Most cyberattacks are easy to execute
BOSTON--The vast majority (78 percent) of cyberattacks across all industries require low or very low difficulty to execute. “I could teach this room in one day how to do a low difficulty attack,” said Chris Wysopal, chief technology officer of Veracode, speaking at the second annual HIMSS Privacy & Security Forum.
The average cost of an individual breach is $277, but because that figure is industry-wide, Wysopal said that once fines, legal expenses and other associated expenses are counted, the cost of protected health information (PHI) breaches is going to be higher.
Healthcare providers need to protect against different layers of attacks because there are many ways for problems to get into the system, Wysopal said. “Attacks work because there are a lot of known vulnerabilities. In 2012, about 6,500 known vulnerabilities were disclosed across the entire software industry. With that volume, almost every single organization has many known vulnerabilities at any one time.”
Attackers go after a vulnerability right after it becomes known. There is a window of opportunity before the vulnerability is patched, he said. “The window is constant. There is always a new vulnerability being disclosed publicly.”
Web application attacks are on the rise, he said. “There has been an explosion in writing these apps to automate all kinds of processes. New web apps are coming out every day. There’s been a huge amount of growth.” These apps have to be built securely, but they typically involve customized code and almost every web app accesses a database, which raises the chances of vulnerabilities.
Spearphishing attacks are another big category of cyberattack. The attacker makes an email look like any other message you would receive, and when you click on the link, you go to a site the attacker controls. Your endpoint is now compromised. Wysopal recommended ongoing education about spearphishing. “We send out monthly emails educating about the latest trends.”
Antivirus technology has a hard time keeping up when brand new malicious code is introduced every few days. “Attackers are faster at developing malicious code than we are at fighting it,” Wysopal said.
Encryption might not be the answer to all the problems either, he said. “The problem is that it can be bypassed because individual users and apps that access the data have to be able to access the data in clear text. The app has to have the ability to decrypt records to present them to the user.”
To protect your organization, Wysopal said you need to inventory all of your assets. “Lots of organizations have amassed technology over time and don’t know where all the hardware is and what software is running on it.” Once you know what you have and where, he said you should understand where your biggest gaps are. “It’s kind of a wake-up call. Prioritize how to raise the bar on those systems. Develop a good incident response plan. Being able to respond quickly makes a huge difference—the attack might only impact a few records instead of all the records.”
Visit owasp.org to keep up to date on the top 10 ways web apps are attacked, Wysopal said. SQL injection is the No. 1 method, but information is available on how to write database queries that are not susceptible to it.