Brute Force Attack in the Medical Field

The Network:  An association in a specialty medical field is our customer who is dedicated to the highest standards of clinical care through education, research and the formulation of health care policy.

The Expectation: An external facing website is the heart of the operation, connecting members to each other and the various activities of the association.

The Catch: The EventTracker SOC (Security Operations Center) observed alerts from the Palo Alto firewall that brute force logins were observed against the Content Management System (CMS). This alert is triggered when ten or more attempts are noticed to the CMS login page.

The Find: The attempts originated from Indonesia and happened repeatedly for a period of time indicating a brute force attack to guess passwords.

The Fix: The EventTracker SOC promptly alerted the administrator to block external access from this attacker IP and provided critical recommendations for securing the CMS by:

  • password protecting the admin folder
  • disabling directory browsing
  • resetting passwords (especially admin)
  • renaming the default admin account
  • implementing two-factor authentication
  • updating the CMS package with latest patches

The Lesson: The risks of a cybersecurity incident are real and ever-present. Organizations must be vigilant and keep up with patching and defense in depth. Comprehensive log monitoring and correlation should be a high priority to protect the often-targeted healthcare industry.