Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, Concepts.

Transcription

1 Protect - Detect - Respond A Security-First Strategy HCCA Compliance Institute April 27, Today s Topics Concepts Case Study Sound Security Strategy 2 1

2 Security = Culture!! Security is a BUSINESS issue, NOT a technical issue!! Administrative Policies / Procedures (Standards) Physical Access Controls Technical Security Controls 3 Secure System Defined: A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford Security should provide: Confidentiality Integrity Availability 4 2

3 Security as a Discipline System Administration Keep systems up and running Everyone has access to what they need Features and functionality Can we add System Security No access to what you don t need No, No, No Then yes with business needs justification 5 Information Systems Clinical Applications EMR Financials Business Applications Database Systems Operating Systems 6 3

4 Information Systems Clinical Applications EMR Financials Business Applications Most controls and monitoring are focused here. Database Systems Operating Systems 7 Case Study Hospital Client Testing for Modems: War Dialing Testing Wireless: War Driving Lessons learned: Old, out of date systems w/default settings Reliance on vendors and vendor systems 8 4

5 Information Security Strategy 1. Protect 2. Detect 3. (Test and Verify) 4. Respond (Remediate) Protect Policies People, Rules, & Tools Configure Harden Physical Access 10 5

6 Strong Policy Should become part of organization s culture Think in terms of Standards Software/Hardware/Configuration standards Secure communication standards Password expiration / complexity rules / use Monitoring Provide the backbone for security Protect from social engineering 11 Configuration Management Configuration standards Secure the inside Harden initially default open systems Minimize and maintain services Secure the perimeter (In and Out!) Secure mobile devices and mobile data 12 6

7 Secure Internal Systems Hardening: Four Most Common Issues Excessive services running (by default) Weak default configurations Weak default authentication Excessive permissions 13 Default Open Everything is turned on Everyone/everything has maximum permissions Everything talks to everything Why? Interoperability Reduce Service calls Not as difficult to set up/configure Example: Telnet (application), SSH, and file permissions 14 7

8 Minimize / Maintain Services Each service has inherent vulnerabilities (provided over the Internet or internally) Default services especially at risk SMTP telnet FTP / tftp / anonymous FTP HTTP SNMP Understand risks accepted for services left open 15 Hardening Change default passwords (and account names) Enhance weak security configurations Restrict Anonymous Setting LM/NTLM hash mechanism/storage Lockout and auditing settings Especially on remote access (pcanywhere, VNC ) Etc Remove or restrict excessive permissions The Everyone group vs Authenticated Users group All users in the Local Administrators group 16 8

9 Resources Hardening Systems Hardening checklists: CIS offers vendor-neutral hardening resources Microsoft Security Checklists efault.mspx?mfr=true Ask your vendor/insist on secure software 17 Internet Perimeter Security Controls Need a layered approach: Firewall IDS/IPS filters Browser proxies In bound (ingress) as well as outbound (egress)! 18 9

10 Firewall Gateway between networks Internet and inside; inside and 3 rd party vendor Rules define what is and is not allowed Outside IN Inside Out this is frequently overlooked Default rules should be Deny All Then have specific Allows for particular services and hosts based on business needs 19 Firewall Some specific rules/examples: Only coming from the mail server/mail filter system itself is allowed out Only browser traffic coming from the proxy is allowed out All other outbound traffic is denied, except Lessons learned 20 10

11 Browser Proxies Analogous to sophisticated firewall for web browsing MS ISA Websense iprism Protects the interaction between client workstation and external web site 21 Browser Proxies Should have rules for what is and is not allowed White list/black list functions Restrictions on pages with active scripting Restrictions on file downloads (and uploads) Rules may be based on group membership Also very useful for: Tracking employee use and behavior/compliance Forensic purposes 22 11

12 Filters Process and inspect before it is delivered to the intended recipient Inside and Outside Like IDS/IPS and Firewall, should have rules for what is and is not allowed Protect against: Spam Viruses Other malicious code Spoofing Data leakage 23 Secure Mobile Devices and Mobile Data Laptops Is it really encrypted? Backup Tapes It s password protected, isn t that enough? Portable Storage Devices Ohio intern and the back up hard drive Phones and PDAs 24 12

13 Attacks on Mobile Devices A Chronology of Data Breaches Lost or Stolen Laptops Lost or Stolen Backup Tapes Lost or Stolen Storage Devices 25 Attacks on Mobile Devices Key protection strategies: Policies for storing data Anyone reports internally? Guess what Encryption Strong authentication Authentication for sleep mode Ability to wipe if lost or stolen 26 13

14 Physical Security - Solutions Segment facilities Public vs Private 2 factor authentication (e.g. card swipe plus PIN) How to bypass a finger print reader! Clear vendor/visitor verification Conspicuous, difficult to copy badges Console locks / screensaver passwords Live network data jacks (don t forget the phones) Employee awareness!! 27 Monitoring Different things to consider Routers and Firewalls IDS/IPS Mail system/filter Servers Workstations? Each one communicates and passes traffic at different levels Each has different capabilities Need to know what their strengths and weaknesses are 28 14

15 Monitoring Two places to monitor: Network traffic (IDS/IPS) Individual hosts (System & application logs) Two types of monitoring Signature based Heuristic/Statistical Anomaly/Standard baseline 29 Monitoring Too much traffic on modern networks for a person to monitor Volume Complexity Needle in a hay stack Need help need a tool 30 15

16 IDS/IPS Intrusion Detection System (IDS) Sophisticated monitor network based or host based Watches for known bad things Logs the bad things May generate alerts Intrusion Prevention System (IPS) More advanced IDS Has ability to deny or block bad things Should generate alerts 31 IDS/IPS Both IDS and IPS have tremendous value in a forensic investigation if They monitor and log traffic in both directions The logs are maintained (not overwritten or deleted) Need to understand what they are good at, and not so good at E-commerce over SSL ( ) 32 16

17 Monitoring Event Log Consolidator / Sys-log server Need centralized, automated system for pulling event logs from a variety of devices Should process logs and evaluate against pre-defined rule sets i.e. X failed logins in less than 10 seconds should generate an alert Use of USB/mass storage devices Not only useful from a security and audit perspective, also very useful as a trending and training tool for IT management 33 Monitoring Google: event log monitoring software Some good examples:

18 Patch Management What is this thing they call a patch? 99% of intrusions exploit known vulnerabilities Only 3% of business networks have all the latest Microsoft patches!!! Error in code allows attacker to do something NOT what it was designed to do! 35 Patch Management What is Patch Tuesday? MS WSUS patch management system 3 rd party applications do the same and more:

19 Patch Management Advisory Sites 3 rd party vendor advisory sites Microsoft Oracle Apple Others/CERT 37 Patch Management But the patches always break our applications... Need for a Development/Test environment VMWare MS Virtual PC 38 19

20 Patch Management Beyond the test environment, you need a process Test group 1 Test group 2 General rollout at groups A, B, C Will need a process to monitor patch completeness 39 Detect - Test Need a process to independently validate completeness Configuration management Implementation/Change management Patch management/vulnerability management Anti-virus management User account management Monitoring effectiveness The challenge of Administrative Completeness 40 20

21 Vulnerability Management Remember the strategy Protect, Detect, Test, Respond, Remediate Need to include a vulnerability testing/monitoring/management component Should supplement 3 rd party vulnerability assessments Some of the patch management tools will incorporate some of this functionality, but be careful 41 Incident Response Plans and Procedures Incident Response Policy Documentation is readily available BEFORE hand Where is the patient data Structured procedures Defined communication Understand notification requirements Chain of command Escalation procedures 42 21

22 Closing Case Study Phishing and Administrative Completeness 43 Closing Harden the infrastructure and systems Systems need to be configured to monitor and alert Choose appropriate tools to automate as much of the monitoring and alerting as possible Periodically validate the systems are behaving as expected 44 22

23 Questions? Randy Romes, CISSP, MCP (612) Presentation: 45 Resources Hardening Checklists: Data Breaches Breach Notification Requirements: Notification_Laws_State_By_State Monitoring tools

24 Resources Patch Management Tools Advisory Sites: Microsoft Oracle Apple Others/CERT