Is Zeus still a threat?


There have been dozens of arrests in connection with a Zeus Botnet believed to be involved in the theft of over $200 million, in some reports.

These arrests and the possible dismantling of a cybercrime network are encouraging and should be counted as a win. And they are.  However, the Zeus threat has not been erased.  A Zeus development kit is sold on underground forums with a graphical, user-friendly interface which reduces the technical “know-how” required to create a new Zeus Trojan.

Zeus, and variants of it, will likely be around for a while.  What risks, if any, does malware present to a medical facility and from where?  Here are a couple of areas that are sometimes overlooked when reviewing malware mitigation.

VPN Users. When users connect through a VPN, they become part of that network and they have access to its resources…and so does their malware. A hospital should examine the policies, procedures and controls put in place to govern VPN user access. For example, the VPN procedures should stipulate the minimum requirements a home PC / laptop must meet before access is granted. At a minimum, this should include AV with current definitions. In addition to written procedures, technical safeguards can be put in place to limit exposure, such as the use of a NAC to quarantine, scan and approve the system before it is granted access to network resources.
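The quarantine / scan / approve decision a NAC makes for a remote VPN host, as an added illustration that is not part of the original post; the posture fields, the three-day definition-age limit and the sample reports are assumptions, not any particular NAC product's format.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Optional


class Decision(Enum):
    APPROVE = "approve"        # full access to internal resources
    QUARANTINE = "quarantine"  # remediation VLAN only (AV updates, scanner)
    DENY = "deny"              # no usable posture report from the endpoint


@dataclass
class Posture:
    """Hypothetical posture report a NAC agent sends at VPN connect time."""
    hostname: str
    av_installed: bool
    av_definitions_date: Optional[date]   # None if AV present but never updated
    scan_clean: Optional[bool]            # None = on-demand scan not finished yet


def evaluate(posture: Optional[Posture], today: date,
             max_definition_age_days: int = 3) -> Decision:
    """Apply the minimum requirements before the host reaches the network."""
    if posture is None:
        return Decision.DENY                      # agent missing or tampered with
    if not posture.av_installed or posture.av_definitions_date is None:
        return Decision.QUARANTINE                # no AV, or AV never updated
    if today - posture.av_definitions_date > timedelta(days=max_definition_age_days):
        return Decision.QUARANTINE                # definitions stale: update first
    if posture.scan_clean is None:
        return Decision.QUARANTINE                # definitions current, scan pending
    if not posture.scan_clean:
        return Decision.QUARANTINE                # scan found malware: remediate
    return Decision.APPROVE


def demo(today: date = date(2010, 10, 5)) -> Dict[str, str]:
    """Constructed sample reports; returns hostname -> decision for each."""
    reports = [
        Posture("laptop-ok", True, date(2010, 10, 4), True),     # current and clean
        Posture("home-pc-stale", True, date(2010, 9, 1), True),  # month-old definitions
        Posture("home-pc-noav", False, None, None),              # no AV at all
        Posture("laptop-infected", True, date(2010, 10, 5), False),
        Posture("laptop-pending", True, date(2010, 10, 5), None),
    ]
    results = {p.hostname: evaluate(p, today).value for p in reports}
    results["no-agent"] = evaluate(None, today).value
    return results


if __name__ == "__main__":
    for host, decision in demo().items():
        print(f"{host:18} -> {decision}")
```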

Vendor Owned Equipment. With strict guidelines placed on medical equipment in departments like Radiology and Pharmacy, it’s difficult, if not impossible, to keep these systems updated with AV and security patches. At times, changes to the systems must follow the change control procedures of an outside vendor or even the FDA. However, malware can spread like wildfire on these systems, and loss of availability could lead to ER departments going into diversion. Of course, written policy and procedure play a part here, too. Employees should not be permitted to use these systems for normal business use (email, web browsing, etc.). As for controls, if possible, we like to see these systems in a separate VLAN, limiting the communication between these systems and the rest of the network.

For many of us, this is a security common sense review. But we cannot become complacent when we begin to see that large botnets are being destroyed. Malware is more like fighting the Hydra…cut off one head and 3 more grow back.

-dsw
