What could be the consequences of a social engineering attack?

Written by Enrico Frumento, CEFRIEL

The news recently reported the following attack, which is apparently associated with a ransomware problem at a hospital.

Hollywood hospital’s systems held hostage by hackers

The Hollywood Presbyterian Medical Center, an “acute-care facility” located in Los Angeles, has had its computer systems compromised by hackers. The attackers are asking for 9,000 Bitcoin (approximately $3.6 million) in exchange for giving the hospital access to the systems again. The apparent problem is that part, if not all, of the Hospital Information Service (HIS) was compromised by ransomware.

Despite the apparent novelty of the news, this is not an isolated case because, as also reported here, an email attachment recently caused an infection at a German hospital in Neuss, and patient records were encrypted and not accessible. According to the German RP Online, many more hospitals in that area were infected with ransomware. Apparently six hospitals were infected, although only the one in Neuss announced the fact publicly.

According to the report mentioned above, it is highly likely that these infections were caused by employees who were socially engineered and had not received effective security awareness training.

The ransomware is not actually the problem, but rather a consequence. The real problem is something that happened earlier: the training of the operators was far from effective, and employees were not taught to recognize the threat correctly. As Trojans, ransomware is not able to infect systems automatically, without the intervention of a user (who clicks on a hook). This is just the latest example of a general trend: how an underestimated threat like social engineering can seriously harm or completely stop a business or a service. Healthcare is a perfect example because, for instance, surgeries in the infected hospitals were postponed because of this ransomware infection.

In any case, it is reasonably foreseeable that these are just the early examples, because the next step may be to enable cyber-terrorism scenarios in which attackers are not interested in money or ransoms but rather in disrupting a vital service such as a hospital.

It must be said that hospitals are more vulnerable than other sectors to social engineering for several reasons, as well explained by this blog. However, hospitals, like any other public body, are what could be defined as a "soft target" from the social engineering point of view. For several years, the security solutions of these bodies have been almost totally committed to the technological area (e.g. firewalls, anti-virus, ISO/OSI best practices, intrusion detection systems, etc.), but these latest trends show that this is not enough.

The underlying problem is that public bodies are really complex human organizations, in terms of heterogeneous competences and roles. Raising security awareness uniformly is not an easy task at all, because most professionals do not want to deal with ICT security or are not trained beyond the understanding of computer systems strictly needed in their sector.

This situation facilitates these types of attacks, because ransomware belongs to the ad-hoc type of malware, which is hardly recognizable by current anti-virus systems.

What DOGANA proposes is a method to assess and then mitigate this type of risk. The DOGANA toolset will legally and coherently test employees, simulating modern, twisted social engineering attacks, and will give hints on which awareness methods work better than others.

The whole story with the US hospital ends with a total win for the cyber criminals, which sounds like an invitation to persist with ransomware and social engineering attacks. The Hollywood Presbyterian Medical Center in Los Angeles has decided to pay a ransom of 17.000$ to recover their files.

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618