Once again it has been shown how easy it is for hackers to breeze through an organization's outer protection. “But there is an easy way to defuse the malicious code,” says security expert Fredrik Åhgren.
Swedish television’s news program TV4 Nyheterna has revealed insufficient IT security at Swedish government agencies and hospitals. A reporter with a hidden camera went to several receptions and asked to have a document printed from a USB stick – one of the classic tricks hackers use to try to get malicious code into a system.
The reception staff at three of the nine government agencies tested plugged the USB stick into the reception computer, and at all three of the big hospitals tested the staff agreed to plug in the USB stick.
“The hospitals and government agencies see this as a serious problem, because they know that if there had been malicious code on the USB stick, it could have traveled from the computers in the receptions to other systems in the organization,” says Fredrik Åhgren, security expert at identity and security company Nexus Group.
If malicious code enters the systems handling patient records, sensitive information can be locked down or stolen by the hackers – and if the malicious code enters a heart-lung machine or a gamma knife, the outcome can be deadly, according to Fredrik Åhgren.
“A few years ago, so-called ransomware infected a big hospital in the US, locking down their patient journals. The hackers then demanded a huge sum of money to unlock the information again. It is all too easy to imagine terrorists infecting a hospital with malicious code to kill people, instead of setting off a bomb,” says Fredrik Åhgren.
There are various ways to try to safeguard against hacker intrusions. Until recently the most widely used approach was to build a virtual wall around the organization’s IT systems, according to Fredrik Åhgren.
“This kind of wall could, for example, consist of a firewall and a policy that, among other things, states that no unknown USB sticks are allowed to be put into the organization’s computers. However, most have realized that you cannot protect yourself against infringements in this way – it is always possible for hackers to find a way to get in and you have to expect that.”
Nowadays there is a lot of talk about focusing on identifying the malicious code once it has broken into the systems and then taking action on it, an approach called detect and respond.
“However, this is not a silver bullet, as some seem to think. You cannot find all malware, since you do not know what you are looking for. A large proportion of all organizations are probably already hacked without knowing it. Most hackers are not out to kill, destroy or blackmail – they just want to steal your business secrets in silence, without you noticing.”
However, there is a way to protect your organization against intrusions that is virtually watertight, according to Fredrik Åhgren.
“By creating a list of applications that are approved to run in the system it becomes impossible for malware to execute. You can insert as many USB sticks with malware as you like, and even print out the documents on the USB sticks, but the malware will not run in the system because it is not on the list of approved programs.”
This method is called whitelisting, and it is the opposite of the blacklisting of malicious code that antivirus programs rely on.
“Antivirus software has a long list of blacklisted applications that may not run, and this list is constantly updated. But it can of course never be complete, and if a hacker uses completely new code to hack you, no antivirus software in the world can protect you. It is strange that people still buy antivirus software.”
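The contrast drawn above, as an added illustration that is not part of the original article or of Nexus Group's products: a blacklist (antivirus model) and a whitelist (default-deny model) evaluated over the same constructed sample binaries, showing that never-before-seen code slips past the blacklist while the whitelist blocks it and also rejects a tampered copy of an approved program. File contents, hashes and names are all constructed for the example.

```python
import hashlib

# Constructed stand-ins for executable file contents on a reception PC.
APPROVED_VIEWER = b"DOCVIEWER v1.0 (constructed sample binary)"
KNOWN_MALWARE = b"RANSOMWARE 2016 (constructed sample binary)"
NOVEL_MALWARE = b"NEVER-SEEN-BEFORE dropper (constructed sample binary)"
TAMPERED_VIEWER = APPROVED_VIEWER + b"\x90"  # approved program with one byte altered


def sha256(data: bytes) -> str:
    """Identify a binary by the SHA-256 of its full contents."""
    return hashlib.sha256(data).hexdigest()


# Blacklist: hashes of malware that has already been seen (the antivirus model).
# It can only ever contain what someone has previously caught and catalogued.
BLACKLIST = {sha256(KNOWN_MALWARE)}

# Whitelist: hashes of the few applications this machine is approved to run.
WHITELIST = {sha256(APPROVED_VIEWER)}


def blacklist_allows(data: bytes) -> bool:
    """Default-allow: anything not on the known-bad list is allowed to execute."""
    return sha256(data) not in BLACKLIST


def whitelist_allows(data: bytes) -> bool:
    """Default-deny: only an exact, pre-approved hash is allowed to execute."""
    return sha256(data) in WHITELIST


def evaluate(samples: dict) -> dict:
    """Return {name: (blacklist_verdict, whitelist_verdict)} for each sample."""
    return {name: (blacklist_allows(d), whitelist_allows(d)) for name, d in samples.items()}


if __name__ == "__main__":
    samples = {
        "approved viewer": APPROVED_VIEWER,
        "known malware": KNOWN_MALWARE,
        "novel malware": NOVEL_MALWARE,
        "tampered viewer": TAMPERED_VIEWER,
    }
    for name, (bl, wl) in evaluate(samples).items():
        print(f"{name:16s} blacklist allows={bl!s:5s} whitelist allows={wl}")
```

Note that the whitelist also refuses the tampered viewer: a hash-based allowlist pins the exact binary, so a patched copy of an approved program is treated as unknown code.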
There are no figures on how many organizations use whitelisting today, but according to Fredrik Åhgren one thing is clear: the method is underutilized.
“In principle, you could whitelist all digital systems, and in the future this might be done. But before this becomes practical, an infrastructure has to be constructed, where trusted whitelists can be shared between organizations in a smooth manner. However, 15–20 % of all systems should be whitelisted directly, today.”
The systems that Fredrik Åhgren believes should be immediately whitelisted are critical systems with specific functions, such as a PC in a hospital reception, a server with medical records, or a dialysis machine.
“In these kinds of systems you do not need to regularly add lots of software or Excel macros, so I quite honestly do not understand why whitelisting is such an underutilized method. It may be that there are misconceptions about it being complicated or expensive.”
Fredrik Åhgren believes that whitelisting will soon become more widespread as the internet of things continues to spread.
“Car manufacturers will realize that it is bad PR if their cars get hacked and run off the road or into a crowd. Both consumers and organizations will begin to demand intrusion protection in their online refrigerators, cameras, lawn mowers and industrial robots. I just hope that this will be done before and not after we see really serious incidents,” says Fredrik Åhgren.