
HOW TO PROTECT AGAINST ATTACKS 24 MAY, 2017

Visit us at www.ehr20.com

[email protected] 866-276 8309

© 2017 EHR 2.0. All rights reserved. To purchase reprints of this document, please email [email protected].

Disclaimer

This session has been provided for educational and informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company.

Who we are …

EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.

• Education (Training, Webinar & E-Learning)

• Consulting Services

• Toolkit (Tools, Best Practices & Checklist)

About Craig Petronella

• Top cybersecurity expert and IT authority in Raleigh, NC.

• Author of multiple books, including How HIPAA Can Crush Your Medical Practice and Peace of Mind Computer Support.

• 30+ years advising clients & protecting computer information.

• Makes sure your business network works when you need it the most, and is a celebrity in his field and hometown.

• Frequently quoted on ABC, CBS, NBC, News14, PRNews Wire, and Newsobserver.com for his expertise in protecting local businesses and medical practice owners from hackers halfway around the world in places such as Ukraine, Russia, and China.

• Petronella Technology Group, Inc. is the creator of the only unique and proprietary, multi-layered security that guarantees 100% safety from zero-hour hackers. 100% hacker-proof security or we pay you $1,000. Guaranteed.

WannaCry Update: Consequences

• Worldwide Cyberattack (300k+ orgs.)

• Majority of the impact is on the Windows platform (obsolete versions)

• Ransom as bitcoin wallets ($90k collected)

• Restoring from backup copies is the quickest workaround

• Install updates ASAP

What is Cybersecurity?

Cyber security is critical in today’s economy. As the Digital Age consumes most of today’s transactions, more data becomes vulnerable. And while protection is most commonly viewed as keeping private data secure, cybersecurity also ensures that networks and the data they contain are fully operational and available.

Like all things digital, both sides of cybersecurity are in a constant state of innovation. A constant struggle. The bad guys want in, and we want them out. Cybersecurity involves both physical protection as well as digital. One can just as easily hack into a network as they can walk out the front door with a hard drive if there are inadequate protections in place. The end game for cybersecurity is to protect your data over the course of a transaction and while stored.

Why Should I Care About Cybersecurity?

Consequences

As part of the SMB community, you face further consequences if you fail to protect personal information and your computer.

They include:

• Loss of access to the computing network

• Loss of confidentiality, integrity, and/or availability of information, research and/or personal electronic data

• Lawsuits, loss of public trust and/or business opportunities, prosecution, internal disciplinary action, or termination of employment

Cyber-Safety Threats

Let’s discuss common cyber threats and the problems they cause: viruses, ransomware, hackers, identity thieves.

The Digital War has Begun

The global battle to steal your secrets is turning hackers into arms dealers

July, 2014

Did You Know Your Smartphone Stores Every Keystroke You’ve Ever Typed?

There's an application that can record every keystroke you've ever typed on your smartphone, even an iPhone. It's not a sinister Trojan, or an evil keylogger. It's simply the database that the phone draws on to supply AutoComplete results. You can't dig in and see the keystrokes yourself, but external software (malicious apps) can read back that database and thus read out every text or email you've sent and, more important, every password you've typed.

Rubenking, Neil J. "RSA: Your SmartPhone Stores Every Keystroke You Ever Typed" securitywatch.pcmag.com. February 26, 2013, http://securitywatch.pcmag.com/security-software/308519-rsa-your-smartphone-stores-every-keystroke-you-ever-typed

Hackers are Targeting:

• Banking Industry – Large Dollar Transactions

• Retailers – Large Quantities of Credit Cards

• Corporations – Intellectual Property

• Consumers – Identity Theft

• Government – Secrets & Espionage

• HealthCare – Personal Health Information

• Entertainment Industry – Cyber Revenge

Recent Notable Breaches

The Target Breach

The forensics report revealed that Target was breached because a hacker sent an infected email to Target’s third-party HVAC vendor. The infected email contained a keylogger which stole the vendor’s login credentials.

JP Morgan Chase Breach:

FBI probes hacking incident at J.P. Morgan; attack appears to have been caused by malicious computer code.

People familiar with the investigation said the evidence gathered so far revealed that hackers were able to make a significant foray into J.P. Morgan's computer system. People with knowledge of the probe said it appeared between two and five U.S. financial institutions may have been affected. The names of all targeted banks couldn't be immediately determined. J.P. Morgan and federal cyber investigators are in discussions as they examine the apparent attack on the bank's computer system; forensics revealed that malware was the cause. "Companies of our size unfortunately experience cyberattacks nearly every day," Trish Wexler, a J.P. Morgan spokeswoman, said Wednesday. "We have multiple layers of defense to counteract any threats and constantly monitor fraud levels."

Home Depot Breach:

Forensics revealed that keylogging malware was found on employee computer systems.

Community Health Systems

The APT Group used highly sophisticated malware to attack the company’s computer systems.

Breach Commonalities

Malware (keyloggers) was used to steal credentials and then remotely log in or exfiltrate data.

Regulator Fines are Increasing:

HHS deals out largest-ever $4.8M HIPAA violation settlement.

Parkview Health, OCR agree to $800K data breach settlement.

HHS fines Skagit, Washington $215K in first county HIPAA settlement.

Highly Motivated Hackers

Credit cards go for $0.50 - $1.00

PHI records go for $20.00 to $1500.00

DHS Warning

At the time of discovery and analysis, the malware variant “” had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully computers could not identify the malware as malicious.

July 31, 2014

Our Computers are Under Attack

In the last 12 months, over 600 million viruses were introduced on the Internet.

The best anti-virus software has about 20 million known virus definitions built into its database. 1.1 million viruses are added per day.

It takes an anti-virus company an average of 28-30 days before they can address a known virus it finds.

Explosive Admission!

On May 7th, 2014, Symantec's senior vice president for , Brian Dye, told the Wall Street Journal that “anti-virus is dead".

He is leading Symantec towards a new approach that focuses on spotting hackers within a system and minimizing damage from them instead of trying to keep them out. "We don't think of antivirus as a moneymaker in any way," he told the Journal.

30,000 Web Sites Hacked A Day. How Do You Host Yours?

The majority of these 30,000 sites are legitimate small businesses that are unwittingly distributing malicious code for the cyber criminals. YOU might be one of them.

The hosting provider you choose is much like the neighborhood you choose to live in. A bad neighborhood breeds criminal activity. The homes that don’t have a security system, or just have stickers to deter criminals, are at risk of being a mark. The idea is to have as many security layers in place as possible, so cyber criminals move on to an easier target. Use as many security layers as possible. We utilize over 100 layers of security, where most of our competition use only a handful. Think of layers as a gated community, armed guards with machine guns, vicious guard dogs, several snipers on the roof, a SWAT team guarding your property with Rambo as your general.

Lyne, James. "30,000 Web Sites Hacked A Day. How Do You Host Yours?" forbes.com. September 6, 2013, http://www.forbes.com/sites/jameslyne/2013/09/06/30000-web-sites-hacked-a-day-how-do-you-host-yours/#6bb6893b3a8c

More than 70% of WordPress installations are vulnerable to hacker attacks

70% of WordPress installations are vulnerable to hacker attacks. That’s just the vanilla installations! Every plugin & theme that’s installed is also a potential opportunity for a security breach. YOUR website might be one of them.

Abela, Robert. "Statistics Show Why WordPress is a Popular Hacker Target" wpwhitesecurity.com. December 6, 2014, https://www.wpwhitesecurity.com/wordpress-security-news-updates/statistics-70-percent-wordpress-installations-vulnerable/

You NEED Secure Website Hosting & Backup

Minimum Requirements:

• 57 Layers of Security Protection with weekly scans.

• Block IP addresses of repeated failed login attempts.

• Block certain countries you don’t do business with.

• Automatic website backups stored for at least 3 weeks.

• One-click restore capabilities.

• Website monitoring with heartbeat check at least every 15 mins.

• Auto notification via text and/or email for website status.

• SSL certificate.

If you have an e-commerce website or want to increase conversions and security, consider adding a trust seal to your website. Daily, weekly or quarterly vulnerability scan options are available and ensure PCI compliance.
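One way to implement the "block IP addresses of repeated failed login attempts" requirement above, as an added example that is not the page's or any hosting provider's code: a small Python detector scans web-server log lines for failed POSTs to the WordPress login endpoints, flags any source IP with five or more failures inside a sliding ten-minute window, and renders the result as nginx deny rules. The log format, the IP addresses (documentation ranges) and the thresholds are constructed for this demo.

```python
"""Detect repeated failed logins per source IP and emit block rules.

Added example, not code from the original page. The log format, the IPs
(documentation ranges) and the thresholds are constructed for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, client IP, method, path, HTTP status.
SAMPLE_LOG = """\
2017-05-24T10:00:01Z 203.0.113.7 POST /wp-login.php 401
2017-05-24T10:00:03Z 203.0.113.7 POST /wp-login.php 401
2017-05-24T10:00:04Z 198.51.100.2 GET /index.php 200
2017-05-24T10:00:06Z 203.0.113.7 POST /wp-login.php 401
2017-05-24T10:00:09Z 203.0.113.7 POST /wp-login.php 401
2017-05-24T10:00:12Z 203.0.113.7 POST /wp-login.php 401
2017-05-24T10:01:00Z 198.51.100.2 POST /wp-login.php 401
2017-05-24T10:20:00Z 198.51.100.2 POST /wp-login.php 401
2017-05-24T10:40:00Z 198.51.100.2 POST /wp-login.php 200
"""

LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # WordPress login endpoints
FAILURE_STATUSES = {401, 403}                     # treated as a failed attempt


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, method, path, status)."""
    ts, ip, method, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, path, int(status)


def find_brute_forcers(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was first hit} for every IP that produced
    at least `max_failures` failed login POSTs inside a sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, method, path, status = parse_line(line)
        if method != "POST" or path not in LOGIN_PATHS or status not in FAILURE_STATUSES:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


def nginx_deny_rules(flagged):
    """Render flagged IPs as nginx `deny` directives for an include file."""
    return "\n".join(f"deny {ip};" for ip in sorted(flagged))


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    print(hits)                    # {'203.0.113.7': datetime(2017, 5, 24, 10, 0, 12)}
    print(nginx_deny_rules(hits))  # deny 203.0.113.7;
```

The second IP fails twice but 19 minutes apart, so the window logic leaves a normal user who mistyped a password unblocked.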

More info on secure website hosting can be found at http://petronellahosting.com/

You NEED Backup and Disaster Recovery

• You need a backup system that can capture everything—systems, applications, configuration settings, services, data—so you don’t risk losing irreplaceable data, custom applications, or your operating system. Onsite AND offsite.

• You need to run backups regularly, even while people work (they won’t even notice), and you’ll never risk losing more than a few minutes of data.

• You need to be testing your backup images regularly (at least once per week), to be sure your backups will work when a disaster strikes.

• You need a system that can recover a file or a folder or restore a whole system fast, to the same or different hardware, and avoid downtime and its costs.

• You need a solution that can support migrating to a new machine without losing uptime, and do so regardless of your hardware choice.

Fundamental Rules for a Cybersecurity Strategy

1. You need to prevent the hackers from getting into your network.

2. You need to prevent the hackers from exfiltrating data out of your networks and from your remote users.

3. You need to prevent the hacker from stealing corporate data from your mobile device browsers.

4. You need to prevent the hacker from stealing corporate & consumer data from your mobile applications.

How to Protect Your Information:

1. Protect remote access and online transactions – Out-of-Band: uses two channels to send login credentials and data instead of one.

2. Protect all desktops from data leakage – Keystroke encryption: prevents hackers from stealing your keystrokes by encrypting each keystroke instantly when typed.

3. Protect mobile device browsers – Mobile Device Security: encrypted mobile browser, password vault, two-factor authenticator.

4. Protect mobile applications – Mobile Keystroke Encryption SDK: enables app developers to embed keystroke encryption in mobile applications.

Keylogging Facts

• 69% of All Breaches Contained Malware

• 98% of Malware Breaches used a Keylogger

• AV Software Cannot Stop Zero-Day Viruses

Successful Keylogger Breaches Include:

Programs installed by the malware record keystrokes and take screen shots of the bank’s computers, so that hackers can learn bank procedures. They also enable hackers to control the bank’s computers remotely.

Mobile Devices & Application Vulnerabilities/Limitations

Mobile Device Vulnerabilities & Limitations:

• Download Stores Fail to Detect Malware

• Mobile Keyloggers are Skyrocketing

• Anti-Virus Cannot Scan Mobile Device Kernel

• Forced Operating System “Granted” Permissions

• Data Dictionaries & Keyboard Cache Files

Mobile Application Vulnerabilities & Limitations:

• Mobile Apps Can’t Encrypt Keystrokes

• Mobile Apps are Susceptible to Mobile Keyloggers

• Operating System “Granted” Permissions

• Data Dictionaries & Keyboard Cache Files

Mobile Protection:

• Network Remote Access & Online Transactions

• The Desktops from Data Leakage Due to Keyloggers

• Mobile Devices Browsers from Data Leakage Due to Keyloggers

• Mobile Device Applications from Data Leakage Due to Keyloggers

Proactive Security – Where 95% of Breaches Occur

InfoSec

• Network Access Control to ensure only trusted, known assets connect to corporate networks

• Agentless Zero-hour malware and attack quarantine ~ prevents crypto-malware and ransomware

Auditing and regulatory reporting

• Vulnerability assessments and patch management

• Compliance reporting and auditing

Breach detection and remediation is too late!

Auditing in-depth: Vulnerability Assessment and Patch Management

Questions?

For more information, visit www.petronellacomputer.com

Direct questions to Craig Petronella at [email protected]

We want to hear from you! Send stories about your cyber-safety experience or suggestions for improving this tutorial or security website to Craig Petronella at [email protected].


Thank you!

I’ve covered a TON of information here.

Email me with any questions: [email protected]

To Your Success,

Craig Petronella - CEO Petronella Technology Group, Inc. North Carolina's #1 Most Trusted IT Provider

www.PetronellaComputer.com

Upcoming Events

Small Practice Social Media Lead Generation – From Claiming Your Space To Patient Engagement – 6/13

HIPAA Compliance for Law Firms – 7/12

Visit ehr20.com/events to learn more

FREE OFFER: One-Time Base Line Phishing Test

To Request Your Free Test: Email [email protected]

Learn How Vulnerable Your Business Is To Phishing

16 Cybersecurity Tips for Small Businesses

Businesses must use as many security layers, tools and tactics as possible to protect themselves, their customers, and their data.

Visit www.petronellacomputer.com for a free consultation and resources on cybersecurity awareness for your business.

Here are 16 tips to protect your business:

1. Train ALL employees in security principles with ongoing security awareness training and test them at least monthly.

2. Protect information, computers, and networks. Use Encryption. Run Real-time Anti-virus, Anti-Spam AND Anti-Malware Software. Update as often as possible. Schedule deep scans nightly at a minimum. Disable Flash & Java.

3. Use hardware & software firewalls with as many layers as possible. Update as often as possible.

4. Create a mobile device action plan and always use Encrypted Keyboard Software on ALL Devices: PCs, Mac, Smartphones.

5. Make backup copies of important business data and information as often as possible and frequently check the data to ensure it’s valid.

6. Control physical access to computers and create user accounts for each employee. Be sure to audit/disable old accounts.

7. If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden.

8. If you take Credit Cards, PCI Compliance is Required. Scan Your Site For Vulnerabilities regularly for security holes and new risks. Completing a Self-Assessment Questionnaire (SAQ) is 50% of the PCI requirement.

9. Limit employee access to data and authority to install software.

10. Protect Passwords. Use Two-Factor Authentication everywhere; including, but not limited to Google, , Twitter, etc. Consider using Roboform encrypted password management software.

11. Avoid Spyware/. Spyware and adware slow your computer and cause other problems. Use Spybot, CCleaner, Ad-Aware, and to remove malware, spyware and adware. Carefully read agreements before installing . Know the risks of downloading software from unknown Internet sources.

12. If possible, disable USB ports and input devices on ALL staff computers. Only allow the minimum necessary for the employee to do their job. Avoid allowing employees to bring in foreign, unknown USB sticks, as they may be infected with unknown malware and introduce it into the corporate network.

13. Prevent Identity Theft. Get multi-layered ID Theft for yourself & your entire family; even newborn children! Protect and monitor your identity from every angle, not just your Social Security number, credit cards and bank accounts. Monitor everything connected to you, including your passport, email, phone numbers, driver's license number, medical IDs and more. Get instant updates if any changes occur. Freeze your credit, if possible.

14. Use multi-layered, secure website hosting with regular backups.

15. Never send sensitive info via email. Think of email as a postcard. Scan email for viruses, malware and phishing scams. Use encryption whenever possible.

16. Use secure website hosting for your website. Weekly risk assessments. Daily Full Website Backups. Always use sFTP instead of FTP.

7 Risks of Dropbox to Your Corporate Data

• We live in a world where information equals power. With the influx of online file-sharing solutions, distributing information has become easier than ever. As a result, it is now easier for information to fall into the wrong hands intentionally or unintentionally.

• Enterprise file sync-and-share, Terri McClure, Kristine Kao, TechTarget

• Bring-your-own-device (BYOD) policies and an increasingly mobile workforce are putting new pressures on IT and changing the requirements for how workers want (and need) to access corporate data.

• With over 200 million users, Dropbox has become the predominant leader for mobile file access. Unfortunately, what works for family pictures does not work with corporate files. In most cases, Dropbox’s quick to install, easy-to-use, consumer services present unacceptable security, legal and business risk in a business environment.

*All marketing claims refer to Dropbox Basic version 2.6.30 as of April 18, 2014

7 Risks of Dropbox

1. Data Theft - Most of the problems with Dropbox emanate from a lack of oversight. Business owners are not privy to when an instance of Dropbox is installed, and are unable to control which employee devices can or cannot sync with a corporate PC. Use of Dropbox can open the door to company data being synced (without approval) across personal devices. These personal devices, which accompany employees on public transit, at coffee shops, and with friends, exponentially increase the chance of data being stolen or shared with the wrong parties.

2. Data Loss - Lacking visibility over the movement of files or file versions across end-points, Dropbox can improperly back up (or not back up at all) files that were modified on an employee device. If an end-point is compromised or lost, this lack of visibility can result in the inability to restore the most current version of a file—or any version, for that matter.

Headline: Petya Ransomware overwrites Master Boot Records (MBRs) and leverages Dropbox. Abel, Robert. "UPDATE: Petya ransomware leverages Dropbox and overwrites hard drives" SC Magazine. March 29, 2016, http://www.scmagazine.com/petya-ransomware-overwrites-mbrs-and-leverages-cloud-services/article/485833/

3. Corrupted Data - In a study by CERN, the European Organization for Nuclear Research, silent data corruption was observed in 1 out of every 1500 files. While many businesses trust their cloud solution providers to make sure that stored data maintains its integrity year after year, most consumer file sync services do not implement data integrity assurance systems that guarantee end-to-end integrity of the data and guard against the silent corruption that has been shown to be common in large-scale storage systems.

4. Lawsuits - Dropbox gives carte blanche power to employees over the ability to permanently delete and share files. This can result in the permanent loss of critical business documents as well as the sharing of confidential information that can break privacy agreements in place with clients and third-parties.

7 Risks of Dropbox - Continued

5. Compliance Violations - Many compliance policies require that files be held for a specific duration and only be accessed by certain people; in these cases, it is imperative to employ strict control over how long files are kept and who can access them.

Since Dropbox has loose (or non-existent) file retention and file access controls, businesses that use Dropbox are risking a compliance violation.

6. Loss of Accountability - Without detailed reports and alerts over system-level activity, Dropbox can result in a loss of accountability over changes to user accounts, organizations, passwords, and other entities. If a malicious admin gains access to the system, hundreds of hours of configuration time can be undone if no alerting system is in place to notify other admins of these changes.

7. Loss of file access - Dropbox does not track which users and machines touched a file and at which times. This can be a big problem if you are trying to determine the events leading up to a file creation, modification, or deletion.
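Tip 5 of the 16 tips ("frequently check the data to ensure it's valid") and risk 3 above (silent data corruption in synced or backed-up files) come down to the same check. As an added example that is not the page's, Dropbox's or any vendor's code, this Python script records a SHA-256 manifest of a backup set at backup time and later verifies the copy against it, reporting files whose bytes changed silently and files that went missing. The directory layout and file contents are constructed inside a temporary folder so it runs anywhere.

```python
"""Backup integrity check with a SHA-256 manifest.

Added example, not from the original page. The backup set is constructed in
a temporary directory; the "patients" folder and its contents are made up.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backup images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the copy under root against a manifest taken at backup time."""
    result = {"ok": [], "corrupted": [], "missing": []}
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(root, *rel.split("/"))
        if not os.path.exists(full):
            result["missing"].append(rel)
        elif sha256_file(full) != digest:
            result["corrupted"].append(rel)   # present, but bytes changed silently
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Construct a tiny backup set, record its manifest, then damage the copy."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "patients"))
        files = {
            "patients/p001.txt": b"record one\n",
            "patients/p002.txt": b"record two\n",
            "config.ini": b"[app]\nkey=value\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        # Simulate silent corruption: flip one bit without changing the size.
        victim = os.path.join(root, "patients", "p001.txt")
        with open(victim, "rb") as f:
            data = bytearray(f.read())
        data[0] ^= 0x01
        with open(victim, "wb") as f:
            f.write(bytes(data))
        os.remove(os.path.join(root, "config.ini"))   # simulate a lost file
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

A size-only or timestamp-only comparison would miss the flipped bit; only re-hashing the copy catches it, which is why the weekly restore test in the backup section should hash what it restores.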

Dropbox poses many challenges to businesses that care about control and visibility over company data. Allowing employees to utilize Dropbox can lead to massive data leaks and security breaches.

Many companies have formal policies or discourage employees from using their own accounts. But while blacklisting Dropbox may curtail the security risks in the short term, employees will ultimately find ways to get around company firewalls.

The best way for business to handle this is to deploy a company-approved application that will allow IT to control the data, yet grants employees the access and functionality they feel they need to be productive.