Data Exfiltration

After a security incident, it is vital to assess whether data has actually been taken from the business – data loss is known as exfiltration – taking it outside the network

Sensitive files might include the database of the patient management system, databases of imaging systems, word or pdf documents which identify patients.

Ransomware attacks are usually crude and do not attempt to exfiltrate data.  Nevertheless, it is important to have evidence that no exfiltration has occurred.

Exfiltration can occur via many different protocols for example http, https, ftp, tftp, smtp, pop, scp, sftp or any of these protocols within a tunnel such as ssh

A Next Generation Firewall gives the opportunity for some granular control over this.  A policy might, for example prevent the server hosting the sensitive data to contact the internet at all except for windows update.  The policy can log data traffic volume so you can be sure that a 1Gb file has not been sent from the server.   The NGFW can prevent the above protocols going out from the server and individual files can be fingerprinted or watermarked.

Having  these measures in place gives support to asserting that no data was lost and can justify not reporting a ransomware infection to the regulatory authorities.

Data Breach

One of the reasons we want to secure our network is to prevent the theft of data.  The data we are most anxious about losing is the health or identification information of our patients.   There are rules in Australia about when a data breach has occurred and what needs to be done.

Guidance is provided here .

The rules in the USA are more strict.  Guidance is here .

Now most ransomware attacks are not motivated by theft of data but rather the extortion of a ransom.  Even so, in the event of a security compromise, a framework must be used to determine whether a breach has occurred.

What network ports are identifiable

If you have any sort of remote access to your network or are running any sort of servers or phone system, then you will have ports open to the internet. When an outsider attempts to connect, the port may respond as open, closed or filtered

closed means the port is not listening. In technical terms, a RST is sent in response to an SYN. Open means an ACK is sent in response to the SYN. Hackers can try to identify what service is on the port. Filtered means no ACK is sent at all. There may or may not be a service behind the port

You can test what is visible with nmap. Some basic instructions are here

You can download nmap here, unzip it into a clean directory and run from a command prompt

In our case, nmap was able to identify the port and the type of vpn service that was running. Compiling a list of ip addresses, ports and services allows systematic and automated hacking