Protect - Detect - Respond: A Security-First Strategy
HCCA Compliance Institute, April 27, 2009

Today's Topics
- Concepts
- Case Study
- Sound Security Strategy
Security = Culture!!
- Security is a BUSINESS issue, NOT a technical issue!!
- Three kinds of controls:
  - Administrative: policies / procedures (standards)
  - Physical: access controls
  - Technical: security controls

Secure System Defined
- "A secure system is one we can depend on to behave as we expect."
  Source: Web Security and Commerce, Simson Garfinkel with Gene Spafford
- Security should provide:
  - Confidentiality
  - Integrity
  - Availability
Security as a Discipline
- System Administration:
  - Keep systems up and running
  - Everyone has access to what they need
  - Features and functionality: "Can we add ...?"
- System Security:
  - No access to what you don't need
  - "No, No, No" ... then yes, with business-needs justification

Information Systems (the stack, top to bottom)
- Clinical Applications (EMR), Financials, Business Applications
  - Most controls and monitoring are focused here
- Database Systems
- Operating Systems

Case Study: Hospital Client
- Testing for modems: war dialing
- Testing wireless: war driving
- Lessons learned:
  - Old, out-of-date systems with default settings
  - Reliance on vendors and vendor systems
Information Security Strategy (a cycle)
1. Protect
2. Detect
3. (Test and Verify)
4. Respond
5. (Remediate)

Protect
- Policies: people, rules, and tools
- Configure / harden
- Physical access
Strong Policy
- Should become part of the organization's culture
- Think in terms of standards:
  - Software / hardware / configuration standards
  - Secure communication standards
  - Password expiration / complexity rules / use
  - Monitoring
- Standards provide the backbone for security
- Protect from social engineering

Configuration Management
- Configuration standards
- Secure the inside:
  - Harden systems that are "default open" when first installed
  - Minimize and maintain services
- Secure the perimeter (in and out!)
- Secure mobile devices and mobile data
Secure Internal Systems: Hardening
Four most common issues:
- Excessive services running (by default)
- Weak default configurations
- Weak default authentication
- Excessive permissions

Default Open
- Everything is turned on
- Everyone/everything has maximum permissions
- Everything talks to everything
- Why? Interoperability; fewer service calls; easier to set up and configure
- Example: Telnet (the application) versus SSH, and file permissions
Minimize / Maintain Services
- Each service has inherent vulnerabilities (whether exposed to the Internet or only internally)
- Default services especially at risk: SMTP, telnet, FTP / tftp / anonymous FTP, HTTP, SNMP
- Understand the risks accepted for services left open

Hardening
- Change default passwords (and account names)
- Enhance weak security configurations:
  - RestrictAnonymous setting
  - LM/NTLM hash mechanism and storage
  - Lockout and auditing settings, especially on remote access (pcAnywhere, VNC, ...)
  - Etc.
- Remove or restrict excessive permissions:
  - The Everyone group vs. the Authenticated Users group
  - All users in the local Administrators group
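The Hardening slide names settings (RestrictAnonymous, LM hash storage, lockout) that are checked most reliably from an exported security template rather than by clicking through the GUI on each server. The script below is an added example, not code from the presentation: it parses the INF text that `secedit /export /cfg <file>` writes on Windows, and flags the weak defaults the slide lists. It assumes the export's [System Access] section holds `Name = Value` lines and its [Registry Values] section holds `MACHINE\<path>\<value>=<type>,<data>` lines with type 4 meaning REG_DWORD; both sample exports below are constructed for the example, one for a "default open" server and one for the same server after hardening.

```python
"""Audit a Windows security-template export for the weak defaults listed on
the Hardening slide (anonymous enumeration, LM hash storage, lockout and
password policy).

Added example, not code from the presentation.  Assumption: the input is the
INF text written by `secedit /export /cfg <file>`, whose [System Access]
section holds `Name = Value` lines and whose [Registry Values] section holds
`MACHINE\\<path>\\<value>=<type>,<data>` lines (type 4 is REG_DWORD).  Both
samples below are constructed for the example, not captured from a host.
"""

# Constructed sample: a freshly installed server with "default open" settings.
WEAK_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the same host after the hardening steps were applied.
HARDENED_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"


def parse_template(text):
    """Return {section: {name: value}} for an INF-style security template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        sections[current][name.strip()] = value.strip()
    return sections


def registry_dword(sections, path):
    """Decode a '<type>,<data>' registry entry; None if absent or not a DWORD."""
    raw = sections.get("Registry Values", {}).get(path)
    if raw is None:
        return None
    type_code, _, data = raw.partition(",")
    return int(data) if type_code.strip() == "4" else None


def system_access_int(sections, name):
    """Integer value from [System Access], treating a missing entry as 0."""
    return int(sections.get("System Access", {}).get(name, "0"))


# (finding, predicate) pairs; the predicate returns True when the setting is weak.
# A registry value that is absent from the export is treated as weak on purpose:
# the audit only accepts an explicitly hardened value, never an OS default.
CHECKS = [
    ("LM hashes are stored (NoLMHash is 0 or unset)",
     lambda s: registry_dword(s, LSA + "NoLMHash") in (None, 0)),
    ("Anonymous enumeration allowed (RestrictAnonymous is 0 or unset)",
     lambda s: registry_dword(s, LSA + "RestrictAnonymous") in (None, 0)),
    ("No account lockout (LockoutBadCount is 0)",
     lambda s: system_access_int(s, "LockoutBadCount") == 0),
    ("Password complexity disabled",
     lambda s: system_access_int(s, "PasswordComplexity") == 0),
    ("Minimum password length below 8",
     lambda s: system_access_int(s, "MinimumPasswordLength") < 8),
]


def audit(template_text):
    """Return the list of weak-setting findings for one exported template."""
    sections = parse_template(template_text)
    return [finding for finding, is_weak in CHECKS if is_weak(sections)]


if __name__ == "__main__":
    for label, export in (("default open", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        findings = audit(export)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a real export and the "default open" server produces five findings while the hardened one produces none. The Everyone-vs-Authenticated-Users and local-Administrators items on the slide are not in this file format; those need a share/ACL and group-membership export and a separate check.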
Resources: Hardening Systems
- Hardening checklists:
  - CIS offers vendor-neutral hardening resources: http://www.cisecurity.org/
  - Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
- Ask your vendor / insist on secure software

Internet Perimeter Security Controls
Need a layered approach:
- Firewall
- IDS/IPS
- E-mail filters
- Browser proxies
Inbound (ingress) as well as outbound (egress)!
Firewall
- Gateway between networks: Internet and inside; inside and 3rd-party vendor
- Rules define what is and is not allowed:
  - Outside in
  - Inside out (this is frequently overlooked)
- The default rule should be Deny All, followed by specific Allows for particular services and hosts based on business needs

Firewall: some specific rules/examples
- Only email coming from the mail server / mail filter system itself is allowed out
- Only browser traffic coming from the proxy is allowed out
- All other outbound traffic is denied, except ...
- Lessons learned
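The two egress rules on the slide, plus the default deny they sit on top of, are small enough to model and test before anyone types them into the firewall. The following is an added example, not a configuration from the presentation: it evaluates a rule list first-match, the way a packet filter does, against a handful of constructed packets. The network (10.10.0.0/16 inside, a mail filter at 10.10.1.25, a proxy at 10.10.1.80) and the outside addresses in 203.0.113.0/24 are hypothetical; the code checks policy and does not program a real firewall.

```python
"""Model of the default-deny firewall policy on the Firewall slides: only the
mail filter may send SMTP out, only the proxy may browse out, everything else
outbound is denied.

Added example, not configuration from the presentation.  The network
(10.10.0.0/16 inside, mail filter 10.10.1.25, proxy 10.10.1.80) and the
outside addresses (203.0.113.0/24, a documentation range) are hypothetical.
Rules are evaluated first-match like a packet filter; nothing here talks to
a real firewall.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # source network in CIDR form
    dst: str         # destination network in CIDR form
    proto: str       # "tcp", "udp" or "any"
    dports: tuple    # destination ports; () matches any port
    comment: str = ""

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (not self.dports or pkt["dport"] in self.dports))


ANY = "0.0.0.0/0"
INSIDE = "10.10.0.0/16"
MAIL_FILTER = "10.10.1.25/32"
PROXY = "10.10.1.80/32"

# Outbound (egress) policy: explicit allows for two hosts, then deny everything.
EGRESS = [
    Rule("allow", MAIL_FILTER, ANY, "tcp", (25,), "only the mail filter sends SMTP out"),
    Rule("allow", PROXY, ANY, "tcp", (80, 443), "only the proxy browses out"),
    Rule("deny", INSIDE, ANY, "any", (), "default deny: all other outbound traffic"),
]

# Inbound (ingress) policy: mail delivery to the filter, nothing else.
INGRESS = [
    Rule("allow", ANY, MAIL_FILTER, "tcp", (25,), "inbound mail goes to the filter only"),
    Rule("deny", ANY, INSIDE, "any", (), "default deny: all other inbound traffic"),
]


def evaluate(rules, pkt):
    """First matching rule wins. Returns (action, comment)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    # A rule set should never fall through; treat that as a deny and say so.
    return "deny", "fell off the end of the rule set (no explicit default deny)"


def ends_in_default_deny(rules):
    """The check from the slide: the last rule must be a catch-all deny."""
    last = rules[-1]
    return last.action == "deny" and last.proto == "any" and not last.dports


def packet(src, dst, dport, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


# Constructed traffic: what a few hosts might try to do.
SAMPLE_TRAFFIC = {
    "mail filter relays outbound mail":  (EGRESS, packet("10.10.1.25", "203.0.113.10", 25)),
    "proxy fetches an external page":    (EGRESS, packet("10.10.1.80", "203.0.113.20", 443)),
    "workstation sends SMTP directly":   (EGRESS, packet("10.10.50.12", "203.0.113.10", 25)),
    "workstation browses without proxy": (EGRESS, packet("10.10.50.12", "203.0.113.20", 80)),
    "workstation uses outbound DNS":     (EGRESS, packet("10.10.50.12", "203.0.113.53", 53, "udp")),
    "outside host delivers mail":        (INGRESS, packet("203.0.113.10", "10.10.1.25", 25)),
    "outside host probes a workstation": (INGRESS, packet("203.0.113.99", "10.10.50.12", 3389)),
}


def decisions():
    """Evaluate every sample packet; returns {description: action}."""
    return {name: evaluate(rules, pkt)[0] for name, (rules, pkt) in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    assert ends_in_default_deny(EGRESS) and ends_in_default_deny(INGRESS)
    for name, (rules, pkt) in SAMPLE_TRAFFIC.items():
        action, why = evaluate(rules, pkt)
        print(f"{action:5}  {name:34}  ({why})")
```

Two of the denies are the point of the slide: a workstation that tries to send SMTP directly (a spam bot, or a user bypassing the mail filter) and a workstation that browses without the proxy are both stopped by the default deny, not by any rule written against them. The denied DNS lookup shows why the slide's "except ..." exists: infrastructure such as internal resolvers gets its own narrow allow above the final deny, never a blanket "allow all outbound".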
Browser Proxies
- Analogous to a sophisticated firewall for web browsing (e.g. MS ISA, Websense, iPrism)
- Protects the interaction between the client workstation and the external web site

Browser Proxies (continued)
- Should have rules for what is and is not allowed:
  - Whitelist / blacklist functions
  - Restrictions on pages with active scripting
  - Restrictions on file downloads (and uploads)
  - Rules may be based on group membership
- Also very useful for:
  - Tracking employee use and behavior / compliance
  - Forensic purposes
Email Filters
- Process and inspect email before it is delivered to the intended recipient (inside and outside)
- Like IDS/IPS and the firewall, should have rules for what is and is not allowed
- Protect against: spam, viruses, other malicious code, spoofing, data leakage

Secure Mobile Devices and Mobile Data
- Laptops: is it really encrypted?
- Backup tapes: "It's password protected, isn't that enough?"
- Portable storage devices: the Ohio intern and the backup hard drive
- Phones and PDAs
Attacks on Mobile Devices
- A Chronology of Data Breaches: http://www.privacyrights.org/ar/chrondatabreaches.htm
- Lost or stolen laptops
- Lost or stolen backup tapes
- Lost or stolen storage devices

Attacks on Mobile Devices: key protection strategies
- Policies for storing data (anyone email reports internally? Guess what ...)
- Encryption
- Strong authentication
- Authentication when resuming from sleep mode
- Ability to wipe the device if lost or stolen
Physical Security: Solutions
- Segment facilities: public vs. private
- Two-factor authentication (e.g. card swipe plus PIN)
- How to bypass a fingerprint reader!
- Clear vendor / visitor verification
- Conspicuous, difficult-to-copy badges
- Console locks / screensaver passwords
- Live network data jacks (don't forget the phones)
- Employee awareness!!

Monitoring: different things to consider
- Routers and firewalls
- IDS/IPS
- Mail system / filter
- Servers
- Workstations?
Each one communicates and passes traffic at a different level, and each has different capabilities; you need to know what their strengths and weaknesses are.
Monitoring
- Two places to monitor:
  - Network traffic (IDS/IPS)
  - Individual hosts (system and application logs)
- Two types of monitoring:
  - Signature based
  - Heuristic / statistical: anomaly detection against a standard baseline

Monitoring (continued)
- Too much traffic on modern networks for a person to monitor: volume, complexity, a needle in a haystack
- Need help: need a tool
IDS/IPS
- Intrusion Detection System (IDS): a sophisticated monitor, network based or host based
  - Watches for known bad things
  - Logs the bad things
  - May generate alerts
- Intrusion Prevention System (IPS): a more advanced IDS
  - Has the ability to deny or block bad things
  - Should generate alerts

IDS/IPS (continued)
- Both IDS and IPS have tremendous value in a forensic investigation if:
  - They monitor and log traffic in both directions
  - The logs are maintained (not overwritten or deleted)
- Need to understand what they are good at, and not so good at: e.g. e-commerce over SSL (https://www.abcfcu.com/survey ...), where a network IDS sees only encrypted traffic and cannot inspect the content
Monitoring: Event Log Consolidator / Syslog Server
- Need a centralized, automated system for pulling event logs from a variety of devices
- Should process logs and evaluate them against pre-defined rule sets, e.g.:
  - X failed logins in less than 10 seconds should generate an alert
  - Use of USB / mass storage devices
- Not only useful from a security and audit perspective; also very useful as a trending and training tool for IT management

Monitoring: tools
Google "event log monitoring software". Some good examples:
- http://www.gfi.com/eventsmanager/esmfeatures.htm
- http://www.microsoft.com/mom/default.mspx
- http://www.kiwisyslog.com/
- http://sourceforge.net/projects/snare/
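The two rules named on the slide (a burst of failed logins inside a short window, and any use of USB mass storage) are what a consolidator runs after it has normalized each source's events. The code below is an added example, not from the presentation or any of the products listed: it implements both rules over a constructed sample log in a simple normalized shape (ISO timestamp, host, event name, key=value fields). The log lines, hostnames and users are made up for the example; a real consolidator would first parse each device's native format into events like these.

```python
"""Two of the rules the Monitoring slide says a log consolidator should
evaluate: "X failed logins in less than 10 seconds" and "use of USB / mass
storage devices".

Added example, not code from the presentation.  The log lines are constructed
in a simple normalized shape (ISO timestamp, host, event name, key=value
fields); they are not the output of any real product.  A real consolidator
parses each source's native format into events like these first, then runs
rules of this kind over the stream.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a 5-attempt burst on jsmith, two slow failures on
# mlee that should not alert, and one USB stick plugged into a workstation.
SAMPLE_LOG = """\
2009-04-27T08:00:01 dc01 LOGIN_FAILED user=jsmith src=10.10.50.12
2009-04-27T08:00:02 dc01 LOGIN_FAILED user=jsmith src=10.10.50.12
2009-04-27T08:00:03 dc01 LOGIN_FAILED user=jsmith src=10.10.50.12
2009-04-27T08:00:04 dc01 LOGIN_FAILED user=jsmith src=10.10.50.12
2009-04-27T08:00:05 dc01 LOGIN_FAILED user=jsmith src=10.10.50.12
2009-04-27T08:00:20 dc01 LOGIN_OK user=jsmith src=10.10.50.12
2009-04-27T08:05:00 ws117 USB_STORAGE_ATTACHED device=SanDisk_Cruzer user=aperez
2009-04-27T09:00:00 dc01 LOGIN_FAILED user=mlee src=10.10.51.40
2009-04-27T09:00:30 dc01 LOGIN_FAILED user=mlee src=10.10.51.40
"""


def parse_event(line):
    """'<ts> <host> <event> k=v k=v ...' -> dict; None for a malformed line."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return {"ts": ts, "host": parts[1], "event": parts[2], **fields}


class FailedLoginBurst:
    """Alert when `threshold` failures for one (user, src) land inside `window`.

    Keeps a sliding window of timestamps per key; after alerting, the window
    is cleared so one burst produces exactly one alert.
    """

    def __init__(self, threshold=5, window=timedelta(seconds=10)):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)

    def __call__(self, ev):
        if ev["event"] != "LOGIN_FAILED":
            return None
        key = (ev.get("user", "?"), ev.get("src", "?"))
        times = self.recent[key]
        times.append(ev["ts"])
        while times and ev["ts"] - times[0] > self.window:
            times.popleft()
        if len(times) >= self.threshold:
            span = (times[-1] - times[0]).total_seconds()
            times.clear()
            return (f"{ev['ts'].isoformat()} {ev['host']}: {self.threshold} failed "
                    f"logins for user={key[0]} from src={key[1]} within {span:.0f}s")
        return None


def usb_storage(ev):
    """Every mass-storage attach is worth an alert (or at least an audit entry)."""
    if ev["event"] != "USB_STORAGE_ATTACHED":
        return None
    return (f"{ev['ts'].isoformat()} {ev['host']}: USB storage "
            f"{ev.get('device', '?')} attached by user={ev.get('user', '?')}")


def run_rules(log_text, rules=None):
    """Feed each parsed event through every rule; return the alerts in order."""
    rules = rules or [FailedLoginBurst(), usb_storage]
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in rules:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print("ALERT", alert)
```

On the sample the burst rule fires once for jsmith (five failures in four seconds) and stays quiet for mlee, whose two failures are thirty seconds apart; the USB rule fires once for the workstation. The sliding window is keyed on user and source address so that one attacker spraying many accounts, or many users mistyping at once, does not produce a single blurred count.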
Patch Management
- What is this thing they call a patch? An error in the code allows an attacker to make the software do something it was NOT designed to do; the patch corrects that error.
- 99% of intrusions exploit known vulnerabilities
- Only 3% of business networks have all the latest Microsoft patches!!!

Patch Management (continued)
- What is Patch Tuesday?
- MS WSUS patch management system
- 3rd-party applications do the same and more:
  - www.patchlink.com
  - www.altiris.com/products/patchmanagementsolution.aspx
  - www.shavlik.com
Patch Management: Advisory Sites
- 3rd-party vendor advisory sites:
  - Microsoft: http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx
  - Oracle: http://www.oracle.com/technology/support/patches.htm
  - Apple: http://docs.info.apple.com/article.html?artnum=106704
  - Others / CERT: http://www.us-cert.gov/cas/bulletins/sb07-267.html

Patch Management: "But the patches always break our applications..."
- Need a development/test environment
- VMware, MS Virtual PC
Patch Management: beyond the test environment, you need a process
- Test group 1
- Test group 2
- General rollout to groups A, B, C
- Will need a process to monitor patch completeness

Detect - Test
- Need a process to independently validate the completeness of:
  - Configuration management
  - Implementation / change management
  - Patch management / vulnerability management
  - Anti-virus management
  - User account management
  - Monitoring effectiveness
- The challenge of "administrative completeness"
Vulnerability Management
- Remember the strategy: Protect, Detect, Test, Respond, Remediate
- Need to include a vulnerability testing / monitoring / management component
- Should supplement 3rd-party vulnerability assessments
- Some of the patch management tools will incorporate some of this functionality, but be careful

Incident Response Plans and Procedures
- Incident response policy
- Documentation is readily available BEFORE hand
- Where is the patient data?
- Structured procedures
- Defined communication
- Understand notification requirements
- Chain of command
- Escalation procedures
Closing Case Study
- Email phishing and administrative completeness

Closing
- Harden the infrastructure and systems
- Systems need to be configured to monitor and alert
- Choose appropriate tools to automate as much of the monitoring and alerting as possible
- Periodically validate that the systems are behaving as expected
Questions?
Randy Romes, CISSP, MCP
(612) 397-3114
rromes@larsonallen.com
Presentation: http://www.larsonallen.com/technology/presentations.asp

Resources
- Hardening checklists:
  - http://www.cisecurity.org/
  - http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
- Data breaches:
  - http://www.privacyrights.org/ar/chrondatabreaches.htm
- Breach notification requirements:
  - http://www.csoonline.com/article/221322/cso_disclosure_series_data_breach_Notification_Laws_State_By_State
- Monitoring tools:
  - http://www.gfi.com/eventsmanager/esmfeatures.htm
  - http://www.microsoft.com/mom/default.mspx
  - http://www.kiwisyslog.com/
- Patch management tools:
  - www.patchlink.com
  - www.altiris.com/products/patchmanagementsolution.aspx
  - www.shavlik.com
- Advisory sites:
  - Microsoft: http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx
  - Oracle: http://www.oracle.com/technology/support/patches.htm
  - Apple: http://docs.info.apple.com/article.html?artnum=106704
  - Others / CERT: http://www.us-cert.gov/cas/bulletins/sb07-267.html