Infrastructure Hygiene: Why It’s Critical for Protection

Posted under: Research and Analysis

After many decades as security professionals, we find it depressing to face the same issues repeatedly. It’s kind of like we’re stuck in a hacker Groundhog Day. Get up, clean up after stupid users, handle a new attack, fill out a compliance report, and then do it all over again. Of course, we all live in an asymmetrical world when it comes to security. The attackers only have to be right once, and they are in your environment. The defenders only have to be wrong once, and the attackers gain a foothold. It’s not fair, but then again, no one said life was fair.

The most basic advice we give to anyone building a security program is to make sure you do the fundamentals well. You remember security fundamentals, right? Visibility for every asset. Maintain a strong security configuration and posture for those assets. Patch those devices efficiently and effectively when the vendor issues an update. Most practitioners nod their heads about the fundamentals and then spend all day figuring out how the latest malware off the adversary assembly line works — or burning a couple of days threat hunting in their environment. You know, the fun stuff. The fundamentals are just… boring.

The fact is, the fundamentals work: not for every attack, but for a lot of them. So we’re going to provide a reminder of that in this series we are calling Infrastructure Hygiene: The First Line of Security. We can’t eliminate all of the risks, but shame on us if we aren’t making it harder for the adversaries to gain a foothold in your environment. It’s about closing the paths of least resistance and making the adversaries work to compromise your environment.

We want to thank our pals at Oracle for potentially licensing the paper. We appreciate a company that is willing to remind its folks about the importance of blocking and tackling instead of just focusing on the latest, shiniest widget.

Defining Infrastructure

Let’s start the discussion with a fundamental question. Why focus on infrastructure? Aren’t apps attacked as well? Of course, adversaries attack applications, and in no way, shape or form are we saying that application security isn’t critical. But you have to start somewhere, and we favor starting with the foundation, which means your infrastructure.

Your tech stack’s main components are networks, servers, databases, load balancers, switches, storage arrays, etc. We’re not going to focus on protecting devices, applications, or identity, but those are important as well.

We’d be remiss not to highlight that what is considered infrastructure will change as more of your environments move to the cloud and PaaS. If you’ve gone to immutable infrastructure, your servers are snippets of code deployed into a cloud environment through a deployment pipeline. If you are using a PaaS service, your service provider runs the database, and your maintenance requirements are different.

That’s one of the huge advantages of moving to the cloud and PaaS. It allows you to abuse the shared responsibility model, which means that you contract with the provider to handle some of the fundamentals, like keeping up with the latest versions of the software and ensuring availability. Notice we said some of the fundamentals, but not all. Ultimately you are on the hook to make sure the fundamentals happen well. That’s the difference between accountability and responsibility. The provider may be responsible for keeping a database up to date, but you are accountable to your management and board if it doesn’t happen.

Many Bad Days

As we go through the lists of thousands of breaches over the years, quite a few resulted from misconfigurations or from not fixing known vulnerabilities. We can go back into the Wayback Machine to see a few examples of the bad things that happen when you screw up the fundamentals.

Let’s dig into three specific breaches here because you’ll get a good flavor of the downside of failing at infrastructure hygiene.

  • Equifax: This company left Internet-facing devices vulnerable to the Apache Struts attack unpatched, allowing remote code execution on those devices. The patch was available from Apache, but Equifax didn’t apply it to all of its systems. Even worse, their Ops team checked for unpatched systems and didn’t find any, even though there were clearly vulnerable devices. It was a definite hygiene fail, resulting in hundreds of millions of user identities stolen. Equifax ended up paying hundreds of millions of dollars to settle their liability. That’s a pretty lousy day.

  • Citrix: When a major technology component is updated, you should apply the patch. It’s not like the attackers don’t reverse engineer the patch to determine the vulnerabilities. This situation was particularly problematic in the case of the Citrix hack in early 2020 because the attackers could run automated searches to find vulnerable devices. And the attackers did. Even more instructive, the initial mitigations Citrix suggested in lieu of a patch were neither reliable nor widely implemented within its customer base, leaving many organizations exposed. At the same time, widely distributed exploit code made it easy to exploit the vulnerability. Once Citrix did issue the patches, customers quickly adopted them and largely shut down the attack. Patching works, but only if you do it.

  • Target: The last example we’ll use is the famous Target breach from 2013. It’s an oldie, but it highlights that the challenge extends beyond your own infrastructure. If you recall, Target was compromised through an unpatched third-party vendor system, which allowed the attackers to access Target’s systems. It’s not enough to get your own hygiene in order. You also need to scrutinize the hygiene of any external organization (or contractor) that has access to your network or systems. Target paid tens of millions of dollars to settle the claims and dealt with significant brand damage.

We don’t like poking at companies that have suffered breaches, but it’s essential to learn from these situations. And if anything, infrastructure hygiene is getting more complicated. The SolarWinds attack from late 2020 was an example where even doing the right thing and patching the tool ended up providing an entry to attackers. If you looked at that situation in a bubble, you might have asked, “why bother patching?”

That question indicates you learned the wrong lesson. Go back up a few paragraphs where it says, “you can’t eliminate every risk.” Supply chain attacks will happen, and candidly there isn’t much you can do about them besides focusing on detection and monitoring. But not patching a component opens you up to anyone with the exploit. Patching may expose you to a sophisticated supply chain attack only available to a handful of adversaries (typically nation-states). We play the odds and patch to make it difficult for them.

Not an Option

After all the proof of downside above, let’s say you are still resistant to practicing good infrastructure hygiene. Don’t take it from us; listen to your auditor because they will find (and report) all sorts of deficiencies if you can’t keep things configured strongly and patched. Let’s highlight a few regulatory mandates that require patching.

  • PCI: Requirements 2, 6 and 11 mention patching.
  • ISO 27001: Control A.12.6.1 deals with remediating vulnerabilities (which means patching).
  • NIST SP 800-53 R3: The Configuration Management (CM), Risk Assessment (RA), and System and Information Integrity (SI) control families highlight the need to patch the infrastructure.

So you don’t have an option, do you?

Are you sold yet? Good. But if it were easy, everyone would do it and do it well. Maintaining strong infrastructure hygiene isn’t easy, so in the next post, we’ll dig into the how of infrastructure hygiene and help you build a consistent program to ensure you get it all done.

– Mike Rothman

6 ways to prevent cybersecurity burnout

We’re in the midst of a cybersecurity staffing crisis. Many major news outlets, such as The New York Times, have reported that unfilled jobs in the industry are expected to reach up to 3.5 million this year — leaving existing security teams stretched thin and burnt out.

To make matters worse, attackers have increased their activity since the beginning of the pandemic and continue to take advantage of the prolonged crisis. In this new year, CISOs everywhere will need to shift their talent management practices in order to attract new candidates to the field and prevent employee burnout. How? Here are a few ideas.

1. Invest in training for new employees

Today’s college graduates in the technology or cybersecurity fields, or even those with one to two years of experience, have a definite thirst for knowledge. Our organization, for example, has found that investing in feeding that knowledge pays dividends. Each year, we take new cybersecurity talent through a six-month continuous improvement and training program that consists of internal and external educational courses, technical labs, shadowing programs and cross training. In the long run, organizations benefit from investing in their people.

2. Match people to the job, set goals and mentor

Understanding what encourages your individual team members to perform their best work is key to keeping them motivated. I’ve learned from personal experience that people don’t tend to burn out if they have work they consider interesting and genuinely enjoy. For example, people who work as security professionals are generally more curious. They are naturally more driven than some professionals. And they are clever — they love challenges as opposed to performing process-heavy tasks. On the opposite end of the spectrum are QA testers. They tend to like to follow directions and prefer lists of test cases that they can execute down to the smallest detail. And to be sure, it is good to have both types of personalities on your teams.

To help all personality types avoid burnout, you need to make sure that you’re giving them tasks that match their interests. You also need to invest in your team’s growth and help each individual understand how they can enhance their skill set — whether it’s digging deeper into one specific area of security or increasing the breadth of areas they can expose themselves to. You can do this with goal setting and building career plans for each person on your team.

Having a formal mentorship program is another effective talent management approach. One of the challenges some cybersecurity professionals face is that they don’t always have the most extroverted personalities and may struggle to build professional relationships outside of their work teams. From my experience, I’ve found that co-workers become friends outside of work, so whenever I needed a sounding board or independent advice about a career issue, I was hesitant to confide in my co-worker friends for fear of possible negative repercussions. Having a formal mentor outside of your work circle for guidance and perspective can be invaluable.

3. View your project managers through a new lens

Project management duties in cybersecurity will never go away — they are a critical component to ensuring smooth workflows as well as efficient and effective client communications. However, project management is not a desired career path for most people who enter the industry. They don’t want to be organizing meetings or writing status reports in a certain format. They want to be breaking things (ethically, that is). As a leader in your organization, you need to maximize their utility to perform high-value technical work, not only project management, if your goal is to prevent burnout.

You can offset your team’s technical excellence by hiring a people person who’s well organized and can take care of the administrative overhead that goes along with doing security work. But don’t stop there. An effective cybersecurity project manager should be more than a task coordinator and client liaison. To be truly successful, project managers today also need some technical knowledge. They don’t need the skills to perform the work, but they need to understand what the work is so they communicate effectively with the client or CISOs. They are essential in understanding and communicating the impact on budgets and timelines when the security teams uncover major vulnerabilities.

My colleague, who manages a team of project managers, recently wrote that an ideal project manager is one who has passion for the job and puts the client first. Critically, the project manager may be in a situation where issues management skills are needed to analyze a particular client circumstance and provide workable solutions on how to move a project forward. The project manager should be the anchor of the vulnerability management program, who advocates for the client at every turn.

Historically, project managers have been very task oriented. They had a project plan, checked in with a team, assigned tasks and checked back periodically to see the status of those tasks. That style of project management is waning, and we now see project managers stepping into a leadership role. They’re leading the entire team, in addition to leading clients toward the best course of success. This leadership will both create excitement around the project management role and alleviate security teams from managing the client relationship, ultimately preventing burnout for both.

4. Be careful with incentives

Incentives, such as bonuses or gift cards, have long been a standard method to entice employees to do what management wants. However, they can backfire. If you’re creating incentives for your security teams to work more because you’re short on staff, you also must have a way to track that the amount of work they’re doing to earn those perks isn’t burning them out. Partner with your human resources department to establish metrics to guide you in determining whether an employee is at risk of burning out, as well as action steps to correct the situation. Work with each staff person on a case-by-case basis when red flags are triggered.

5. Enable automation

Automation is critical to removing workflows or steps that are repetitive, redundant or that don’t necessarily need a human to perform them. It’s a smart way to free up your cybersecurity team’s time for more rewarding work.

Automation has grown significantly as a critical tool to help prevent burnout from a security professional perspective. Back when I was consulting, doing hands-on-keyboard ethical hacking and assessments, I had to write my final reports from scratch. There were no templates for predefined vulnerabilities. Today, certain vulnerability standards and established techniques to prevent them are readily available and should be catalogued for use in reporting.

Automation also comes in the form of platforms that free up assessors from the manual labor of certain tasks. For example, if I’m performing a penetration test on a web application, there are three or four other applications I need to run as part of the workflow. Automation platforms can run those on my behalf so I don’t have to worry about configuring the tools I’m using. These automation platforms can also compile the results from all four tools and de-duplicate them so I don’t have to do that manually on a spreadsheet. Another great feature of automation platforms: They can create reports based on client requirements and notify the client in real time. No more manually writing emails to the client about critical findings or to send a final report.

6. Encourage more people to enter cybersecurity

I’ve noticed that there’s significant stigma shrouding the cybersecurity industry. Many potential candidates worry that they need to be a super-human tech expert or nerd. Mass media plays into that stereotype.

As industry professionals, we need to spread the word that people from all walks of life can potentially find success in cybersecurity. In fact, another of my colleagues astutely wrote that there are a number of personal attributes that can come together to make a person great in this profession. Someone who is a self-starter or is ambitious oftentimes makes a great team member.

Two traits that are more difficult to recognize at first are memory recall and curiosity. Individuals who have memory recall, who can understand patterns and relationships, usually gain an advantage when it comes to thinking like an attacker and recognizing familiar trends, while working as part of a client consulting team. And the highly curious person often has an innate drive to pick things apart — skills that are fundamental to success when the technology landscape becomes more complex by the day and emerging technologies continue to open new doors to hackers. Technology vulnerabilities are there — and a curious person is more apt to find exposures so remediation can commence.

Industry needs to work to prevent burnout

I may be biased, but I think cybersecurity professionals have the best job in the world. It is, however, more important than ever that organizations prevent the all-too-real risk of burning them out. Fortunately, that’s not only possible — it’s highly doable. Consider how to implement the above six methods to help close the industry’s staffing crisis.

About the author
Nabil Hannan is a managing director at NetSPI. He leads the company’s consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Nabil has over 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pentesting, secure code review and vulnerability remediation, among others.

3 SASE case studies exploring real-world deployments

Secure Access Service Edge, or SASE, sparked immediate interest when Gartner introduced the concept in 2019. The COVID-19 pandemic fallout then pushed the cloud architecture model to the top of countless networking and security project lists, due to its ability to securely connect geographically dispersed workforces.

“We didn’t realize just how big of a benefit [SASE] would be. It’s been our saving grace for the past 12 months,” said Bill Wiser, vice president of IT at third-party call center provider Focus Services. “We now have 500 remote users [on a SASE service], which we just never would have been able to do with our internal equipment.”

SASE secures and manages distributed access by bundling diverse network and security functions into a single software stack. Gartner has predicted that by 2024, at least 40% of enterprises will have explicit plans for adoption. The following SASE case studies outline the benefits organizations have seen from their deployments.

Early SASE adoption

Company: Akamai Technologies

Industry: Content delivery network, cybersecurity and cloud services provider

Size: 7,700+ employees across 50+ offices worldwide

SASE vendor: Internal project


In 2012, Akamai Technologies began to move customer-facing security functions to the edge as a response to the advent of cloud computing and the proliferation of distributed denial-of-service attacks, according to CTO Patrick Sullivan. This migration, which happened seven years before Gartner popularized the term SASE, would lay the groundwork for the company’s eventual internal SASE implementation.

“We didn’t use the vernacular of SASE, but the core tenets were there,” Sullivan said.

In contrast to the traditional network security model, in which discrete security devices sit separately in a centralized data center, Sullivan said SASE features “a single security stack running at the edge with applications that feed off each other and answer a bunch of different questions.” For instance, SASE can assess whether a request is valid or malicious, whether the requester is a human being or a bot, whether there are indicators of fraud, or whether the entity has bombarded other customers on the platform with suspicious requests.


Within several years, Akamai also started to embrace a SASE model for its internal-facing applications. “Corporate end users started to look more like the end users visiting a public website,” Sullivan said. “They’re not all clustered in the corporate office. They’re working from home, in airports, on planes, so it made a lot of sense to shift that security inspection to the edge.”

Before SASE, the Akamai network’s paths were circuitous and convoluted. For instance, it would route traffic from Sullivan’s home office in Virginia to the security stack at the Massachusetts headquarters, before sending it back down to a cloud data center that Sullivan said he can practically see from his house.

“That was extremely inefficient and costly, a horrible user experience and a bad security model, in that we were establishing trust at the network layer,” Sullivan said. “Fast-forward to SASE, and if I want to access a Jenkins instance that’s hosted in one of the local cloud facilities, I just hit one of the dozens of edge nodes in my area. All of that security takes place on a per-request basis in an integrated stack.”

The SASE model also enables secure, zero-trust network access for everyone from Akamai’s third-party contractors to employees at newly acquired companies. Over the past two to three years, Akamai has gradually phased out its VPN, use case by use case and user community by user community, according to Sullivan.

“We certainly didn’t anticipate the pandemic, and it, of course, has had major impacts on our workforce. But, from an IT perspective, it was sort of a nonevent because we’d already externalized the users and implemented these efficient, safe traffic flows,” he said.

While security is often at odds with UX, Sullivan believes that SASE has the unusual distinction of improving both: “What’s great about SASE is you don’t have that tension. Everybody’s aligned.”

Unexpected SASE benefits

Company: Focus Services

Industry: Third-party call centers

Size: Nine call centers in North America, two in Central America and one in the Philippines

SASE vendor: Cato Networks

As a third-party call center provider with locations around the world, Focus Services relies heavily on its global WAN. Several years ago, in the midst of several new international site rollouts, the company’s IT team started thinking about how to use software-defined WAN (SD-WAN) to support a more efficient, affordable and secure expansion.


“As we saw the technology continue to develop and get better and the pricing came down, we became more and more interested,” Focus’ Wiser said.

With a single, companywide Active Directory, massive amounts of mission-critical voice traffic and heavy reliance on cloud-based automatic call distribution (ACD) services, Wiser and his team ultimately decided they needed better network redundancy. And, with its modest price point compared to MPLS, SD-WAN fit the bill. Initially, Focus subscribed to an SD-WAN platform resold and managed by CenturyLink. Wiser declined to name the original manufacturer and product but described the offering as “mainstream.”

“We tested that within our centers for about six months,” he said. “It was a new offering for CenturyLink, so we learned together. It was fairly painful.”

The SD-WAN service didn’t do all Focus needed it to. The intelligent routing software succeeded in monitoring dual connections and dynamically assigning high-priority traffic to the stronger of the two. But the technology’s ability to duplicate traffic across both connections — critical for Focus Services’ VoIP use case — was limited, according to Wiser.

“Even the slightest bump in a connection, any latency or jitter, impacts voice,” he said. “If one provider [link] went down and then the other took over, you still lost all your voice traffic.”

Focus ultimately abandoned its initial foray into SD-WAN. In 2018, a different technology service provider suggested the company try Cato Networks’ offering, which Wiser’s team ended up deploying across all U.S. locations over a three-month period.

“Two of our core centers were a little more difficult because we had multiple firewalls and different scenarios to overcome,” Wiser said. “But, in the majority of our centers, it was very simple — unplug out of one location, put a switch in between and plug two connections back in.”

Focus was pleased with the software’s performance, which Wiser said dramatically improved VoIP call quality and ACD connectivity. With on-site firewalls, web filtering and traditional VPN capabilities already in place, however, it initially passed on using the Cato platform’s SASE features. Then, COVID-19 hit, and like countless other organizations, the company had to pivot to a work-from-home model almost overnight.

Focus quickly started using Cato’s internal traffic and web filtering functions and moved to add hundreds of newly remote call center representatives and administrators to the portal. “It has been a huge, huge benefit,” Wiser said.

A timely SASE deployment

Company: Thornton Tomasetti

Industry: Engineering consulting

Size: 42 offices worldwide

SASE vendor: Versa Networks

In 2019, the IT professionals at global engineering consulting firm Thornton Tomasetti started taking a long, hard look at how they managed their WAN, especially in terms of network security and access control.


“We recognized we were in a very reactive mode,” said Lance Brophy, IT director of operations transformation. With diverse hardware deployed inconsistently across the company’s 42 branch sites, the WAN security strategy lacked cohesion. Standardizing and streamlining WAN management, without increasing total spending, would be a win. “And, if we could manage the network better using fewer resources, that’s the home run we were looking for.”

His team launched a formal study exploring their options, and SD-WAN and SASE technology quickly caught their attention. Thornton Tomasetti’s leading vendor contenders included two established players, plus relative newcomer Versa Networks.

“Versa brought everything to the table we needed,” Brophy said, including cloud security, next-generation firewalls, threat management and role-based access control. “Under their SASE umbrella of services, they delivered more security-based features and at a lower price.”

Achieving a SASE model with either of the two alternative vendors would have required Thornton Tomasetti to replace much of its existing infrastructure, he added. “Versa allowed us to just replace our firewalls. We didn’t have to make an investment across our entire network portfolio.”

Brophy’s team, together with a third-party network management partner, began rolling out the SASE technology in January 2020 and wrapped up deployment across all 42 offices within 90 days. They started with Thornton Tomasetti’s two biggest offices, both in New York, with the idea that any unforeseen technical challenges would quickly become apparent there. Working around the network’s demilitarized zones required extra consideration and planning, for example. The team also found, through trial and error, that it had to involve some circuit providers in reassigning customer premises equipment devices but not others.

“That sounds fairly simple, and it was, once we understood what the problem was,” Brophy said. “But, at three in the morning when we were trying to figure out why we couldn’t connect to a telco provider, it was painful.”

The team had a couple of long, sleepless nights. In retrospect, Brophy said he might advise starting with a small pilot site and working up to larger locations later in a deployment project. “But we learned a lot and came out of it in a better position to move forward with the remaining offices,” he added. By the time the team had converted a third of Thornton Tomasetti’s total locations, they had reduced the cutover time to just 30 to 60 minutes per site.

“We finished just before COVID really hit. Folks were being sent home literally the Monday after we completed the last site,” Brophy said.

The SASE deployment’s lucky timing enabled Thornton Tomasetti to immediately pivot to securely supporting a newly dispersed workforce, which probably wouldn’t have been possible on the company’s traditional network infrastructure, Brophy said.

“We’ve been able to prove as a business that we can work as a remote workforce, something that we wouldn’t have even dreamed about a year ago,” he said. “And it’s got to be secure — that is key.”

Thornton Tomasetti has been extremely satisfied with Versa Networks’ SASE offering, but Brophy encourages organizations to do their own homework. “There are different feature sets and capabilities from vendor to vendor, so be aware of those. You need to find the one that meets your business requirements to make that right decision,” he said.

Vastaamo breach, bankruptcy indicate troubling trend


The blackmailing of patients directly, as well as the resulting bankruptcy of Vastaamo Psychotherapy Centre, could signal a shift in cybercrime tactics.

First came the breach, then came the blackmail; now the Vastaamo Psychotherapy Centre has closed its doors for good.

Four months after revealing it suffered a data breach in which patient records were stolen, Finland’s largest psychotherapy center has declared bankruptcy. A significant part of the incident occurred after threat actors attempted to extort the center and threatened to release confidential therapy notes and sessions. When Vastaamo refused to pay the ransom, threat actors started blackmailing victims directly.

In a statement on its website, Vastaamo said the bankruptcy is a direct result of the data breach and blackmailing of patients.

“Vastaamo has been subjected to data breaches and blackmail. Unfortunately, the situation and its handling, as well as the uncertainty that followed the events, have driven the company into insolvency and Vastaamo has filed for bankruptcy on 11 February 2021,” the statement said (translated from the original Finnish).

SearchSecurity reached out to Vastaamo on how victims being extorted directly had affected the center. “Both Vastaamo and the individuals are victims of hacking and extortion, and obviously with grave impacts,” a spokesperson said in an email to SearchSecurity.

Infosec experts say this may become a trend.

In a live webinar on Tuesday titled “Attackers get personal: Email, blackmail and how healthcare data become prime target to cyber attacks,” F-Secure chief research officer Mikko Hypponen said hackers stole the private therapy notes of 31,980 patients and then, “after failing to blackmail the therapy to pay a ransom, started blackmailing patients directly themselves.” That, along with other reasons, makes this case rare.

According to Hypponen, F-Secure knows of a handful of cases where blackmailers stole medical information, and even fewer where they went on to blackmail patients. Another rarity: going bankrupt directly as a result of such an attack.

“When we look at the history of big hacks, companies suffer but they rarely fold. Companies survive even massively large hacks — the CEOs, CISOs get fired all the time — but in general, companies survive. Even in cases where you think there’s no way they can survive — like Ashley Madison, Sony Pictures, Equifax, Yahoo. Of course, there are companies that didn’t survive. Vastaamo isn’t the only one, but it’s surprisingly rare,” he said during the webinar. “In general, it doesn’t happen.”

The original breach occurred in 2018 and impacted tens of thousands of Vastaamo patients. As of November, 25,000 criminal reports had been submitted to Finnish police. However, Marko Leponen, detective chief inspector at Finland’s National Bureau of Investigation, told SearchSecurity in an email that while they don’t have exact numbers, they believe only 10 to 20 victims actually paid the ransoms. Additionally, Leponen said as far as they know, the extortion attempts ceased after the initial weeks following the breach disclosure.

While it is unknown why threat actors stopped extorting victims, Malwarebytes researcher Pieter Arntz said there is speculation that they exaggerated the number of patient files they had access to, because they stopped publishing patient data online after the first 200 samples.

“Or there is the distinct possibility their conscience finally kicked in,” he said in an email to SearchSecurity.

Instances like the Sony Pictures hack, the Ashley Madison dating site breach and other enterprise breaches that Hypponen referenced resulted in larger consequences, but as he said, the companies survived. Two major differences with Vastaamo are the sensitive medical information involved and the blackmailing of victims directly, which Hypponen said may become a trend.

Prior to learning of the Vastaamo hack, Hypponen said he believed that most attackers are motivated by financial information.

“If you’re trying to make money with your criminal attacks, medical information is not a very good target for you. Well turns out, I might have been wrong,” he said during the webinar. “It might be now the case that we are seeing the beginning of the next trend — a trend where medical information is becoming a prime target for financially motivated criminals. They might not just be blackmailing the organization with the encryption of data, but the patients themselves.”

Jared Phipps, senior vice president at SentinelOne, told SearchSecurity that if the attack proves profitable, then it will become a trend.

“We have already seen them blackmailing organizations in several ways. First is the ransomware event. Second is telling victims, after the ransom has been paid that they have altered data and they need to pay for that to be cleaned up, which did not work. Now we see this. It’s just a constant evolution of attackers looking for ways to make money — if they make money on this one you will see it happen again and again,” he said in an email to SearchSecurity.

On the other hand, Kaspersky Lab researcher Kurt Baumgartner told SearchSecurity the trend has already started.

“In the JPMorgan breaches of 2014, the criminals targeted the bank’s high-wealth customers. There are other examples since then, so we have seen this sort of customer targeting before. Do I think blackmailing health care customers will become a trend? I think that it already happens, but for now, it seems a fairly niche phenomenon,” he said in an email to SearchSecurity.

Hypponen said it may actually be two different trends combining for what he refers to as “ransomware 2.”

“Not just encrypting but stealing the information and blackmailing. It was started in just January 2020 by Maze. It’s an effective way of getting money from organizations even if the organizations have good backups. Maze made so much, they retired,” he said during the webinar. “If data is stolen and running a leak site, it’s a hard position and this is the reason why we’ve seen over the last year companies pay the ransom more than ever. One reason companies pay these ransoms is medical information. They can’t afford this information to be posted on the public web, so they pay.”

In this case, Vastaamo did not pay, but some victims did. It is unclear if victims paying directly had any effect on the therapy center declaring bankruptcy. Arntz said the press release states that taking care of the aftermath cost Vastaamo so much that the liquidation process likely led to the bankruptcy. “It’s also important to realize that they could be facing a considerable GDPR fine if they were found to be careless with their customer data,” he said in an email to SearchSecurity.

According to Vastaamo’s statement, the “liquidator has entered into a preliminary agreement to sell the business to Verve,” a nationwide provider of occupational welfare services. Verve released a statement Feb. 2 which said it “entered into a preliminary agreement to acquire the psychotherapy business of psychotherapy center Vastaamo.”

Leponen said the investigation will continue even if the therapy center collapses.
