND FINALLY…

Back up your home computer regularly and protect it with effective, up-to-date virus protection (at work, IT does that for you). Do some research to ensure you are getting the most up-to-date software, and update it all regularly so that new viruses and spyware are blocked. Backups are also your best defense against ransomware: if your files are encrypted, a recent backup that the malware could not reach lets you restore them without paying.

TEST YOUR KNOWLEDGE

1. What is the goal of information security?
a. Ensure that employee passwords contain at least eight characters.
b. Protect the confidentiality, availability, and integrity of information and information systems.
c. Eliminate all threats to information systems.
d. Provide a lock for all file cabinets in the building.

Answer: b.

2. A phishing email:
a. Is a type of social engineering attack.
b. Can appear to be from an organization that you recognize, like Grande Ronde Hospital.
c. Can contain a link to a website that asks you for personal information.
d. All of the above.

Answer: d.

3. Which password is the most secure?
a. Linda12
b. 123Abc
c. B&H17Plu$3428
d. Big_Apple!

Answer: c.

4. A spoofing email is an email made to appear as if it came from somewhere or someone other than the actual source.
a. True
b. False

Answer: a. True.

5. All of the following cyber-attacks are forms of ransomware scams. In this presentation, which ransomware scam did the hackers use to extort the hospital?
a. Hacker’s malware surreptitiously encrypted the victim's data, while the hacker sells anti-ransomware software on legitimate websites.
b. Hackers hijacked the victim’s data; the victim paid a ransom to have the data restored.
c. Hackers duped the victim into believing the victim was in possession of unlicensed software on its computers; the victim paid an electronic fine.

Answer: b.

THANK YOU!