Data Assessment in Healthcare: Knowing What Data You Have Is Half the Battle

When it comes to protecting personal healthcare information or a medical facility from cyberattacks or data breaches, the first step that must be taken is a thorough and exhaustive data assessment.

The data assessment will provide your organization with a complete understanding of:

  • Who has access to the data?
  • What types of sensitive information are stored?
  • Where is the data stored?
  • When was the data last modified?

Why? Because a cybersecurity team cannot be expected to protect something if it does not know it exists in the first place.

A data assessment can deliver the level of understanding that a cybersecurity practitioner needs to create a proper response plan in case of attack and make sure data is only accessible to those who need access.

The assessment itself cannot decide whether the people it finds with access to a share should have that access. At most, we can tell an organization whether the list of groups and users on a share looks reasonable, judging by how the organization has named its groups and by the job titles of the individuals. Whether each member of those groups actually belongs there is something we cannot judge, because we do not know the people or their roles; that determination rests with the internal IT department.

Therefore, the IT team should perform a quarterly review of access rights and group memberships.

Seeking Out Hidden Data

During this initial part of the journey, multiple paths can be taken to discover all the data hidden in an organization’s nooks and crannies.

The first avenue is to scan all the servers in the organization. The team can enumerate that list of servers from the organization's Active Directory, so the organization we are assessing does not have to supply any information. Or the organization can simply supply us with a list of the servers to be scanned.

At this point, the scanning utility goes through and scans all the shares on each server, including hidden shares (on Windows, share names ending in $, such as C$ or ADMIN$, are omitted from browse lists but remain fully reachable by anyone with the right permissions, so they must be scanned like any other). The only requirement from our standpoint is that the organization provide us with read-only access to the shares being scanned.

These scans can take a long time to complete, even running 24/7, depending upon the amount of data to be analyzed. Once the scanning process completes, the utility analyzes the collected content for specific items or terms, such as PHI, PII, PCI, financial data, or potential General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA) issues. We can also search for items of interest to the organization, say, material belonging to a particular project.

While one might think that an organization would have a pretty good idea of what its servers contain, it's often the case that we find thousands of files outside of their approved locations. It’s also common to identify people without a business need having access to sensitive material, which needs to be corrected. It's also common to find sensitive items like login credentials stored in plain text on open documents like PowerPoint slides.
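As an added example (not Trustwave's scanning utility, and not code from the original post), the following Python script shows the content-classification half of the discovery step described above: it walks a directory tree standing in for a mounted, read-only file share, flags a few of the categories the article names (PII as US SSNs, PCI as Luhn-valid card numbers, credentials stored in plain text), and then reports which hits sit outside an approved location. The patterns, the `APPROVED_LOCATIONS` policy, the folder names and the file contents are all constructed for the demo; share enumeration from Active Directory and SMB mounting are out of scope.

```python
"""Minimal sensitive-data discovery scanner (added example, not Trustwave's tool).

Walks a directory tree standing in for a mounted file share, classifies each
text file against a few constructed patterns, and flags files that hold a
category outside the folder the (hypothetical) policy allows for it.
"""
import os
import re
import tempfile
from collections import defaultdict

# Category -> regex. Deliberately small; a real engagement carries far more patterns.
PATTERNS = {
    "PII:SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "PCI:CARD": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),  # 13-16 digits, optional separators
    "CRED:PLAINTEXT": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}

# Hypothetical policy: which top-level share folder may hold each category.
# Plaintext credentials are approved nowhere.
APPROVED_LOCATIONS = {"PII:SSN": {"hr"}, "PCI:CARD": {"finance"}, "CRED:PLAINTEXT": set()}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop 13-16 digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return {category: [matched strings]} for one document's text."""
    hits = defaultdict(list)
    for cat, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if cat == "PCI:CARD" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue  # right shape, wrong checksum: ticket numbers, IDs, etc.
            hits[cat].append(value)
    return dict(hits)


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Read-only walk of root; returns {relative path: hits} for files with findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # toy limit; a real tool extracts text from large/binary docs
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = classify(fh.read())
            except OSError:
                continue  # unreadable: a real report lists it as unscanned
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def out_of_place(findings: dict, approved: dict = APPROVED_LOCATIONS) -> dict:
    """{relative path: [categories]} for hits stored outside their approved folder."""
    flagged = defaultdict(list)
    for rel, hits in findings.items():
        top = rel.split("/", 1)[0]
        for cat in hits:
            if top not in approved.get(cat, set()):
                flagged[rel].append(cat)
    return dict(flagged)


def make_sample_share() -> str:
    """Constructed sample share with fake data so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        "hr/roster.txt": "Jane Doe, SSN 123-45-6789, hired 2019",
        "finance/refunds.txt": "Refund to card 4111 1111 1111 1111; ticket 1234 5678 9012 3456",
        "public/export.csv": "id,ssn\n1,321-54-9876\n",
        "projects/deck_notes.txt": "svc_backup password=Winter2024! (for the slide)",
        "public/readme.txt": "Nothing sensitive here, phone 555-123-4567",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    share = make_sample_share()
    found = scan_tree(share)
    for rel, hits in sorted(found.items()):
        print(f"{rel}: {hits}")
    print("outside approved locations:", out_of_place(found))
```

The Luhn check is what keeps the card pattern from flagging every 16-digit ticket or order number, and the `out_of_place` step is the part an IT team acts on first: an SSN in `hr/` is expected, the same SSN exported to `public/` is the policy violation the assessment exists to surface.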

The fact that so much data is found in unexpected places means an organization might not comply with its own policies and local privacy regulations.

If the organization's policy is that all healthcare-related data must be destroyed after six years, the IT staff must know where that data is to accomplish this task. Otherwise, the records could remain hidden for years, exposing the organization not only to regulatory fines but also to the risk that the forgotten data is compromised during a breach.

The Takeaway

It’s important for any potential client to know that a scan conducted as part of a data assessment does not look for malware or viruses. However, that does not mean the scan does not help improve an organization’s overall cybersecurity posture.

For example, suppose we discover that the entire organization has write access to a particular share, and an attacker hits the organization with ransomware. That broad level of access means a single infected workstation can encrypt everything on the share, and the same share becomes an easy path for the malware to spread laterally. If the share is instead limited to only those who require access, the malware will find it much more difficult to reach and spread through. So, by discovering and eliminating unnecessary access to a share, the organization can better lock down its data.

The other benefit to completing an assessment can be seen in a worst-case scenario when an attacker has gained entry and access to your data. Now that you know what data the attacker has accessed, you can properly respond. Without this knowledge, a targeted organization would be making decisions about how to respond in the dark, giving a tremendous advantage to the attacker.

For example, in many recent attacks, threat actors claim to have stolen records, credentials, and PII and threaten to make this information public if the victim does not pay the ransom. With an assessment in hand, you can verify what data might be in danger and respond properly to the attack.

Without a firm understanding of what you have inside your organization, it is difficult to assess the situation and make the best decision. Reach out to your Trustwave Account Manager to schedule a call with the Trustwave Cyber Advisory team to see if a Data Assessment Engagement is right for you.
