Lower Cybercrime Costs! Attack Humans...

Lower Cybercrime Costs! Attack Humans - TXC – …...Cybersecurity breach started in May of 2017 and continued until discovered on July 29. Hack included credit card numbers for more


Lower Cybercrime Costs!

Attack Humans...


Anatomy of a Breach


Data Breaches Are a Significant Risk

• Cost of data breach rose to $202 for each compromised record

• Average cost of a healthcare breach was $355 for each record

• Average expense to an organization was $6.6 million

• Mobile devices and laptops are responsible for the growing number of breaches

Do you even know if you’ve already been breached?


Let’s Get Our Language Straight First!

• Vulnerability — any weakness that could be exploited.
  – Unencrypted laptop, jump drive, email, inadequate policies and procedures, metadata, unpatched systems, poorly trained employees.

• Exploit — a known way to take advantage of a vulnerability.
  – Executing code, Trojans, Viruses, Scripts, Ransomware

• Vector — method used to get to the target
  – Phishing, Malware, Hacking, Botnets, Trojan toolkits, key loggers, and other malware

• Threats — can be either "intentional" (individual hacker or criminal organization) or "accidental" (user carelessness or mistake)
  – Hackers, organized crime, foreign governments, disgruntled, or untrained employees


Let’s Talk About the Threats and the Threat Actors


The Arms Dealer

• The “Arms Dealer” is a hacker who develops and sells malware and other hacking tools and exploit kits to other cybercriminals. They can include those who rent out massive botnets or sell Trojan toolkits, key loggers and other malware on the black market. They can quickly and easily modify their malware and sell new versions when antivirus and antimalware security tools shut down the old versions.
  – Shadow Brokers (NSA Tools)
  – Vault 7 (CIA Tools)


The Contractor

• Teams of hackers who rent out their services. Often considered to reside in China, Russia or Eastern Europe, these ‘hackers for hire’ can be a small business of one to two individuals or part of a larger, organized crime syndicate capable of running multiple operations at once. They possess a variety of skills necessary for breaching networks and stealing data. Unfortunately, the hacker-for-hire is a well-established industry and services often start at just a few hundred dollars.


The Banker

• “The Banker” is highly focused on stealing credit and other financial information, including username and password credentials or other personally identifiable information that can be treated like a commodity easily sold and traded on the black market. These hackers are often based in China, Russia or Eastern Europe and can be individual actors or part of an organized crime group. They may use phishing attacks to capture user credentials, or employ more advanced malware to steal valuable data from an organization’s network.


The Special Agent

• The Agent is in it for cash, creed or country. They are typically looking to steal trade secrets, financial data or strategically important information on energy and defense systems. These individuals deal in highly targeted advanced persistent threats (APT) and cyber espionage. They may even be a source within an organization working as a double agent.

• Attacks are costly, sophisticated and time-consuming. Therefore, the hacker typically focuses on very high-value targets, such as large corporations in the finance, IT, defense and energy sectors.

• Most come from China, Russia, or Eastern Europe, and are either members of large criminal organizations or hackers working for foreign governments.


The Online Anarchist

• A loosely organized group of underground hackers and pranksters, mostly seeking to cause chaos for organizations or people they dislike, or provide support for the causes they follow. These are the hackers who often launch distributed denial of service (DDoS) attacks or deface a company’s website to cause embarrassment or disrupt the company’s activities.

• The group calling itself Anonymous and its subgroups LulzSec and AntiSec are the most well-known examples. These groups gained notoriety from 2008 – 2012 with a series of high-profile attacks, but have quieted down some in the past few years after one of the main leaders was arrested and turned informant.


The Insider

• Employees, former employees, contractors, volunteers, business partners, business associates, spouses, friends, etc.

• According to some studies, insider breaches are double that of outsiders

Intentional (disgruntled/revenge, amateur, explorer or plant)

• Individuals use their access to sensitive information for personal or financial gain

• Insiders align themselves with third-parties to gain access and/or share proprietary or sensitive information

• Individuals either delete information or set a ‘logic bomb’ or ‘time bomb’

• Show offs, making a statement

Unintentional (accidental or carelessness)

Colleagues are unwilling or hesitant to accept the idea that a trusted co-worker could be engaged in hacking

Signs may go unreported for years

It is hard to distinguish harmful actions from regular work

It is easy for employees to cover their actions

It is hard to prove guilt


Hacking Back

• A group of counter-hackers that catches hackers in the act. A team from a hacked entity breaks into the hackers’ infrastructure on a selection of overseas servers, finds a list of who exactly the attackers had phished, as well as clues on their location. They strike back and delete the siphoned data before more damage can be done.

• BEWARE — Those hacking back may be in violation of the United States’ notorious Computer Fraud and Abuse Act, or, depending on what exactly the hackers do, may also breach wiretapping legislation and face criminal prosecution themselves. If the servers or other pieces of infrastructure are based overseas, hackers working for victimized companies may break foreign laws, too.


Let’s Dissect Some Recent Breaches


Anatomy of a Breach ‒ Banner

• Number of records - 3.7 million people.

• The Attack - “Attackers allegedly were able to access hospital networks through successful attacks against food services systems,” Sanabria said. “I don’t know if Banner Health used a third-party to run its in-hospital cafes and cafeterias, but like Target’s breach, which began with a third-party HVAC vendor, there should have been no way to access payment data from food services systems. These should have been entirely segregated from one another – I can’t imagine any reason why a cafeteria point-of-sale system would need access to systems storing medical records.”

• Vulnerability – Privilege management

• Exploit – Most likely a phish

• Vector – Business Associate

• Threat

• Lesson Learned – Privilege Management


Anatomy of a Breach ‒ Anthem

• Number of records - 80 million

• The Attack - began on Feb. 18, 2014, when a user within one of Anthem's subsidiaries opened a phishing email containing malicious content.

Opening the email launched the download of malicious files to the user's computer and allowed hackers to gain remote access to that computer and dozens of other systems within the Anthem enterprise, including Anthem's data warehouse, the commissioners' investigation report says.

Starting with the initial remote access, the attacker was able to move laterally across Anthem systems and escalate privileges, gaining increasingly greater ability to access information and make changes in Anthem's environment, the investigative report says.

"The attacker utilized at least 50 accounts and compromised at least 90 systems within the Anthem enterprise environment including, eventually, the company's enterprise data warehouse - a system that stores a large amount of consumer personally identifiable information," the report notes. "Queries to that data warehouse resulted in access to an exfiltration of approximately 78.8 million unique user records."

• Vulnerability – Identity Management, Privilege Management, Auditing

• Exploit -

• Vector – Phishing, Subsidiary

• Threat – Foreign Government

• Lesson Learned – Auditing, Dual Factor Authentication, Privilege Management

“The problem is, while HIPAA requires that identifying information be encrypted, that protection goes by the wayside once an attacker compromises an administrator's credentials. So even if the data was encrypted, it didn't matter once the attacker(s) had total control over the database.”


Anatomy of a Breach ‒ Equifax

• Number of records – 143M consumers and access to credit-card data of 209K

• The Attack
  – Cybersecurity breach started in May of 2017 and continued until discovered on July 29.
  – Hack included credit card numbers for more than 200,000 Americans which contain personal and identifying information.

• Vulnerability – Flaw in Apache open source software feature STRUTS

• Exploit/Vector – Attackers used file uploads to trigger a bug that allowed them to send malicious code or commands to the server

• Threat – Foreign government

• Lessons Learned – Procedures/Implementation, Awareness, Patch Management


WannaCry

• Number of records – Approx. 200,000 computers infected across 150 countries

• The attack — Ransomware

• Vulnerability — Windows' Server Message Block (SMB) protocol

• Exploit/Vector — ETERNALBLUE, an exploit generally believed to be developed by the U.S. National Security Agency (NSA)

• Threat — China? North Korea?

• Lessons Learned — Obsolete OSs, Patches, Data Backup and Restore


Deloitte

• Number of records – Not disclosed

• The attack — Credential theft of email administrator

• Vulnerability — Single factor authentication

• Exploit/Vector — Unknown

• Threat — Unknown or Not disclosed

• Lessons Learned — Privileged Account Management, Login management (this is why monitoring successful login is just as important as failed logins)

Pretty embarrassing for a company that was once named the “best cybersecurity consultant in the world” by Gartner.
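
The login-monitoring lesson above, as an added example that is not part of the original slides: a small review of authentication events that alerts on successful logins, not only failed ones. The log format, account names, thresholds and addresses are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident):
# timestamp, account, source address, outcome.
SAMPLE_LOG = """\
2017-03-01T08:02:11 mail-admin 10.0.5.20 SUCCESS
2017-03-02T08:05:40 mail-admin 10.0.5.20 SUCCESS
2017-03-02T09:14:03 jsmith 10.0.7.31 FAILURE
2017-03-02T09:14:20 jsmith 10.0.7.31 SUCCESS
2017-03-03T02:47:09 mail-admin 203.0.113.45 SUCCESS
2017-03-03T03:10:00 svc-backup 198.51.100.7 FAILURE
2017-03-03T03:10:05 svc-backup 198.51.100.7 FAILURE
2017-03-03T03:10:09 svc-backup 198.51.100.7 FAILURE
2017-03-03T03:10:15 svc-backup 198.51.100.7 SUCCESS
"""

# Assumed values: the privileged account list and thresholds are site-specific.
PRIVILEGED = {"mail-admin", "svc-backup"}
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)


def parse(line):
    """Split one constructed log line into (datetime, account, source, outcome)."""
    ts, account, source, outcome = line.split()
    return datetime.fromisoformat(ts), account, source, outcome


def review_logins(log_text, privileged=PRIVILEGED):
    """Return alerts as (timestamp, account, source, reason) tuples.

    Two rules, both triggered by a SUCCESS event:
      privileged-new-source  : privileged account logs in from a source that
                               has never had a successful login for it before
                               (the first source seen becomes the baseline).
      success-after-failures : a success preceded by FAIL_THRESHOLD or more
                               failures from the same source within FAIL_WINDOW.
    """
    seen_sources = defaultdict(set)        # account -> sources with prior success
    recent_failures = defaultdict(deque)   # (account, source) -> failure times
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, source, outcome = parse(line)
        key = (account, source)

        if outcome == "FAILURE":
            recent_failures[key].append(ts)
            continue
        if outcome != "SUCCESS":
            continue

        # Keep only failures that fall inside the look-back window.
        fails = recent_failures[key]
        while fails and ts - fails[0] > FAIL_WINDOW:
            fails.popleft()
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((ts.isoformat(), account, source, "success-after-failures"))

        known = seen_sources[account]
        if account in privileged and known and source not in known:
            alerts.append((ts.isoformat(), account, source, "privileged-new-source"))

        fails.clear()
        known.add(source)

    return alerts


if __name__ == "__main__":
    for alert in review_logins(SAMPLE_LOG):
        print(*alert)
```

The `mail-admin` alert is raised with no failed attempt anywhere in the log, which is the case a failures-only monitor never sees when stolen credentials are used.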


Yahoo!

• Number of records — 3B

• The attack — Falsified login credentials to gain access to any account without a password. Data taken includes names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords.

• Vulnerability — Website security design - used manufactured web cookies

• Threat — State sponsored actor (arguable), the FBI officially charged the 2014 breach to four men, including two that work for Russia's Federal Security Service (FSB).

• Lessons Learned — They didn’t and still don’t have a clue. The next line says it all.


21st Century Oncology

• Number of records — 2.2M

• The attack — 21st Century Oncology claims the FBI notified the company of the breach on Nov. 13, 2015 and upon further investigation, it was determined the breach occurred on Oct. 3, 2015.

• Vulnerability — Unknown

• Exploit — Unknown

• Vector — Unknown

• Threat — Unknown

• Lessons Learned — They didn’t and still don’t have a clue. The next line says it all.

21st Century Oncology files for bankruptcy, 26 May 2017.


Common Vulnerabilities

Audience query!

Name some potential vulnerabilities in your environment?


What is the Biggest Security Issue You Face Today?


Over Confidence

In this 2017 security survey, the overall responses strongly suggest that executive boards of enterprises and small to medium-size businesses (SMBs) are confident of their cyberthreat preparedness, low vulnerability, and data protection. The data reflects that their CIOs, heads of IT, and even their CISOs are all equally clear: we are secure.

Source - A SolarWinds® MSP Report on Cybersecurity Readiness for UK and US Businesses

Security equates to minimizing the risk of a systems attack or data breach.


Over Confidence

But are they really secure or just over confident?

While 87% of organizations have complete trust in their security techniques and technology—and 59% believe they are less vulnerable than they were 12 months previously—71% of those same organizations have been breached in the past 12 months. The belief that “it will never happen to us” is prevalent.

Source - A SolarWinds® MSP Report on Cybersecurity Readiness for UK and US Businesses


Over Confidence

Companies looking to maintain or improve their security must pay attention to these key principles, or their overconfidence can lead to an extinction event for their business. So, why is this disconnect occurring? Simply put, companies are overlooking basic security principles:

1. Security policies are incomplete.
2. Security procedures are weak, inconsistently implemented and unmanaged.
3. User & IT training is massively under-prioritized.
4. Vulnerability awareness and reporting is often weak, or even nonexistent.
5. Widely accepted prevention techniques and processes remain overlooked.
6. Detection, response, and resolution times are all growing.
7. The majority of organizations make little or no changes to their technology or processes following a breach.

Source - A SolarWinds® MSP Report on Cybersecurity Readiness for UK and US Businesses


HIPAA – Friend or Foe?


Policies & Procedures

[Diagram: layers labelled Business Vision, Security Strategies, Security Policies and Procedures, with columns for Activities and Target Audience]

Activities

• Understand the business.
• Understand future goals.
• Align strategy with business goals.
• Analyze technology architecture.
• Evaluate role of third-parties.
• Determine gaps that need policies.
• Validate contingency and other plans.
• Align policies with strategy.
• Document security procedures.
• Develop plans for physical security.

Target Audience

• Executive management
• Information Security Officer
• Department heads
• Security practitioners


HIPAA Security Rule

• Administrative Safeguards for ePHI
  – Security Mgmt. Process, Sec. Officer
  – Workforce Security, Info. Access Mgmt.
  – Security Training, Security Incident Proc.
  – Contingency Plan, Evaluation, BACs

• Physical Safeguards for ePHI
  – Facility Access Controls
  – Workstation Use
  – Workstation Security
  – Device & Media Controls

• Technical Safeguards for ePHI
  – Access Control
  – Audit Control
  – Integrity
  – Person or Entity Authentication
  – Transmission Security

• Privacy Rule
  – “reasonable” safeguards for all PHI


Principles of Audit/Assessment

• Integrity — foundation of professionalism

• Fair Presentation — report truthfully and accurately

• Due Professional Care — diligence and judgment

• Confidentiality — security of information

• Independence — impartial and objective audit conclusions

• Evidence Based — reliable and reproducible conclusions


Risk Analysis/Assessment

• Required – First document requested

• Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.

• Important considerations:
  – Is the current system configuration documented?
  – Has data sensitivity and integrity of data been considered?
  – Have threat sources – both natural and man-made – been identified?
  – Has a list of known system vulnerabilities been developed and maintained current?


Defense In-Depth

bizSHIELD™ Steps and Required Activities.

[Diagram: layered defenses]

• Firewall Systems
• IDS/IPS
• Identity Management
• Encryption
• Physical Security
• Critical Info & Vital Assets


Req. #1: Firewall Configuration

• The goal of this requirement is to ensure that firewalls, which are critical security components, are configured and managed securely and appropriately.

Addressing this requirement will require having policies, processes and/or controls in place for things such as (as applicable):

• A formal change control process for testing and approving changes to firewall AND router configurations
• Documenting current networking diagrams for all connections to/from the CDE
• Implementing a DMZ between the Internet and the Internal network
• Having a firewall between wireless networks and the CDE to block access
• Using roles or groups to manage firewalls
• Securing configuration files, as well as ensuring configuration files are synchronized
• Reviewing firewall and router configuration files at least every 6 months


Administrative Safeguards (Cont’d.)

Standard, with Implementation Specifications (R = Required, A = Addressable)

• Security Management Process
  – Risk Analysis (R)
  – Risk Management (R)
  – Sanction Policy (R)
  – Information System Activity Review (R)

• Assigned Security Responsibility (R)

• Workforce Security
  – Authorization and/or Supervision (A)
  – Workforce Clearance Procedure (A)
  – Termination Procedures (A)

• Information Access Management
  – Isolating Health Care Clearinghouse Function (R)


Administrative Safeguards (Cont’d.)

Standard, with Implementation Specifications (R = Required, A = Addressable)

• Information Access Management (continued)
  – Access Authorization (A)
  – Access Establishment and Modification (A)

• Security Awareness and Training
  – Security Reminders (A)
  – Protection from Malicious Software (A)
  – Log-in Monitoring (A)
  – Password Management (A)

• Security Incident Procedures
  – Response and Reporting (R)

• Contingency Plan
  – Data Backup Plan (R)
  – Disaster Recovery Plan (R)


Administrative Safeguards (Cont’d.)

Standard, with Implementation Specifications (R = Required, A = Addressable)

• Contingency Plan (continued)
  – Emergency Mode Operation Plan (R)
  – Testing and Revision Procedure (A)
  – Applications and Data Criticality Analysis (A)

• Evaluation (R)

• Business Associate Contracts and Other Arrangements (R)


Physical Safeguards

Standard, with Implementation Specifications (R = Required, A = Addressable)

• Facility Access Controls
  – Contingency Operations (A)
  – Facility Security Plan (A)
  – Access Control and Validation Procedures (A)
  – Maintenance Records (A)

• Workstation Use (R)

• Workstation Security (R)

• Device and Media Controls
  – Disposal (R)
  – Media Re-use (R)
  – Accountability (A)
  – Data Backup and Storage (A)


Physical Safeguards (Cont’d.)

Standard, with Implementation Specifications (R = Required, A = Addressable)

• Access Control
  – Unique User Identification (R)
  – Emergency Access Procedure (R)
  – Automatic Logoff (A)
  – Encryption and Decryption (A)

• Audit Controls (R)

• Integrity
  – Mechanism to Authenticate EPHI (R)

• Person or Entity Authentication (R)

• Transmission Security
  – Integrity Controls (A)
  – Encryption (A)


Other Things to Consider


Texas House Bill 300 Expands on HIPAA

• HB300 sets mandatory deadlines for training and requires breach notification for all healthcare providers doing business in Texas.
  – Training – 60 days
  – Consumer Access – Provide to patient within 15 days of request
  – Consumer Information Website - State Attorney General is required to maintain an informational website
  – Consumer Complaint Report - State Attorney General is required to submit a report to the legislature annually that addresses the number and types of complaints privacy of PHI.
  – Sale of PHI – Prohibited disclosure
  – Notice of Authorization for Electronic Disclosure – Post notice in business in conspicuous location, and on website
  – Penalties and Enforcement – 3 tiers, capped at $250K annual
  – Audits – THHS may request HHS conduct audit
  – Standards for the Electronic Sharing of PHI, Standards for the Electronic Exchange of Health Information - Review and adopt privacy and security standards for the electronic sharing of PHI, ePHI.
  – THSA Model Security Policies – 2010, Security Model for State and 12 regional HIWs


AICPA Service Organization Controls (SOC)

• Service Organization Controls (SOC) reports are designed to help service organizations that operate information systems and provide information system services to other entities.
  – SOC 1: Controls at a service organization relevant to user entities’ internal control over financial reporting. (Auditor’s opinion to Auditor)
  – SOC 2: Controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, or privacy. (Auditor’s opinion to management, user entities and other specified parties)
  – SOC 3: Controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, or privacy. (Auditor’s opinion to interested parties, e.g. the public)

Key point – SOC audits have scopes


SOC2

• SOC 2 measures controls specifically related to IT and Data Center service providers.

• SOC 2 is divided into 2 types and 5 controls:
  – Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  – Type 2 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. (Reports will contain a description of the control test and the results of those tests.)

• Controls
  – Security
  – Availability
  – Processing integrity (ensuring system accuracy, completion and authorization)
  – Confidentiality
  – Privacy


HITRUST
Real Auditing Squared

Based on Risk, the identified Control Requirements are spread across 19 Domains

1. Information Protection Program
2. Endpoint Protection
3. Portable Media Security
4. Mobile Device Security
5. Wireless Security
6. Configuration Management
7. Vulnerability Management
8. Network Protection
9. Transmission Protection
10. Password Management
11. Access Control
12. Audit Logging & Monitoring
13. Education, Training & Awareness
14. Third-Party Assurance
15. Incident Management
16. Business Continuity & Disaster Recovery
17. Risk Management
18. Physical & Environmental Security
19. Data Protection & Privacy

Key point – HITRUST audits have scopes


Closing Comments

• Activities vs. Effectiveness

• Be suspicious of anything quick, easy or convenient


Please complete the Evaluation Form.

Keith Thibodeaux

E: [email protected]