Expert Commentary: Medibank Refuses To Pay Ransom Demand

By ISBuzz Team, Writer, Information Security Buzz | Nov 13, 2022 05:55 am PST

Hackers started leaking health data after Medibank, Australia’s largest health insurer, refused to pay a ransom demand. The REvil ransomware gang began posting stolen records, including customers’ names, birth dates, passport numbers, and information on medical claims. The attack began after the stolen credentials of someone with high-level access to the organization were sold on a Russian-language cybercrime forum.

Brett Galloway
November 14, 2022 2:59 pm

Cybersecurity compliance will evolve to add automated continuous security control validation to an existing list of compliance mandates.

Historically, compliance standards have been focused on getting organizations to build capability in their security programs, with an emphasis on achieving checklist implementation of defensive security controls.

The reality is that enterprises are at war, and they need to test their capabilities in real-world environments, not just on paper. In late 2022 we began to see a shift, with CISA recommending for the first time in September that companies adopt automated continuous testing of security controls, in production, to protect against longstanding threats. The authoring agencies recommend exercising, testing and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework.

This is only the beginning. In 2023, we will see organizations shift from a reactive mindset to a proactive one in order to better prevent and remediate cyberattacks. Security operations teams will do this by turning to tools that leverage automated, continuous real-time testing to help them better manage risk and ensure less impactful security events with greater effectiveness.

The CISO role will evolve from a primarily technical function to include a greater focus on measurable security outcomes and security program effectiveness.

A CISO’s primary responsibility is protecting the business. This must be measured, benchmarked and aligned to the needs of the organization based on the risk profiles of the business. It has nothing to do with technology. It is about looking at each information security function and the level of protection it delivers to the business.

Historically, CISOs were technical individuals who got promoted into management positions. In the year ahead, amid a tighter financial period, we will see the strategic clarity of security’s function within the organization matter more than technology decisions. This will cause CISOs to shift their thinking to measuring security program performance as a result of increased pressure to create real security outcomes that matter to and are understandable by the business.

Ian McShane, Field CTO
November 14, 2022 2:52 pm

Confirmation that Russian-based threat actors are behind the Medibank data breach can be no surprise. As the last few months and years have shown, the cybercrime gangs that are most active and successful are often found to have members based in or with ties to Russia and other nations looking for opportunities to target governments and enterprises in the West.

The fact that Medibank holds information on high-profile customers, including the Australian prime minister, once again shows that the risk of attack and breach remains high despite the tools and solutions enterprises deploy. Sadly, the exposure of personally identifiable information like names, birthdays and email addresses will also expose users to the risk of identity theft, phishing, and other social engineering tactics for a long time to come.

This threat is not going away anytime soon. Today should be another reminder that businesses can no longer avoid taking steps to harden and protect systems that collect and store user information. Rather than being tempted to rely on new shiny technology that workers cannot use effectively, most organizations and IT teams will benefit from working with outside experts to help test and improve the overall security posture of the business.

Jordan Schroeder, Managing CISO
November 14, 2022 2:50 pm

The Medibank breach has taken Australia by storm, so it is not surprising the government is analysing how to handle cyber incidents moving forward, but isolated knee-jerk responses will only make the problem worse.

Banning ransomware payments would be a move to make attacks on Australian organisations less attractive to cybercriminals, but it won’t stop them entirely. Attacks will still occur and in these situations companies would have absolutely no chance of recovery, which will potentially cost more than a ransom demand.

Furthermore, making ransomware payments illegal in one jurisdiction could push the payment of ransomware underground, which will hide these crimes and make coordinated responses with law enforcement difficult, or it could even force companies to use third parties in other jurisdictions to make payments on their behalf, which will not solve the problem.

Consideration must be made for what the criminals would do in response, not just how to punish the victims who are trying to recover from a devastating attack. Countries, cybersecurity experts, ISPs, and cyber insurers need to work on a collective approach to tackle this global and wide-ranging issue.

A better focus for the Australian government just now could be on equipping organisations with better defences against ransomware. This would include raising awareness around cybercrime techniques and introducing legislation on minimum cybersecurity requirements for businesses.

Almog Apirion, CEO & Co-Founder
November 13, 2022 1:57 pm

Stolen credentials have recently been leveraged by attackers to wreak havoc against larger organizations. In this case, the company was faced with the difficult decision of either submitting to the threat actors and paying the ransom or losing the trust of customers by placing their sensitive health data at risk. It is in these types of cases that a layered defense approach becomes paramount.

Among the strategies organizations need to follow to mitigate damage from a breach is building strong identity-based access control. It protects sensitive information by instilling stronger authentication requirements. Coupled with continuous authorization, this strategy makes it significantly more difficult for an attacker to gain access. Considering the number of users and applications within the healthcare industry, cyber-attacks will only continue to evolve. Providers will have to evolve at the same pace and prioritize the need for improved security systems that also provide seamless control.
