Written by HITRUST Independent Security Journalist Sean Martin.

In their recently published report[1] the Anti-Phishing Working Group saw a sharp increase in detected new unique phishing sites from 48,114 sites in October 2015 to 123,555 in March of 2016. While an increase in spamming, phishing and other online fraud is expected around the holiday season, the fact that phishing sites continued to rise in 2016 outside of the holidays is both notable and concerning. In the report, Carl Leonard, Principal Security Analyst at Forcepoint, is quoted as saying “Ransomware authors are more determined and aggressive in 2016. End-users should be aware of the danger and take preventative measures.”

Given that phishing is such a common, well-known vector for cybercrime—and has been widespread for over a decade—why is it that we still see so many victims falling for these attacks? In 2005, we were warned about fraudulent emails and the dangers of clicking on hyperlinks or opening attached documents[2]. Yet, the same techniques are still causing breaches today, in spite of a decade of new security tools designed to defend against them.

In 2016, health organizations have fallen victim to targeted phishing attacks such as ransomware[3] and tax refund fraud[4] that exploit not the computer system, but the person using it, just as the earliest phishing scams did. While the current version of the HITRUST Common Security Framework[5] makes no specific mention of phishing, it does address these attacks—which are located under Control Reference: 02.e Information Security Awareness, Education and Training—calls for “All employees of the organization and contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.” This is good guidance, however, it is left to implementation of the health organization to determine what the appropriate training is and if phishing is something that the information security awareness would cover.

To better prevent phishing attacks from succeeding, it is crucial to understand how the phishers are able to trick the target recipients. As with other types of social engineering attacks[6], the psychology behind it relies on abusing trust, gullibility and a desire to help. When an email looks credible, with an apparent sender that is a known associate, and in a style that seems legitimate, it is easy to be fooled by the pretext of authenticity to the message instead of stopping to verify via a second channel that the request is genuine. While in the routine of our busy day of work, employees at every level within the organization are less likely to think of the risks, and instead rely upon the hope that the technology is saving them from themselves—preventing a harmful email from reaching them in the first place.

Awareness training should highlight procedures to verify identity and authorization for any request for personally identifiable information. Health organizations should make it a part of their culture to treat email as an insecure channel, and that requests for sensitive information not be made via email. Top executives and administrators should set the expectation that the proper procedures to protect private health information are not to be circumvented for any reason. In at least one case, releasing private information without proper authorization led to termination of the employee that caused the breach[7]. Additional compensating controls such as:

• Least privilege user permissions: (Control Reference: 01.a Access Control Policy, 01.b User Registration, 01.c Privilege Management, 01.v Information Access Restriction, and 13.l Minimum Necessary Use)
• Multi-level approvals: (Control Reference: 01.b User Registration)
• Multi-factor authentication for high-risk/high-value transactions: (Control Reference: 01.j User Authentication for External Connections, and 01.q User Identification and Authentication)
• Whitelist software execution: (Control Reference: 01.o Network Routing Control, 09.m Network Controls, and 10.h Control of Operational Software
• Network segregation: (Control Reference: 01.m Segregation in Networks, and 01.o Network Routing Control), and encryption (multiple controls for data-at-rest and in-motion, including Control Reference: 01.v Information Access Restriction, 01.x Mobile Computing and Communications, 01.y Teleworking, 06.d Data Protection and Privacy of Covered Information, 09.o Management of Removable Media, 10.f Policy on the Use of Cryptographic Controls, and 10.g Key Management)

…all help limit the impact that phishing can have if training fails.

As defenders, we face the same challenges that Virgil’s ancient Trojans did: no matter how strong our firewalls, how encrypted our data is, or how hardened our endpoints are, the best defense is our own caution, and the careful judgment that leads us to fear Greeks, even those bearing gifts[8].

1. [1] Phishing Activity Trends Report First Quarter 2016: http://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf
2. [2] Rothke, Ben Computer Security: 20 Things Every Employee Should Know: http://dl.acm.org/citation.cfm?id=1214525
3. [3] Zetter, Kim Why Hospitals Are the Perfect Targets for Ransomware: https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/
4. [4] Washburn, Lindy St. Joseph’s Healthcare System Falls Victim to Phishing Scam: http://www.northjersey.com/news/st-joseph-s-healthcare-system-falls-victim-to-phishing-scam-1.1516381
5. [5] HITRUST Common Security Framework 2015 Version 7.0: https://hitrustalliance.net/hitrust-csf/
6. [6] Allsopp, Wil Unauthorized Access: Physical Penetration Testing For IT Security Teams: http://dl.acm.org/citation.cfm?id=1803922
7. [7] Ragan, Steve Alpha Payroll Fires Employee Victimized by W-2 Phishing Scam: http://www.csoonline.com/article/3064675/security/alpha-payroll-fires-employee-victimized-by-w-2-phishing-scam.html
8. [8] Virgil The Aeneid: http://classics.mit.edu/Virgil/aeneid.html