Cybercriminals are exploiting weakly configured FTP servers to steal data and distribute malware. MedEvolve is just one organization that recently fell victim to this tactic, exposing 205,000 patient records.
The FBI issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers operating in anonymous mode, which allows access without a username or password. Criminals are targeting data stored on servers located within medical and dental facilities to gain access to ePHI and personally identifiable information (PII). These threats pose serious risks to healthcare organizations, including violations of HIPAA regulations. Beyond data theft, cyberattacks can cause serious damage to computer systems and cost millions of dollars, including the loss of intellectual property.
The FBI warning comes after years of escalating threats and attacks on healthcare organizations. Shortly after the FBI warning, 200,000 computers in 150 countries were compromised in the "WannaCry" ransomware attacks. Healthcare was a sector that was particularly hard hit. Britain's National Health Service (NHS) even had to cancel some surgeries and turn away patients because of the attack. More recently, MedEvolve, a practice management software vendor based in Arkansas, misconfigured its FTP server to allow logins without credentials (anonymous authentication) and exposed sensitive patient data. As you can see, no business is too large or too small to be a target of FTP cyberattacks.
“MedEvolve’s leak is not unique to the vendor, as misconfigured databases continue to plague the healthcare sector. Gartner estimates that about 70 to 99% of these cases are caused by internal misconfiguration and stressed the issue could be mitigated by better internal policies of the organization’s IT infrastructure,” says Jessica Davis of Healthcare IT news.
Types of FTP Server Exploits You Should Know About
FTP is one of the oldest and most widely used methods of sharing data and is still common today. However, FTP predates modern security practice: in its basic form it sends usernames, passwords, and file contents in cleartext, and it lacks many of the controls that are necessary in the current threat landscape. Knowing how FTP servers are exploited is the first step to understanding what's necessary to mitigate these issues:
- Anonymous authentication: Gives users access to public areas of your FTP site without a username and password. If the "public" area contains anything sensitive, or allows uploads, anyone on the internet can read it or use the server to stage malware.
- Directory traversal attack: The attacker supplies path components such as ../ to reach files outside the directory the server is meant to expose. It is best known as a web (HTTP) attack, but FTP servers that do not confine users to their assigned root are equally affected. If successful, the attacker can read or overwrite files elsewhere on the system, which in some configurations can be leveraged further, up to running commands on the server.
- Cross-site scripting (XSS): Allows attackers to inject client-side scripts into web pages that outsiders can view. The end user’s browser has no way to know that the script should not be trusted, and therefore, executes the script. Hackers can access cookies and session tokens stored by the browser, and use that information to access
- Dridex-based malware attack: The malware is usually distributed through phishing, and once a system is infected, credentials can be stolen through web injects. Unfortunately, Dridex has made a resurgence in the U.S. in the last few years, with a focus on accessing financial data.
“‘The most noticeable observation in the current [Dridex] web injects is that most of them are accompanied by activating the VNC [virtual network computing] functionality, which enables the fraudsters to remotely connect to their victim during the credentials theft.’ Dridex uses VNC functionality to remotely connect to infected PCs to initiate fraudulent online payments and bank account transactions,” according to cybersecurity firm F5.
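The directory traversal item above is easiest to understand from the server side. The following Python example, added here and not taken from any vendor's FTP implementation, contrasts a naive path resolver with one that refuses any path that escapes the FTP root. The root /srv/ftp and the client requests are constructed for the example; a real server would also resolve symlinks with os.path.realpath before the check, which is omitted so the code runs without touching the filesystem.

```python
import posixpath

# Assumed root of the FTP site (hypothetical path used only for this example).
FTP_ROOT = "/srv/ftp"


def vulnerable_resolve(root: str, requested: str) -> str:
    """Naive resolution: join the client's path to the root and trust it.

    normpath collapses the ".." components, so a request such as
    "../../etc/passwd" resolves to a file outside the FTP root.
    """
    return posixpath.normpath(posixpath.join(root, requested.lstrip("/")))


def safe_resolve(root: str, requested: str) -> str:
    """Resolve the path, then refuse anything that lands outside the root.

    The check compares against root + "/" rather than a bare string prefix,
    so a sibling directory such as /srv/ftp2 is not mistaken for /srv/ftp.
    """
    if "\x00" in requested:
        # A NUL byte can truncate the path inside C-based servers.
        raise PermissionError("NUL byte in path")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"path escapes FTP root: {requested!r}")
    return candidate


def compare(requested: str) -> dict:
    """Return what each resolver does with one client-supplied path."""
    try:
        safe = safe_resolve(FTP_ROOT, requested)
    except PermissionError as exc:
        safe = f"REJECTED ({exc})"
    return {
        "requested": requested,
        "vulnerable": vulnerable_resolve(FTP_ROOT, requested),
        "safe": safe,
    }


if __name__ == "__main__":
    # Constructed client requests: one legitimate, three traversal attempts.
    for req in ["pub/readme.txt", "../../etc/passwd",
                "pub/../../etc/shadow", "../ftp2/private.db"]:
        print(compare(req))
```

Note that the last request, ../ftp2/private.db, is exactly the case a naive prefix check (candidate.startswith(root)) would wrongly accept, since "/srv/ftp2" begins with "/srv/ftp".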
Given the gravity of data security risks, how can healthcare and financial services businesses prevent FTP cyberattacks and similar threats? Let’s look at what you need to know to protect your company.
How Do You Mitigate FTP Server Cyberattacks?
Start with Compliance
If you're in healthcare, you should begin by familiarizing yourself with the controls required to comply with HIPAA regulations, and ensure your environment has at least this minimum level of data security. HIPAA-compliant hosting can be a useful tool to help mitigate threats to ePHI, and can also simplify management of your company's IT infrastructure.
After you've explored and implemented HIPAA compliance solutions, the next step is to implement best practices in information security. The technical safeguards in HIPAA's Security Rule have changed little since the rule was issued in 2003, which means that meeting the minimum standard is unlikely to provide sufficient defense against threats in 2018. For example, HIPAA designates some controls as required and others as addressable, and encryption is one of the addressable controls. "When in doubt, encrypt everything," says Paul Cassarino of Thales, a leading security company, and at OnRamp, we agree that you can never be too careful when it comes to data protection.
Similarly, organizations in financial services must comply with the PCI DSS standard, which states how they should protect their customers' cardholder data. Work with vendors and partners to reach compliance collaboratively, and be sure to choose providers that have validated their PCI DSS compliance so you know your security methods are aligned. Unlike HIPAA, PCI DSS compliance can be formally validated (through a Qualified Security Assessor or a self-assessment questionnaire), so organizations can audit and verify the controls they have in place.
Don’t Underestimate the Importance of Policies and Procedures
You should keep your institutional knowledge current by staying on top of changes to regulations and learning about best practices in information security, so that you can develop a complete risk management strategy. Keep in mind that the human factor is just as important as technology in preventing cyberattacks, and everyone at your company must be aware of policies and procedures, not just the IT staff. Once you've identified and documented the policies that are necessary to prevent FTP attacks, be sure to include them in your mandatory company security training.
Stop File Transfer Protocol Cyberattacks
Research from the University of Michigan found that, in 2015, over one million FTP servers were configured to allow anonymous access. Some of that anonymous access comes from legitimate users and researchers; however, attackers also seek out these servers, either to steal data or to use the compromised systems to stage further attacks. Every organization should review its server settings and disable anonymous access on any system that still allows it. Where an anonymous area is genuinely needed, make it read-only, keep nothing sensitive in it, and require TLS (FTPS or SFTP) for authenticated users so credentials are not sent in cleartext. You can also implement enterprise-level file sharing services if your company is using insecure consumer-grade options.
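Reviewing server settings is more reliable when it is scripted. The following Python example, added here and not part of the original article, audits a vsftpd configuration file for the settings discussed above: anonymous access, anonymous writes, missing chroot confinement, cleartext logins, and disabled transfer logging. The two configuration fragments are constructed for the example; the WEAK_CONF fragment shows the risky settings and HARDENED_CONF the corrected ones. The defaults table reflects the compiled-in defaults documented in vsftpd.conf(5) as assumed here, so a key that is absent from the file is judged by its default.

```python
# Assumed vsftpd defaults for the keys this audit examines (per vsftpd.conf(5)).
# A key that is absent from the file takes its default value.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "local_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "xferlog_enable": "NO",
}

# Constructed example of a risky vsftpd.conf.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
write_enable=YES
local_enable=YES
chroot_local_user=NO
ssl_enable=NO
xferlog_enable=NO
"""

# Constructed example of the corrected configuration.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
xferlog_enable=YES
log_ftp_protocol=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""


def parse_conf(text: str) -> dict:
    """Parse key=value lines; comments and blank lines are ignored.

    Keys are lower-cased and values upper-cased so YES/yes compare equal.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit(text: str) -> list:
    """Return (severity, key, message) findings for a vsftpd.conf text."""
    conf = {**DEFAULTS, **parse_conf(text)}

    def on(key: str) -> bool:
        return conf.get(key) == "YES"

    findings = []
    if on("anonymous_enable"):
        findings.append(("HIGH", "anonymous_enable",
                         "anonymous logins are accepted"))
        if on("anon_upload_enable") or on("anon_mkdir_write_enable"):
            findings.append(("HIGH", "anon_upload_enable",
                             "anonymous users can write; the server can be "
                             "used to stage malware"))
    if on("local_enable") and not on("chroot_local_user"):
        findings.append(("MEDIUM", "chroot_local_user",
                         "local users are not confined to their home "
                         "directories (directory traversal risk)"))
    if not on("ssl_enable"):
        findings.append(("HIGH", "ssl_enable",
                         "credentials and file contents are sent in cleartext"))
    elif not on("force_local_logins_ssl"):
        findings.append(("MEDIUM", "force_local_logins_ssl",
                         "TLS is optional, so clients can still log in "
                         "in cleartext"))
    if not on("xferlog_enable"):
        findings.append(("LOW", "xferlog_enable", "transfers are not logged"))
    return findings


if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("hardened", HARDENED_CONF)]:
        print(f"{name}: {len(audit(conf))} finding(s)")
        for severity, key, message in audit(conf):
            print(f"  [{severity}] {key}: {message}")
```

Run it against a copy of /etc/vsftpd.conf by passing the file's contents to audit(); the same pattern extends to other servers (ProFTPD, Pure-FTPd) by swapping the key names and defaults.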
Use Multiple Levels of Malware Protection
Prevent malicious software and unauthorized access to your network through a layered security approach. We already mentioned the importance of encryption. You'll also want to implement a robust network firewall that can permit or deny traffic based on specific rules you set up; for FTP that means exposing the control port (21) and the passive data port range only to the networks that genuinely need them. OnRamp's next gen Palo Alto firewalls, for instance, offer antivirus protection and alerts for traffic reaching sensitive data. Vulnerability scanning, intrusion detection, and log management can all help prevent and contain FTP attacks, provided the FTP server's own logs are actually collected and reviewed for anonymous logins and repeated login failures.
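To make the log-management point concrete, here is a Python example, added here and not from the original article or any vendor product, that runs simple detection logic over FTP server logs: it flags anonymous logins, transfers performed by anonymous users, repeated login failures from one client, and a successful login that follows a run of failures. The sample log lines are constructed for the example, modelled on vsftpd's native log format (xferlog_std_format=NO); the hosts, users, and paths are invented, and the failure threshold is an assumption to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed log lines modelled on vsftpd's native log format; hosts, users
# and paths are invented for this example.
SAMPLE_LOG = """\
Mon May 14 09:12:01 2018 [pid 1811] CONNECT: Client "203.0.113.5"
Mon May 14 09:12:02 2018 [pid 1810] [anonymous] OK LOGIN: Client "203.0.113.5", anon password "mozilla@example.com"
Mon May 14 09:12:09 2018 [pid 1812] [anonymous] OK DOWNLOAD: Client "203.0.113.5", "/pub/billing_export.csv", 204800 bytes, 1200.00Kbyte/sec
Mon May 14 09:15:10 2018 [pid 1815] [jsmith] FAIL LOGIN: Client "198.51.100.7"
Mon May 14 09:15:11 2018 [pid 1815] [jsmith] FAIL LOGIN: Client "198.51.100.7"
Mon May 14 09:15:12 2018 [pid 1815] [jsmith] FAIL LOGIN: Client "198.51.100.7"
Mon May 14 09:15:13 2018 [pid 1815] [jsmith] FAIL LOGIN: Client "198.51.100.7"
Mon May 14 09:15:15 2018 [pid 1815] [jsmith] OK LOGIN: Client "198.51.100.7"
Mon May 14 09:20:31 2018 [pid 1820] [mlee] OK LOGIN: Client "192.0.2.44"
Mon May 14 09:20:40 2018 [pid 1821] [mlee] OK UPLOAD: Client "192.0.2.44", "/home/mlee/scan.pdf", 51200 bytes, 800.00Kbyte/sec
"""

# One vsftpd event line: timestamp, pid, optional [user], OK/FAIL, event, client IP, trailer.
LOG_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<status>OK|FAIL) (?P<event>[A-Z]+): Client "(?P<ip>[^"]+)"(?P<rest>.*)$'
)
# The transferred path, when the trailer carries one.
PATH_RE = re.compile(r', "(?P<path>[^"]+)"')

ANON_USERS = {"anonymous", "ftp"}   # account names vsftpd treats as anonymous
FAIL_THRESHOLD = 3                  # assumed: failures per client before alerting


def parse_line(line: str):
    """Return the event fields for one log line, or None for lines without
    an OK/FAIL status (for example CONNECT)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    pm = PATH_RE.search(event["rest"] or "")
    event["path"] = pm.group("path") if pm else None
    return event


def detect(lines) -> list:
    """Run the detections over an iterable of log lines and return alerts."""
    alerts = []
    fails = defaultdict(int)   # consecutive FAIL LOGIN count per client IP

    def alert(kind, ev, detail):
        alerts.append({"type": kind, "ts": ev["ts"], "ip": ev["ip"],
                       "user": ev["user"], "detail": detail})

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user = (ev["user"] or "").lower()
        ip = ev["ip"]
        if ev["event"] == "LOGIN":
            if ev["status"] == "FAIL":
                fails[ip] += 1
                if fails[ip] == FAIL_THRESHOLD:   # alert once per run of failures
                    alert("brute_force", ev,
                          f"{FAIL_THRESHOLD} consecutive login failures")
            else:
                if user in ANON_USERS:
                    alert("anonymous_login", ev, "anonymous login accepted")
                if fails[ip] >= FAIL_THRESHOLD:
                    alert("success_after_failures", ev,
                          f"login succeeded after {fails[ip]} failures")
                fails[ip] = 0
        elif ev["status"] == "OK" and user in ANON_USERS:
            alert("anonymous_transfer", ev, f"{ev['event']} {ev['path']}")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']}  {a['type']:<24} {a['ip']:<15} {a['detail']}")
```

In practice the same detections belong in your SIEM or log-management platform rather than a standalone script; the value of the example is the event model (who, from where, what outcome, which path), which is what a correlation rule needs regardless of tooling.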
Don’t Ignore the Warning Signs
It's easy to overlook the constant stream of alerts, patches, and logs that are a part of your daily operations. It requires oversight and constant diligence to truly monitor your network and watch for potential threats. Working with a partner who specializes in cybersecurity can maximize your investment, reduce false positives, and free up time for you to focus on your core business functions. You might also be tempted to save money by not investing in data protection at all. However, losing data, time, money, and customer trust when you are attacked will likely have a much larger impact on your bottom line … and not in a good way.
If you're unsure where to begin when it comes to developing a comprehensive risk management plan that protects against FTP server cyberattacks, we recommend asking about our professional security services and our managed security services, including encryption, vulnerability scanning, log management, and malware protection. We begin with a free 2-hour discovery call to understand your goals and develop a roadmap for improving your security posture. Contact us today to get started.
Additional Resources on This Topic:
FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks
Healthcare Industry Can Go Beyond Compliance to Achieve Better Security
Stop. What You Need to Know About the Worldwide Ransomware Crisis